
HERE we go again. Antivirus firms are warning that another computer worm has evaded their radar. Nicknamed Flame, it is described as one of the most complex viruses ever and has the power to cripple national infrastructure. But a full two years after the last major threat â Stuxnet â was discovered, its authors have still not been exposed, although suggests they work for US and Israeli intelligence (see âObama âgave full backing to Stuxnet attack on Iranââ). So what chance is there of tracking down the creators of this latest threat?
Parts of Flame surfaced online as far back as 2004, according to BoldizsĂĄr BencsĂĄth of the at the Budapest University of Technology and Economics in Hungary. Despite this, it was not formally identified until Kaspersky Lab of Moscow, Russia, discovered what was deleting data on hundreds of computers across the Middle East. Iran and Israel took the biggest hits, with Flame even briefly disrupting Iranâs oil industry, according to senior Iranian officials.
On 28 May, Kaspersky revealed the cause: an all-in-one âworm, trojan and backdoorâ Flame. It is a remotely reprogrammable data stealer that can seize, transmit and then delete files. Its six-megabyte heart can download extra modules until it swells to 20 MB, giving it a broad range of data-stealing tricks, says Gavin OâGorman at âs lab in Dublin, Ireland. âItâs most likely this info-stealing is for espionage. It can turn a mic on to record audio, or video what you are doing on screen,â he says.
Advertisement
Itâs stealthy, too. Iranâs national says the codeâs malicious components were undetectable by 43 antivirus programs. âStuxnet, Duqu and Flame are all examples of cases where we â the antivirus industry â have failed,â says Mikko Hypponen, founder of antivirus firm F-Secure. But while the industry tries to work out why it failed, it looks almost impossible for the malwareâs creators to be found.
Hereâs why. âIf I write the code âprint âHelloââ and then load it to a forum via a proxy or Tor connection, what link is there to me? Simply, none. The same principle exists with malware,â says Nick Furneaux of e-forensics firm in Bristol, UK. Attackers can also cover their tracks by bouncing commands to the malware via cascades of servers, says BencsĂĄth. âIf an attacker hides by using multiple jumping points, it is almost impossible to identify them,â he says. âAnd the forensics mostly lead you to a computer that is fully cleared, erased.â
To catch them, investigators have to pray their quarry makes a mistake. âIâve seen mistakes made in malware such as hard coding IP and email addresses, or a user name, which can be used to find the perpetrator,â says Furneaux. Another giveaway is coding style, says OâGorman: âYou might find file-naming conventions or how data is passed between functions is characteristic of a known coder.â Indeed, it was a coding mistake that revealed Stuxnet existed.
, a security researcher at BTâs lab in Ipswich, UK, hopes their emerging AI-based pattern recognition system, Saturn, will snare threats like Flame. It âwill sense the subtle network disruptions and cyber footprints left by such attacksâ, instantly alerting security analysts, he says. This might help, says BencsĂĄth: âIf the attackers are caught mid-attack, and they do not know about it, it becomes possible to track them down.â
ÂIf the attackers are caught mid-attack, and they do not know about it, they can be trackedÂ