What is the “Flame” Worm and Should I Worry About It?

If you’ve followed security or technical news over the last few days, you’ve probably heard about the “Flame” worm. This interesting new piece of malware belongs to a class of attack called an Advanced Persistent Threat (APT), and it’s making headlines worldwide. As a result, many of you may be wondering whether or not this nasty sounding malware will affect your organization. My short answer is, “probably not,” but read on to learn more.

Let’s start with the basics. Kaspersky Labs — one of WatchGuard’s Antivirus (AV) partners — was one of the first to discover and analyze the “Flame” worm (Worm.Win32.Flame). According to their analysis so far, Flame is one of the largest and most complex malware samples they have ever seen. As such, they haven’t finished their full investigation of this malware, but here’s a quick summary of what they know so far:

  • Flame is primarily an information stealing toolkit and backdoor trojan, but it also has worm-like capabilities that allows it to spread over local networks and USB storage.
  • Its information stealing capabilities include network sniffing, keystroke logging, screenshot snapping, and even audio recording. It also can collect data about Bluetooth devices in the vicinity. It shares all this stolen data over an encrypted Command and Control (C&C) channel.
  • It is one of the largest pieces of malware Kaspersky has seen, at around 20MB, and it contains over 20 different modules. Its author also created it using a scripting language (Lua) that malware writers don’t typically use.
  • Rather than running as an executable file like typical malware, Flame loads itself as a number of malicious DLL files at boot.
  • Kaspersky believes the author originally created the malware in 2010.
  • Flame is targeted. Its infections seem limited to various organizations in Middle Eastern countries, with a primary focus on Iran. It also does not appear to have spread widely (under 400 known infections).

All that said, one thing we don’t know yet is how Flame initially infects its victim. Since this is a very targeted attack, I doubt Flame’s initial infection vector is automated in any way, nor launched on a massive scale. Rather, the attackers probably directly target specific organizations, and may even leverage different infection vectors for each target. If you add up all these facts, you can probably see why many experts consider Flame an APT attack similar to Stuxnet and Duqu. While none of the researchers analyzing this malware can prove it yet, most suspect that a nation-state actor created the Flame malware for cyber-espionage.

This brings us back to our original question, “Should I worry about the Flame malware?” Unless you’re an administrator of a state or education related industry in the Middle East, Flame will probably never directly affect you. So, no. I don’t think typical organizations have anything to worry about Flame. Furthermore, now that AV organizations have identified Flame, they have released signatures to detect and remove its known variants. If you use any of the top AV products, and keep those products up-to-date, you are protected from Flame infections. More specifically, if you’re a WatchGuard customer, our XCS and XTM appliances will protect you from the Flame worm. We partner with both Kaspersky and AVG to deliver Gateway Antivirus to these appliances, and both our partners have signatures to detect Flame.

From a security industry perspective, Flame is a very interesting malware sample. It leverages more advanced attack techniques than typical malware and likely comes from a nation-state attacker, which is why it has garnered so much media attention. However, Flame is probably not going to directly affect normal organizations. If you’ve been worried about this headline-grabbing worm, you can probably stop. Even if this targeted attack started affecting organizations outside the Middle East, WatchGuard and Antivirus products have you covered.  — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

6 Responses to “What is the “Flame” Worm and Should I Worry About It?”

  1. Corey, Thanks for the analysis, timely and to the point! With that said I’m wondering how long it will be before someone turns this around and points it “our way” (US, and other Western Countries). I could see them chopping out pieces repackaging them and automating the delivery.. fun for us all…

    • Corey Nachreiner Reply June 1, 2012 at 3:19 am

      You are entirely right. First, while it may not actually be the “flame” toolkit, I believe nation-states have and are already launching these same types of cyber-espionage attacks against US organizations. So while I don’t think Flame specifically will affect the US, I wouldn’t be surprised if there are other APT-like malware samples already infecting our government and big private organizations.

      Also, in general I believe all the new attack techniques being leveraged in these advanced, likely nation-state sponsered attacks, will eventually affect all businesses. As the public becomes aware of malware like Stuxnet, Duqu, and Flame, and as researchers decompile and analyze these, criminal organizations that are responsible for more run of the mill malware are paying close attention. Many traditional malware variants (for instance, Zeus) have starting leveraging the techniques and attacks they see in these APT threats. So I think this advanced malware is evolving all malware quicker, which will affect everyone.

  2. After many grillings, you have to take time to faithfully clean with
    a small brush. With there being so many to choose from, we are going to take a
    closer look at some of the most popular models currently available.
    75″ by 10″ non-stick grilling surface is perfect in entertaining a small gathering.


  1. WatchGuard Security Week in Review: Episode 20 | WatchGuard Security Center - June 1, 2012

    […] What is the Flame worm – WatchGuard Security Center […]

  2. Microsoft Revokes Certificate Due to Flame Malware | WatchGuard Security Center - June 4, 2012

    […] week, I wrote about a sophisticated new piece of malware called Flame, which infected various organizations in […]

  3. Is your online data still safe? | Information Strategy - September 11, 2013

    […] is of course true that since it was suspected that stuxnet [1] and flame[2] are creations of the U.S. government, heads all over the world were turned. However, it was not […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: