We have all been hearing quite a bit of hyperbole concerning the sophistication of the Flame malware. It’s hard to find any headline about the malware that doesn’t involve the adjectives massive, sophisticated, elaborate, impressive, or scary. But is Flame as revolutionary as everyone claims? To me it looks amateurish.

Part of the curiosity that surrounds Flame is that it doesn’t fit the profile that antivirus companies are used to analyzing, which is part of the reason it went undetected for so long. Instead of a tiny piece of code that stealthily accomplishes a single task, Flame is a bloated and unencrypted general-purpose spying toolkit. Yes, the authors apparently had access to an exclusive and possibly large knowledge base, but overall there’s really nothing new about turning on a microphone, exploiting old vulnerabilities, and subverting Windows features such as Autorun.

It’s just not that impressive as far as features go. In fact, 10 years ago it really wouldn’t have been that impressive.

What sticks out to me is that despite its breadth and apparent sophistication, it does not look like something written by an experienced hacker. This thing makes hardly any attempt to conceal itself or to prevent reverse engineering of its code. This means that once discovered the whole thing is completely useless. Even worse, it also means that any hacker or enemy can likely reverse engineer it enough to use it right back at the authors.

And then there’s stuff like a hard-coded password, an easily discoverable network of command & control servers, and the use of CRCs to ensure data integrity. Then there’s the query string it sends back to the command & control servers:

UNIQUE_NUMBER=xxxxxxxxxx&PASSWORD=LifeStyle2&ACTION=x&FILE_NAME=x&FILE_SIZE=xxxxx&CRC=xxxxxxxxx

Seriously, does that look like something a hacker would write? No, that is something written by a 40-something US programmer who lives in the suburbs (who also happens to use some variant of the password LifeStyle2 on every account he owns).
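Because the beacon above is plain text with a fixed set of parameter names and a hard-coded password, it is easy to spot in web proxy logs. The following is an added example (not from the original post and not Flame code) showing how a defender might flag that query-string shape. It assumes a simple space-separated proxy log format of client, method, URL and status; the log lines and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the beacon quoted in the post.
FLAME_BEACON_KEYS = {"UNIQUE_NUMBER", "PASSWORD", "ACTION", "FILE_NAME", "FILE_SIZE", "CRC"}
# The hard-coded password seen in the quoted beacon.
HARDCODED_PASSWORD = "LifeStyle2"

# Constructed proxy log lines: "<client> <method> <url> <status>". Not real traffic;
# the hostnames are placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.example.net/index.php?q=weather 200
10.0.0.17 POST http://c2.example.invalid/wp-content/rss.php?UNIQUE_NUMBER=1234567890&PASSWORD=LifeStyle2&ACTION=u&FILE_NAME=d.tmp&FILE_SIZE=40960&CRC=1a2b3c4d5 200
10.0.0.17 GET http://c2.example.invalid/upload.php?UNIQUE_NUMBER=42&PASSWORD=other&ACTION=x&FILE_NAME=x&FILE_SIZE=1&CRC=0 200
10.0.0.21 GET http://www.example.org/search?UNIQUE_NUMBER=1 200
"""

# Assumed log layout (hypothetical): client, method, URL, three-digit status.
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify_query(url):
    """Return a reason string if the URL's query string has the beacon's shape, else None.

    Matching on the full set of parameter names (rather than any single one) keeps
    ordinary URLs that happen to use one of the names from triggering.
    """
    query = urlsplit(url).query
    if not query:
        return None
    params = parse_qs(query, keep_blank_values=True)
    if not FLAME_BEACON_KEYS.issubset(params):
        return None
    # The hard-coded password is the strongest indicator; report it separately.
    if params.get("PASSWORD", [""])[0] == HARDCODED_PASSWORD:
        return "beacon-format+hardcoded-password"
    return "beacon-format"


def scan_log(text):
    """Scan proxy log text and return one finding per line that matches the beacon shape."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        reason = classify_query(m.group("url"))
        if reason:
            findings.append({
                "client": m.group("client"),
                "host": urlsplit(m.group("url")).hostname,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the scan reports the two lines whose query strings carry all six beacon parameters, and marks the one using the quoted password as the higher-confidence hit; the line that merely contains a single parameter named UNIQUE_NUMBER is ignored.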

One thing is clear: Flame wasn’t built for destruction or financial theft. This is a spying toolkit, plain and simple. The list of targets and the fact that it seems to be interested in AutoCAD documents quickly point back to one likely suspect country.

One thing is also clear: this wasn’t written by a hacker. I would guess that some well-funded US agency paid some private consulting firm (which employs a bunch of 40-something suburbanites) millions of dollars to write up the ultimate hacker’s toolkit, and Flame is what they got instead.

Nonetheless, the fact that it probably wasn’t written by an experienced hacker is what allowed it to go undetected for so long. Ironically, its lack of evasion techniques let it evade detection.
