An extremely sophisticated strain of malware that shares similarities with Stuxnet, although Flame is far larger and more complex, at 30MB or larger when all modules have been installed vs. Stuxnet’s 500KB. Also known as Flamer or Skywiper, Flame was discovered by Kaspersky Lab following a significant increase in infected systems in Iran and other countries in the Middle East and North Africa over the past two years.
After infecting a computer or device, Flame spies on the machine’s activity and steals data from it using keystroke monitoring and packet sniffing functionality, as well as backdoor capabilities that enable cyber attackers to update the malware and trigger it or erase it as desired. The Flame malware features multiple levels of encryption as well as more than 20 different modules and plug-ins that can be swapped in and out for added functionality. One unique characteristic of Flame is that some of its code has been written in Lua, a programming language typically used for developing games rather than malware.
Additional distinctive characteristics of Flame include scanning for Bluetooth-enabled devices in order to steal data and infect the devices with the Flamer malware, the ability to turn on a computer’s internal microphone in order to secretly record conversations, and code for taking frequent screenshots of activity such as e-mail and instant messages and secretly uploading the screenshots to “command and control” servers.
As with Stuxnet, security experts believe that Flame is so sophisticated and well-coordinated that it was likely created and operated with “nation-state support” rather than by typical cyber criminals, although no countries have taken responsibility for the malware to date.