Thursday, May 31, 2012

The Flame program: Its purpose, features and threat.

What is the Flame program we're seeing so much in the news this past week? Various media have labeled the Flame a cyber weapon, an espionage tool, malware, a worm, and a virus.  For this article, let's call it a 'program,' because if you separate the code from the intent, it's simply an interesting computer program.

What brought Flame into the open? Depending on which source is accurate, Flame may have infected computers in Austria, Egypt, Hong Kong, Hungary, Iran, Israel, Lebanon, Palestine, Russia, Saudi Arabia, Sudan, Syria, and the United Arab Emirates.  One of Flame's features is that it can be turned off, so it doesn't spread blindly.  This controlled spread and the fact that it's most prevalent in Iran, led some people to see it as an Israeli or joint Israeli/USA operation against Iran's infrastructure and oil industry.

Flame has several interesting features separated into different modules.  It can:  record keystrokes (commonly called a 'keystroke logger'); be turned on/off; wipe hard drives; take screen shots; collect data and send it to a remote computer; use the computer's onboard microphone as a recorder; use a 'packet sniffer' to scan traffic on the computer's local network; and even activate a Bluetooth connection with cellular telephones.  Flame can be customized with some 20 different plugins.

While having all these options makes Flame a flexible tool, it also makes it a big program, far larger than programs like DuQu or Stuxnet.  In the past, worms and viruses were written to be as lean as possible--they ran fast and didn't take up much space.  But Flame seems like they just kept adding features and the program grew bigger and bigger.

Many in the media and computer world speculate that either a country developed Flame, or paid a group of programmers to write it.  It's odd to see that just like with commercial software, when clients keep demanding more features, the program experiences 'feature creep' and quickly grows in size and complexity.  It's usually a big headache for the programmers who have to keep up with it all.

Some articles are quite alarmist, declaring use of Flame as cyberwar and making dire predictions.  But Flame has probably been loose on the Internet since 2010.  And components like keystroke loggers and packet sniffers are not new things--they've been around a while.  What makes Flame interesting is that it has so many tool options, and it doesn't appear to spread indiscriminately.  By slowing the spread of Flame, its controllers kept it undetected for a longer period of time.

When computer experts encounter these type programs, they take them apart to figure out how they work.  So if Country A fires off a program at Country B, it may not be too long before Country A gets hit with their own weapon.  If you shoot a bullet at someone and miss, then can't pick it up, load it in their gun and fire it back at you.  But a program can be studied and modified.  It's a copycat world, so I predict we'll see something similar to Flame in the near future.

(Odd historical note:  The ancient Romans, being the practical folk they were, made the necks of their spears out of soft iron.  So when the Romans threw their spears at enemies, the points would stick in enemy shields and drag them down.  But the soft iron also bent, which meant the enemy couldn't throw them back.  Clever Romans.)    

* * *
(Here is a good article at Wired, and this one at FoxNews, and this one, too.  The pic is from:

No comments:

Post a Comment