Should I Be Concerned about the Flame Worm?



06/05/2012


Kevin R. Smith
Co-Editor


Since it was uncovered, there's been a lot of (mis)information on what Flame is, how it works, and what's at risk.

Let's take a look.

First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim,
"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
I left in the entire paragraph from their article so that it could be seen in all its glory.

At best, the quote above is misleading. At worst, it's alarmist.

Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised," by almost any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.

There was no such intrusion.

What really happened? A garden-variety compromise of Windows led to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully you get the idea. It was Windows itself that was compromised, not Microsoft's own systems.)

Was it serious pie/mud in Microsoft's face? Sure. Was it a compromise of "a key Microsoft security system"? Hardly.

What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.

There was... no... security... breach... at Microsoft.

Virus writers used existing software on the victims' computers to trick users into installing their software. That's it.

Now that that's clear, just what is this thing?

It's a virus--well, technically, it's a worm--and it appears to be of the same vein as Stuxnet in that it may have been written by a nation-state. And it's been out there for a long time: at least five years, say the Kaspersky researchers working on its analysis.

OK, so what's it do?

A better question: is there anything it doesn't do?

So far, according to Kaspersky's analysis of Flame, it can:
  1. Enumerate nearby Bluetooth devices
  2. Record audio (if there's a microphone)
  3. Create backdoor accounts on infected machines (HelpAssistant)
  4. Listen for incoming network requests
  5. List the PC's directory contents
  6. List "interesting" files
  7. Log keystrokes
  8. Upload collected data to remote servers
  9. Identify antivirus software and firewalls
This is a pretty nasty/impressive list of feats.

Now the real question: are you at risk?

As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.

Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.

The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)

Getting Rid of Flame

As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.

One last thing: if you're looking for more information on Flame, keep in mind that, as with most viruses, it goes by other names, in this case Flamer, sKyWIper, and Skywiper.
