The discovery of a new species of highly sophisticated malware earlier this week adds another puzzle piece to the contemporary cyberwar battleground. Flame, as it’s called, is a whopper of a program—20 megabytes, the size of a video file, and 40 times bigger than the Stuxnet virus that took down Iranium centrifuges back in 2010. But Flame is not just another cyber weapon—it could greatly expand the scope of nations capable of carrying out cyberattacks.
Flame bears many similarities to Stuxnet. Both are specimens of highly advanced programming and detailed expertise in many specialized areas. Both programs are the products of large teams of experts working hundreds of hours on development and testing. Only a handful of nations have the technical capacity to do this kind of work. The list would include the United States, the UK, Germany, China, Russia, Israel and Taiwan, says Scott Borg, head of U.S. Cyber Consequences Unit, a security consulting firm.
But Flame differs from Stuxnet in many important respects. Whereas Stuxnet was designed for a specific purpose—infiltrating and destroying the centrifuges used in Iran’s nuclear fuel enrichment facility at Natanz—Flame appears to be a general purpose tool for espionage. It has a broad ability to gather data from screenshots or through Bluetooth connections with other devices. Once Flame makes it onto a computer, it begins “sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on,” says a May 28 report by security firm Kaspersky. It can compress and encrypt the information it captures and hold onto it until it has a reliable Internet connection to send it Flame was apparently targeted to countries in the Middle East—it was showed up mainly in Iran, with infections also in Israel, the Palestinian territories, Sudan and Syria.
Perhaps the biggest potential problem is that the programmers who designed Flame did not try and disguise the code in a way that makes it difficult to reverse engineer. The practice, known as “code obfuscation,” is common among commercial software developers as a way to keep competitors from being able to figure out how software products are designed. Flame programmers apparently didn’t take such measures, which means a knowledgeable programmer wouldn’t have too much trouble extracting the pertinent design of Flame and making use of it. Flame, in other words, is a boomerang.
That’s not to say that just anyone can download Flame and start using it, of course. It still requires expertise to understand how the program works. But the lack of code obfuscation adds “dozens” of states to the list of those capable of carrying out sophisticated cyber attacks, says Borg. That may very well include Iran, whose programmers almost certainly are studying the malware as we speak. The failure to protect the Flame code from being reverse engineered may turn out to have been a monumental error.
Who designed Flame isn’t clear. David Sanger’s article in today’s New York Times confirms that Stuxnet was authored by the United States. Indeed, a clear pattern of U.S. offensive cyber warfare has been taking shape in recent years. In December, a security expert asserted that the Conficker worm, which has infiltrated millions of ordinary PCs over many years, could have served as a “door kicker” for Stuxnet—a program that went out into the field and set the stage for the Stuxnet invasion. At this point, there isn’t enough information about Flame to know who authored it. It’s safe to assume, however, that the cyber battlefield is about to get more crowded.
ed note: Stuxnet code was not protected against reverse engineering, either, but this is less of a problem because its purpose is narrow and hence the programming is less useful as a weapon than the more general-purpose Flame. This post was corrected to reflect this.