Don’t believe the Flame hype: Analysts

Experts say Flame malware was similar to previous tools and should not be classified as a weapon

Security analysts have thrown cold water on the Flame malware, claiming that its threat level was blown out of proportion by some vendors and its features, such as the use of a computer’s microphone to record conversations, were nothing new.

The Flame malware made headlines in late May when the Iranian Computer Emergency Response Team reported that the malware might be responsible for recent data loss incidents in Iran.

Flame was described by Kaspersky Lab researchers as a large attack toolkit with many individual modules. According to the researchers, it could use a computer's microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic and communicate with nearby Bluetooth devices.

Kaspersky researchers added that Flame was similar to the Stuxnet worm in terms of being targeted to sites in Iran but had different features and was more complex.

However, Gartner US information security senior analyst, John Pescatore, told Computerworld Australia that Flame was “over-hyped” and could not be classified as a weapon; rather, it was a piece of malware that enabled the theft of passwords and information.

“The breathless ‘weapon’ talk has simply been industry hype with lots of free publicity for the security vendors,” Pescatore said.

“Flame is a sophisticated piece of malicious software but it is really not anything new or ground breaking from a malware perspective,” he said.

Pescatore added that Stuxnet could be called a weapon as it tried to disable a specific piece of equipment, the industrial computer controls in an Iranian nuclear facility, whereas Flame was mostly a monitoring or intelligence tool which attempted to eavesdrop on its target.

“Flame could have been used for many other purposes, but it was largely a remote access Trojan that enabled password and information stealing, like hundreds before it,” he said.

IBRS Australia advisor, James Turner, said the coverage of Flame had been like the discovery of a "carnivorous animal", but one that only exists in restricted, and distant, environments.

“It's definitely a problem, but not for us in Australia,” he said.

Turner said that Australian security experts seemed to be “fairly dismissive” of Flame for two key reasons.

“The first reason is that the danger has passed. This piece of malware has reportedly been in the wild for about two years, so if it was after Australian organisations, it would already have us,” he said.

“The second reason is the very thoughtfully constrained installation footprint: It only seems to have installed on about 1000 machines, and most of these are in the Middle East.

“This is very controlled behaviour, and points again to the fact that if the authors of Flame had wanted us, they'd already have us.”

He added that the one benefit of the coverage for Australian IT security managers was it may draw attention to vulnerabilities in their systems.

“Due to the coverage about Flame, some IT professionals will then be asking, so what's already in my environment that I don't know about?” he said. “But then, most of the security people that I know were asking themselves this question before Flame got the spotlight.”

In response, a Kaspersky Lab spokesperson said in a statement that its official position on Flame remained the same. "All the details can be found in our blog posts," the spokesperson said.

Symantec was also contacted by Computerworld Australia but declined to comment.

Follow Hamish Barwick on Twitter: @HamishBarwick
