
With W32.Flamer, perhaps simple is not the most effective

Created: 04 Jul 2012 • Updated: 25 Jun 2013
By Orla Cox

Much has already been written about the ongoing analysis into the code, sources and likely consequences of the 'Flame' or 'Flamer' malware program. Even at this early stage however, there's one aspect that continues to set it apart: its complexity.

W32.Flamer, to give the malware its technical name, is over 20MB in size - which makes it an order of magnitude bigger than its contemporaries. Our analysis to date has revealed that it contains a number of self-contained modules including screen capture, database management, Bluetooth, secure transmission and even self-destruct capabilities.

While its role as a targeted espionage tool is already evident, some of this particular piece of malware's purposes are still unclear. It appears extremely well written, incorporating 'world-class' cryptography and the complete malware toolkit that any illicit operator might want to access. In other words, Flame is not 'for' any one thing - it provides a general-purpose set of facilities that can then be programmed and controlled remotely, depending on the target.

As such, W32.Flamer may be the first of its kind. Traditionally, viruses, trojans and so on have been made deliberately small and uncomplicated so that they are easy to transmit, which also made them more straightforward to identify and analyse. With network bandwidth now offering such massive data rates, however, 20 megabytes is no great shakes. And the irony is that analysis takes longer, meaning that its very complexity becomes part of the threat.

Not all malware is created equally, and whether by accident or design, more complex and very targeted programs can be harder to pin down, particularly if they contain features similar to existing, bespoke software. Indeed, it is possible that half the functionality in Flame is redundant - merely extra, publicly available modules thrown in simply to make analysis take longer.

What's the bottom line? Despite their dubious intentions, malware writers are as smart as they come, and prepared to use any technique in the book to ensure that their malicious code delivers its payload. Microsoft may have released an update to patch the vulnerability exploited by Flame. However, there is no substitute for vigilance across the organisation: holes come in all shapes and sizes, and malware writers are looking to exploit every single one of them.