Win32/Flamer: the 21st Century Whale

It’s not only the malware that ESET calls Win32/Flamer.A which is complex (and quite dauntingly large).

The news and speculation around this threat is also extensive and complex. While it is understandable that what appears to be a sophisticated threat found in several regions, some of them particularly politically sensitive, has excited so much interest, conflicting conjecture and confusion over the ‘ownership’ of the detection is muddying the waters somewhat. According to the Iran National CERT, it had detection (but not removal) for the malware in early May, but Kaspersky claims it’s been in the wild since March 2010. This seems to be the same malware threat that the Laboratory of Cryptography and System Security (CrySyS) in Budapest calls sKyWIper (which they believe may have been active for 5-8 years or even longer). However, it looks as if those assumptions on timing are incorrect: module compilation dates have been manipulated, presumably in order to hamper researchers in some way.

Nonetheless, the Budapest lab has some interesting initial analysis which shouldn’t be overlooked. While I’m reluctant to add to the confusion, it seems to me of interest that the malware has been reported not only in the Middle East/Western Asia (including Israel, curiously enough), but also in Eastern Europe (notably Hungary and Austria) and even Hong Kong. Whether it’s actually targeting a specific country is not clear: after all, Stuxnet is nowadays assumed to have been targeting Iran, but was originally detected over a very wide area. While there’s speculation that Flamer is linked in some way to Stuxnet and Duqu, that seems to me to be – well, speculative, as most of the code seems very different.

Perhaps the most interesting feature is that the Iran National CERT (Maher) has volunteered to share samples with security vendors even though many software vendors (notably those headquartered in the US) are unable to trade legally with Iran. (Bizarrely, these malicious programs are running in Iran on an operating system that Microsoft can’t export to Iran.) This restriction may have hampered initial detection of the malware by security vendors outside the region, but samples have subsequently trickled into the mainstream via secondary sources.

The whole episode seems strangely reminiscent of the excitement back in 1990 about Whale. This was a very large, very complex, heavily-armoured virus that attracted a great deal of detailed analysis: as Alan Solomon said later, far more analysis than was really necessary to write detection for the thing. I guess researchers had more spare time in those days. There is a difference, though: Whale was significant because of the array of interesting techniques it contained, but as malware it was barely functional. Flamer, however, looks to be too effective to be ignored, even though detection for it is already widespread. In that respect, it is like Stuxnet: no-one will be happy until we have a better idea of the who, the whys and the wherefores behind it.

ESET Senior Research Fellow

Author David Harley, ESET

  • Maher Researcher

    just to mention, your link to Maher article is not correct, this is the correct one:

    • David Harley

      Thanks. The link you gave us was stripped automatically by the CMS, but I think the link I’ve added should now work correctly.

  • Graham Cluley

    Ha.. I love that you are making the comparison to the classic “Whale” virus.

    I had the same thought myself, but hadn’t committed it to keyboard. I’m not sure anyone ever fully understood the intricacies of “Whale”… Here we are over 20 years later and it’s still a mystery..

    Kids today etc..

    • David Harley

      We used to dream of living in a sandbox. ;-)

  • Stephen Cobb

    The fuss about Flamer will be worthwhile IF the result is broader corporate and consumer awareness that a. much malware today is both complex and modular with a wide range of espionage capabilities, and b. good endpoint security offers good defense against these threats.

    The RAT examples that Cameron and I showed at our presentations during Interop certainly drew a lot of eyeballs from IT professionals who clearly needed to revise their perceptions about the state of malware, or revise the perceptions of their users and management (for that purpose the recorded version is freely available here).

    Many computer users just don't realize (yet) that there is plenty of malware out there that can do things like turn on your webcam and microphone, and do yet more nasty things if they are updated with fresh modules by the botmaster. This may sound like rare and exotic stuff but we know it is not. I think it is worth noting that one of the most prolific spam-sending botnets, Win32/Festi, is modular in design, as detailed at length in the recent ESET whitepaper on Festi. The good news is that proper implementation of sound endpoint security can provide a strong defense against these complex threats.

  • Kawther

    Thanks, it is so interesting topic.
    You mentioned here the detection of the virus and you gave snapshot about the detection and you didn’t mention the cleaning of it for NOD32 and Smart Security. Could you please confirm the ability of cleaning with snapshot?
    thanks in advance

    • David Harley

      The screenshot in the post already says:
      “Clean – Recommended.
      The object contains a possible threat for your system. This option will completely remove possible threat from your system.”

  • Larry Constantine (Lior Samson)

    "Endpoint security" like the much-touted "air gap" is an illusion. In any real installation there are far too many endpoints, too much in flux. With highly adaptable, configurable malware in the wild, if somebody wants in badly enough, they can get in. With Stuxnet, DuQu, and now Skywiper/Flamer, we have been distributing free courseware in software engineering for malicious purposes, complete with a well-equipped laboratory supplied with sample code and templates. These are all just pre-war skirmishes with small arms compared to what is on the drawing table.
    –Larry Constantine (Lior Samson)

Copyright © 2018 ESET, All Rights Reserved.