The malware called Flame has a lot of features that could, at first sight, qualify it as one of the most sophisticated malware samples found. As to whether it is the most complicated, that is subject to interpretation. It does not use obfuscation techniques to hide its code, nor does it exhibit any genuinely new malware behavior.
Flame stands out for its file size and complexity, and for the many capabilities it offers, but none of these capabilities is overwhelmingly revolutionary or new: we have seen all of these functions before. Furthermore, it is very difficult to determine how many computers have been infected and are still infected. The fact is, we will never know for sure, because Flame can erase itself from infected machines very efficiently.
Below is a short summary of our analysis:
After analyzing the malware, we have confirmed some of the findings made at the CrySyS Lab (Budapest University of Technology and Economics, Hungary) and Kaspersky Labs.
Most press releases about this newly recognized toolkit baptize it as the most “complex/sophisticated” piece of malware in history so far. Given the following capabilities, it can certainly carry out many operations:
The main file, mssecmgr.ocx, has debug information embedded, which makes it somewhat easier to analyze. No obfuscation or packing is employed to hide its malicious code. Nonetheless, Flame is too big to be fully analyzed in a short period of time.
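As an added, illustrative example (not code from the original analysis), the following stdlib-only Python script performs the two static triage checks the paragraph alludes to: it reads the PE debug data directory for an embedded CodeView (RSDS) record and the PDB path it carries, and computes per-section Shannon entropy as a packing heuristic, since compressed or encrypted sections approach 8 bits of entropy per byte while plain code stays well below. It runs against a two-section PE32 DLL constructed in memory; the PDB path, section names and section bytes are constructed sample values, not Flame's. Point `parse_pe` at the bytes of a real file to triage it.

```python
"""Stdlib-only static triage of a PE image: read the debug data directory (a
CodeView/RSDS record carries the linker's PDB path) and compute per-section
Shannon entropy as a packing heuristic. The sample PE is constructed in memory."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index into the optional header's data directories
IMAGE_DEBUG_TYPE_CODEVIEW = 2     # debug entry type whose payload starts with b"RSDS"
PACKED_ENTROPY_THRESHOLD = 7.0    # compressed/encrypted data sits near 8 bits per byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Return section entropies, the RSDS PDB path if any, and a packing verdict."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+) in the optional header,
    # with NumberOfRvaAndSizes as the DWORD right before them.
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd_base is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd_off = opt + dd_base
    num_dirs = struct.unpack_from("<I", image, dd_off - 4)[0]
    sections = []
    for i in range(nsections):                             # headers follow the optional header
        name, _, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "rawptr": rawptr, "rawsize": rawsize,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})

    def rva_to_offset(rva: int) -> int:
        for s in sections:
            if s["vaddr"] <= rva < s["vaddr"] + s["rawsize"]:
                return rva - s["vaddr"] + s["rawptr"]
        raise ValueError(f"RVA {rva:#x} is not backed by file data")

    pdb_path = None
    if num_dirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        dbg_rva, dbg_size = struct.unpack_from("<II", image, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
        for off in range(0, dbg_size, 28):                 # each IMAGE_DEBUG_DIRECTORY is 28 bytes
            # Type, SizeOfData, AddressOfRawData, PointerToRawData sit at entry offset 12
            dtype, size_of_data, _, ptr = struct.unpack_from("<IIII", image, rva_to_offset(dbg_rva) + off + 12)
            if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and image[ptr:ptr + 4] == b"RSDS":
                # RSDS record: signature(4) + GUID(16) + age(4) + NUL-terminated PDB path
                raw = image[ptr + 24:ptr + size_of_data]
                pdb_path = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"sections": sections, "pdb_path": pdb_path,
            "likely_packed": any(s["entropy"] > PACKED_ENTROPY_THRESHOLD for s in sections)}


def build_sample_pe() -> bytes:
    """Constructed PE32 DLL: a low-entropy .text holding an RSDS record and its debug
    directory entry, plus a high-entropy .data standing in for a packed payload."""
    FILE_ALIGN = 0x200
    text_rva, data_rva, text_raw, data_raw = 0x1000, 0x2000, FILE_ALIGN, 2 * FILE_ALIGN
    pdb = b"d:\\projects\\sample\\release\\sample.pdb\0"           # constructed path
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb
    text = bytearray(b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 64)   # repetitive code-like bytes
    text[0x100:0x100 + len(rsds)] = rsds
    text[0x180:0x180 + 28] = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                                         len(rsds), text_rva + 0x100, text_raw + 0x100)
    data = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 pseudo-random bytes

    def section_header(name: bytes, rva: int, raw: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, FILE_ALIGN, rva, FILE_ALIGN, raw, 0, 0, 0, 0, 0x60000020)

    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)     # i386, 2 sections, PE32 opt size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, text_rva + 0x180, 28)
    headers = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + opt
                        + section_header(b".text", text_rva, text_raw)
                        + section_header(b".data", data_rva, data_raw))
    headers += b"\0" * (FILE_ALIGN - len(headers))
    return bytes(headers) + bytes(text) + data


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:<6} entropy={s['entropy']:.2f}")
    print("pdb path:", info["pdb_path"], "| likely packed:", info["likely_packed"])
```

The entropy threshold is a heuristic, not a verdict: resource sections holding compressed images or embedded certificates also score high, so a hit marks a section worth a closer look rather than proof of packing. The PDB path, when present, is exactly the kind of artifact the paragraph refers to, and it is a cheap pivot for clustering samples from the same build environment.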
Since the main purpose of this malware is stealing information by many means, researchers will have to identify where the gathered and stored information is sent.
Who is behind this attack? What are the real intentions, what kind of confidential information do they want to collect, and for what reasons? Was it made to spy on governmental institutions, on the industry’s big players, or on private industry? It is not entirely clear yet. The malware we analyzed has a lot of functionality that has been used, or can be used, as a cyber-weapon against a specific organization to perform a targeted attack. Most probably, it was designed to target selected computers and organizations, especially governmental ones.
Another aspect to watch in the coming months: will the attackers and their programmers stop working on Flame now, or will they continue with their project and improve the malware to evade renewed detection?
Like everybody, we will also keep an eye on this situation!