Trail goes cold as gigantic Flame virus peters out
AS THE COMPLEXITIES of the gigantic Flame computer virus are dissected, the blame game has begun. The nefarious application came to light after data was deleted from hard drives in Iran’s oil ministry several weeks ago, with Israel being seen as likely culprits by Iranian officials and security analysts alike.
Indeed, Israel’s vice prime minister Moshe Ya’alon did little to stop these rumours yesterday when he said: “Israel is blessed with high technology and we boast tools that open all sorts of opportunities for us.”
Despite Ya’alon’s barely-veiled boasts, due to the complexities of the coding involved in Flame, it is unlikely that Israel – or any other nation – will be held accountable. It is this inability to pinpoint the genesis of such attacks which makes this manner of cyber warfare so appealing to nation states.
“It’s about plausible deniability,” says Vitaly Kamluk, chief malware expert with Kaspersky Lab, enlisted by the UN’s Geneva-based International Telecommunications Union to investigate the threat a few weeks ago.
“There are no traces that can point to one organisation or any country with Flame,” he adds. “We followed the controls of the malware but we discovered that there are more than a thousand different servers [involved] located in different countries, all geographically spread out, so it’s unclear where is the central country.”
Sophos senior technology consultant Graham Cluley suggests that for rogue nation states, “the beauty of an internet attack is your ability to hide your tracks and to be relatively anonymous no matter how big the attack is”.
DCU law and government lecturer Dr Maura Conway says the “blanket of anonymity” has been a factor for various governments to launch similar attacks for several years. “In all aspects of warfare and intelligence gathering, plausible anonymity is key.”
There are a number of factors that mark Flame out as unique. For one thing, it is estimated to have sat undetected on Iranian computers for two to five years collecting data. Its size is fascinating as well, with its combined applications bulking it up to about 20MB, as opposed to smaller threats such as the Stuxnet worm which infiltrated Iran’s nuclear program in 2010 which was “20 times smaller”, according to Cluley.
“The benefit they get out of this size of file is that it looks normal,” says Mikko Hyppönen, chief research officer with security specialists F-Secure. “Flame looks like your average application, not the encrypted, hidden malware we’re used to seeing. It’s big, it has libraries and it’s hiding in plain sight. It might seem odd, but it worked, it went undetected for years. You can’t argue with that.”
Hyppönen says the other fascinating stat is that compared with Stuxnet, or other attacks such as the data-grabbing Duqu virus, this did not infect hundreds of thousands of computers to get what it needed. Kaspersky and Symantec, which was also brought in to investigate Flame, have found fewer than 600 incidents of the virus, pointing to each infiltration being very deliberate.