New Version of Flame Malware Discovered

Flame was discovered in 2012, linked to Stuxnet, and believed to be American in origin. It has recently been linked to more modern malware through new analysis tools that find linkages between different software.

Seems that Flame did not disappear after it was discovered, as was previously thought. (Its controllers used a kill switch to disable and erase it.) It was rewritten and reintroduced.

Note that the article claims that Flame was believed to be Israeli in origin. That's wrong; most people who have an opinion believe it is from the NSA.

Posted on April 12, 2019 at 6:25 AM • 5 Comments

Comments

Petre Peter April 12, 2019 8:02 AM

A good search engine should be able to return all things similar to a particular body of malware. It's a problem of finding the right search parameter.

BebeTrump April 12, 2019 3:30 PM

Given how closely they work together, I'm not convinced that the difference between the NSA and the Israelis is a difference worth paying attention to.

641A April 14, 2019 7:51 PM

Note that the article claims that Flame was believed to be Israeli in origin. That's wrong; most people who have an opinion believe it is from the NSA. [Citation Needed]
I'm genuinely curious who these people who have that opinion are. My (layman's) opinion is that it was the work of American and Israeli intelligence working together, which is supported by various news articles on the subject. If you have reason to think that only the US was involved, I'd like to hear it.

1&1~=Umm April 15, 2019 3:40 PM

@641A:

"I'm genuinely curious who these people who have that opinion are."

I'm always curious when people make allegations as to the origin of malware, especially alleged 'state level' cyber-espionage code.

However I suspect the reasoning is that in various ways both the US and Israel 'fessed up' to stuxnet. Although the Israelis gave the impression that they were responsible for the actual ICS code not the delivery / dropper code (I hate that expression ;-)

It was noted after stuxnet that there were two earlier state level malware types that had similarities with stuxnet. One of these was Flame, and as the targets it had been aimed at appeared to some to be "Of US interest" rather than Israeli, it has kind of cemented it in some minds that Flame and all its derivatives 'must be NSA code'.

Thus there appears to be a bit of a cult or belief system built up around it. The trouble is that both cults and belief systems are mostly recognized for their lack of rationality in their conclusions and the 'nerr nerrr not listening' attitude of their adherents.

It's been pointed out on this blog long before the CIA emulator code turned up that a 'false flag' operation could easily exploit such cults / beliefs simply by copying the code and making a few minor code changes. Those 'true believers' and those whose income "depends on them being seen to be believers" are going to blow the horn and bang the drum irrespective of whether there is any fact behind it... Which is very useful to those wishing to 'stir it up' one way or another.

Oh as for stuxnet, as was later confirmed the real target was not Iran, they were just collateral damage on the real target which was North Korea. If you study the 'before and after beliefs' you will see how easily not only they can be wrong but how tenaciously 'true adherents' can cling in beyond reason or fact...

That is just part of the human condition so don't worry about it. Remember 'guessing is easy, finding supporting facts is hard, very hard' when it comes to attributing malware; some but not many are beginning to realise this, but then their income is not dependent on following a political narrative.
