The discovery of a new species of highly sophisticated malware earlier this week adds another puzzle piece to the contemporary cyberwar battleground. Flame, as it's called, is a whopper of a program: 20 megabytes, the size of a video file, and 40 times bigger than the Stuxnet virus that took down Iranian centrifuges back in 2010. But Flame is not just another cyber weapon; it could greatly expand the scope of nations capable of carrying out cyberattacks.
Flame bears many similarities to Stuxnet. Both are specimens of highly advanced programming and detailed expertise in many specialized areas. Both programs are the products of large teams of experts working hundreds of hours on development and testing. Only a handful of nations have the technical capacity to do this kind of work. The list would include the United States, the UK, Germany, China, Russia, Israel and Taiwan, says Scott Borg, head of U.S. Cyber Consequences Unit, a security consulting firm.
But Flame differs from Stuxnet in many important respects. Whereas Stuxnet was designed for a specific purpose (infiltrating and destroying the centrifuges used in Iran's nuclear fuel enrichment facility at Natanz), Flame appears to be a general-purpose tool for espionage. It has a broad ability to gather data from screenshots or through Bluetooth connections with other devices. "Once Flame makes it onto a computer, it begins sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on," says a May 28 report by security firm Kaspersky. It can compress and encrypt the information it captures and hold onto it until it has a reliable Internet connection to send it. Flame was apparently targeted at countries in the Middle East; it showed up mainly in Iran, with infections also in Israel, the Palestinian territories, Sudan and Syria.
Perhaps the biggest potential problem is that the programmers who designed Flame did not try to disguise the code in a way that makes it difficult to reverse engineer. The practice, known as code obfuscation, is common among commercial software developers as a way to keep competitors from being able to figure out how software products are designed. Flame's programmers apparently didn't take such measures, which means a knowledgeable programmer wouldn't have too much trouble extracting the pertinent design of Flame and making use of it. Flame, in other words, is a boomerang.
That's not to say that just anyone can download Flame and start using it, of course. It still requires expertise to understand how the program works. But the lack of code obfuscation adds dozens of states to the list of those capable of carrying out sophisticated cyber attacks, says Borg. That may very well include Iran, whose programmers almost certainly are studying the malware as we speak. The failure to protect the Flame code from being reverse engineered may turn out to have been a monumental error.
Who designed Flame isn't clear. David Sanger's article in today's New York Times confirms that Stuxnet was authored by the United States. Indeed, a clear pattern of U.S. offensive cyber warfare has been taking shape in recent years. In December, a security expert asserted that the Conficker worm, which has infiltrated millions of ordinary PCs over many years, could have served as a "door kicker" for Stuxnet: a program that went out into the field and set the stage for the Stuxnet invasion. At this point, there isn't enough information about Flame to know who authored it. It's safe to assume, however, that the cyber battlefield is about to get more crowded.
Ed. note: Stuxnet code was not protected against reverse engineering, either, but this is less of a problem because its purpose is narrow and hence the programming is less useful as a weapon than the more general-purpose Flame. This post was corrected to reflect this.