New cyber espionage malware ‘Flamer’ is the most complex ever seen

Our Malware Analysis team has discovered a highly complex malware (Trojan.Flamer.A), parts of which are written in the ‘Lua’ scripting language. It is on par with, if not more capable than, the previously seen threats Stuxnet and Duqu. The worm goes by several names, including ‘Flame’, ‘Flamer’, ‘Skywiper’ and ‘Viper’; the Iranian CERT (Computer Emergency Response Team) detected it when it began launching cyber-attacks on the country's energy sector. The malware uses known vulnerabilities in the Windows Print Spooler service (MS10-061) and in LNK shortcut handling (MS10-046) to execute its malicious components. These vulnerabilities were first seen in the wild with Stuxnet in June 2010, and our investigation shows that a few of the malicious components were reported around 2 years and 10 months ago. The malware is approximately 20 times larger than Stuxnet, so the ramifications for the security industry are huge.
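Because the two infection vectors named above are old, patched vulnerabilities, the first thing a practitioner should check is whether the corresponding patches are actually present on the hosts they defend. The following PowerShell snippet is an added example for this post, not part of the original article or any Quick Heal product; the KB-to-bulletin mapping (MS10-046 is KB2286198, MS10-061 is KB2347290) is taken from the Microsoft security bulletins, and the `$required` table and output format are this example's own.

```powershell
# Added example (not from the original post): check whether the two Stuxnet-era
# patches that Flamer is reported to exploit are installed on this host.
# Mapping from the Microsoft bulletins:
#   MS10-046 (Windows Shell / LNK shortcut handling) -> KB2286198
#   MS10-061 (Print Spooler service)                 -> KB2347290
$required = @{
    'KB2286198' = 'MS10-046 Windows Shell / LNK shortcut handling'
    'KB2347290' = 'MS10-061 Print Spooler service'
}

# Get-HotFix lists the updates Windows knows about on the local machine.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $required.Keys) {
    if ($installed -contains $kb) {
        Write-Output "OK       $kb installed ($($required[$kb]))"
    } else {
        Write-Output "MISSING  $kb not found ($($required[$kb])) - host may be exposed to this vector"
    }
}

# The spooler vector only matters if the service is running. On hosts that do not
# need to print, a stopped and disabled Spooler is a cheap compensating control.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Caveat: these KB numbers apply to the Windows releases that were current in 2010 (XP, Vista, Server 2003/2008, 7). On a newer Windows build the fixes are part of the base install and `Get-HotFix` will not list them, so a "MISSING" line there is a false alarm; use the OS version to decide whether the check is meaningful.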

Furthermore, the malware communicates with its Command and Control (C&C) servers, which are inactive at the time of writing, over encrypted HTTPS and SSH channels, which makes its traffic harder to detect. Its modular, component-based architecture also lets it spread through USB drives and across local networks. Further capabilities observed include screen capturing, scanning network resources, enabling Bluetooth and sharing data over it, detecting and disabling anti-virus suites, negating the effects of security patches, and recording audio from the microphone (something highly unusual for malware).

The broad purpose of this malware is to collect information from the machines of its victims; the stolen data is staged in an SQLite database on the infected host before being sent to the attackers. Its targets range from individual users to educational institutions to state-run organizations. We are carrying out further analysis of this malware and will update our readers as more information becomes available, since it is a highly complex piece of malware with many other characteristics. It appears to have been written by a large group of people over a period of several years, so its analysis will need to be carried out in a systematic manner. Quick Heal ensures that its users are constantly protected against such threats.

Rahul Thadani


7 Comments


  1. Thanks for updating us on this latest complex threat! Great to see Quick Heal is also fighting this global epidemic.
  2. Do Worm.Win32.Flame and Trojan.Flamer.A respond in the same manner? And do Quick Heal products have a solution for both of the above threats?
    • Rahul Thadani, May 30, 2012 at 6:00 AM

      Worm.Win32.Flame and Trojan.Flamer.A are the same malware and hence respond in the same manner. Quick Heal products detect this malware and inform the user.
  3. Does your anti-virus really protect from Flame?
    • Rahul Thadani, May 31, 2012 at 2:53 PM

      Yes. Once a malicious code is discovered, identifying it on a machine is simple and quick. Further analysis is being carried out to understand its nature and origin.
  4. So many things Flame can do! It must be a silent war between nations, and obviously it must be the product of a large nationwide secret agency. Thanks for giving such valuable info, and I hope I'll get some more info soon. Till then I'll learn some Lua. Thanks over and over again.