Flame (also known as Flamer, sKyWIper, and Skywiper) is a highly advanced piece of malware made up of a core component and a number of add-on modules that perform attacks, gather information, propagate to other machines, scan networks, exfiltrate files, and remove the malware from an infected system. It was publicly identified in May 2012 by the Russian security firm Kaspersky Lab, which named it "Flame" after one of its main modules. Kaspersky stated that Flame had probably been operating since as early as August 2010. Unlike Stuxnet, which targeted industrial programmable logic controllers (PLCs) and their associated software and hardware, and Duqu, which attempted to gather information on such industrial systems, Flame is much larger in size (about 20 MB with all of its modules installed) and was designed to gather vast amounts of sensitive information, including but not limited to: documents, audio recordings and screenshots, contact information from nearby Bluetooth-enabled phones, 3D CAD (Computer-Aided Design) model files, and network architecture and password information.
As an abnormally large and complex piece of malware, Flame had to employ many significant exploits and evasion techniques to avoid detection on the hundreds of machines it infected. It used five different encryption methods, several exploits for propagation and privilege escalation (some of them against the same vulnerabilities Stuxnet had exploited), and a forged code-signing certificate chained to Microsoft's root, allowing it to masquerade as genuine software from Microsoft. Furthermore, Flame was written in a combination of programming languages, including the Lua scripting language, which is rarely seen in malware.
Perhaps the most remarkable of Flame's mechanisms, and one of the strongest hints that it, along with Stuxnet and Duqu, was funded by a wealthy nation-state, is its use of a previously unknown variant of a chosen-prefix collision attack against the MD5 hash function to obtain a fraudulent code-signing certificate that chained up to Microsoft's root. Microsoft's Terminal Server Licensing Service still issued MD5-signed certificates that could be used for code signing; the attackers obtained a legitimate licensing certificate whose MD5 hash matched that of a certificate they had crafted themselves, so Microsoft's signature over the first was equally valid for the second. With this certificate, an infected machine could pose as a web proxy (via WPAD) for other machines on the same local network, intercept their Windows Update requests, and serve Flame and its modules as signed Microsoft updates, leading those machines to accept it as legitimate Microsoft software. The use of such a cryptanalytic attack in malware was unheard of, and according to leading experts in the field, the collision "…would have involved mathematic breakthroughs that could have only been accomplished by world-class cryptographers."
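The reason a hash collision lets an attacker reuse Microsoft's signature is that hash-then-sign schemes sign only the digest: two different certificate bodies with the same digest share one valid signature. The following added example (not Flame's code and not the real attack) shows the principle end to end in Python. It is a toy: MD5 is truncated to 16 bits so that a chosen-prefix collision between a benign certificate body and a rogue "CA:TRUE" body can be found by a birthday search in milliseconds, and the RSA key uses tiny hardcoded primes. The certificate strings, the truncation width, and the key are all assumptions made for the demonstration.

```python
"""Toy demonstration of why a chosen-prefix hash collision defeats a
hash-then-sign certificate scheme.

Added example, not Flame code.  The real attack produced full 128-bit MD5
collisions; here the digest is deliberately truncated to 16 bits so the
birthday search finishes instantly.  The RSA key is a tiny textbook key
(hardcoded primes) and exists only to show that one signature verifies
over either colliding message.
"""
import hashlib

DIGEST_BITS = 16  # assumption: toy truncation, NOT the real MD5 width


def toy_digest(data: bytes) -> int:
    """MD5 truncated to DIGEST_BITS bits (the deliberately weak hash)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - DIGEST_BITS)


# Textbook RSA with tiny hardcoded primes (toy, insecure by construction).
P, Q = 1009, 1013
N = P * Q                         # 1022117 > 2**16, so every digest is < N
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def sign(message: bytes) -> int:
    """Hash-then-sign: the signer only ever sees the digest, not the body."""
    return pow(toy_digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Signature is valid for ANY message with the same digest."""
    return pow(signature, E, N) == toy_digest(message)


def find_chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes,
                                 table_size: int = 1 << 12):
    """Return (msg_a, msg_b) with different chosen prefixes and equal toy digests.

    Birthday-style search: tabulate digests of prefix_a + counter, then walk
    prefix_b + counter until one lands in the table.  Deterministic, so the
    result is reproducible.  With 4096 table entries in a 65536-value space,
    each candidate hits with probability ~6%.
    """
    table = {}
    for i in range(table_size):
        msg = prefix_a + b"|" + str(i).encode()
        table.setdefault(toy_digest(msg), msg)
    j = 0
    while True:
        candidate = prefix_b + b"|" + str(j).encode()
        hit = table.get(toy_digest(candidate))
        if hit is not None:
            return hit, candidate
        j += 1


# Constructed sample "certificate bodies": a harmless request that a CA would
# happily sign, and the rogue CA certificate the attacker actually wants.
BENIGN = b"CN=Benign Licensing Cert, CA:FALSE, usage=license"
ROGUE = b"CN=Rogue Intermediate CA, CA:TRUE, usage=codeSigning"


def demo() -> dict:
    msg_a, msg_b = find_chosen_prefix_collision(BENIGN, ROGUE)
    sig = sign(msg_a)              # the CA signs only the benign request
    return {
        "same_toy_digest": toy_digest(msg_a) == toy_digest(msg_b),
        "full_md5_differs": hashlib.md5(msg_a).digest() != hashlib.md5(msg_b).digest(),
        "signature_valid_for_rogue": verify(msg_b, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The search only needs a 16-bit digest because the toy truncates it; against real 128-bit MD5 the attackers had to exploit the structural weaknesses in the compression function rather than birthday-search, which is the part that required new cryptanalysis. The defensive lesson is the same at either size: a certificate chain that accepts MD5 (or any hash with practical collisions) as a signature algorithm gives a signature on one document to every document that collides with it.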
Also worth noting is Flame's ability to use humans carrying storage devices as "data mules", ferrying stolen information out of machines on separate networks or on no network at all (usually referred to as "air-gapped") that have no Internet connection. When a user plugs a Flame-infected flash drive into such a machine, the stolen data is collected in a folder named "." on the drive (where Flame itself also resides). Windows treats "." as an alias for the current directory rather than as a folder name, so Explorer never lists the folder and the user does not see it. When the same infected drive is later plugged into an Internet-connected computer, the contents of the "." folder are silently forwarded to Flame's C&C servers without the user's knowledge. Such behaviour had rarely, if ever, been documented in other malware at the time and undermines the previously assumed high security of such "air-gapped" systems.
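An analyst examining a suspect USB drive should not rely on Explorer to list it, because the trick above works precisely by choosing a name the Win32 namespace cannot represent. The following added example (not Flame's code) is a small Python checker that flags directory entries whose names Windows will hide or refuse to open: the "." and ".." aliases, names made only of dots, names ending in a dot or space, reserved device names, and illegal characters. It assumes the drive is mounted on a POSIX analysis host, where such names are ordinary filesystem entries; the sample directory it builds is constructed for the demonstration.

```python
"""Flag directory entries on a removable drive whose names the Win32 API
cannot represent, so Windows Explorer never shows them.

Added example, not Flame code.  The rules are the documented Win32 naming
restrictions (reserved aliases and device names, trailing dots or spaces,
illegal characters).  Run on a POSIX host where the drive is mounted; Linux
will happily create and list names that Windows cannot, which is exactly
why the checker is useful there.
"""
import os
import re
import tempfile

_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})
_ILLEGAL = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def classify_name(name: str) -> list:
    """Return the reasons this entry is invisible or unopenable from Win32.

    An empty list means the name is a normal, displayable Windows name.
    """
    reasons = []
    if name in (".", ".."):
        reasons.append("reserved directory alias (current/parent)")
    elif set(name) <= {"."}:
        reasons.append("name consisting only of dots")
    if name not in (".", "..") and name.endswith((".", " ")):
        reasons.append("trailing dot or space (stripped by Win32, so unreachable)")
    stem = name.split(".")[0].upper()
    if stem in _RESERVED:
        reasons.append(f"reserved device name {stem}")
    if _ILLEGAL.search(name):
        reasons.append("character illegal in Win32 file names")
    return reasons


def scan_directory(path: str) -> dict:
    """Map every suspicious entry name directly under `path` to its reasons.

    os.scandir never yields "." or "..", so a literal "." directory such as
    the one described above only surfaces when walking a raw image or a
    directory listing captured by other means; pass those names straight to
    classify_name().
    """
    found = {}
    for entry in os.scandir(path):
        reasons = classify_name(entry.name)
        if reasons:
            found[entry.name] = reasons
    return found


def scan_demo() -> dict:
    """Build a constructed sample tree on the POSIX host and scan it."""
    root = tempfile.mkdtemp()
    for name in ("normal", "stash.", "nul", "com1.log", "..."):  # constructed sample
        os.mkdir(os.path.join(root, name))
    return scan_directory(root)


if __name__ == "__main__":
    for name, reasons in scan_demo().items():
        print(repr(name), "->", "; ".join(reasons))
```

The checker is deliberately name-based: it does not matter what the hidden folder contains, only that a Windows user could never have created or opened it through normal tools. On a Windows host the same entries can be reached with the `\\?\` extended-length path prefix, which bypasses the Win32 name normalisation that hides them.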
In June 2012, many of Flame's command and control (C&C) servers, which received the sensitive information Flame gathered, sent out instructions to install a "kill" module on Flame-infected machines. This module removed every Flame component and its related files from the infected machine, then overwrote the disk locations where the files had resided with random data in an effort to thwart forensic recovery.