Why would super-secret spy software be written in a video game language? As security researchers continue to unpack the digital mystery that is the Flame virus, that's just one question looming over perhaps the world's most intriguing digital whodunit.
With all the talk about Flame being the most powerful, ingenious and stealthy computer virus ever written, some properties of the mysterious malicious software are causing confusion.
For one thing, the program takes up 20 megabytes of space on infected machines. That's not stealthy; large files usually indicate sloppy programming. Also, unlike Stuxnet, Flame didn't come with precision targeting, and hasn't yet been credited with doing anything as impressive as hacking nuclear power plant computers. But perhaps most mysterious of all: Part of Flame’s code was written in the Lua programming language, a simple language used almost exclusively by video game programmers. Why would a nation-state trying to commit secret espionage toy with video game software?
"This is not a stealth operation," said Marcus Carey, who worked as a security analyst at the National Security Agency for eight years before joining the security firm Rapid7 in Boston.
News of the Flame virus hit Monday, as multiple computer security firms claimed the program represented a huge escalation in cyberwarfare. Moscow-based Kaspersky Labs, among the first to analyze the virus, called it the most powerful malicious program ever.
“The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” it said.
Flame reportedly comes loaded with lots of capabilities, such as remotely turning on victims' PC microphones, but it's hardly the first virus to accomplish that. And unlike Stuxnet, it's yet clear that Flame used a series of so-called 0-day exploits -- vulnerabilities in software that are undiscovered by the security industry and for which there are no antidotes. While initial reports immediately linked Stuxnet to Flame, primarily because they both seem to target Iran, skepticism is beginning to build that the two are directly linked.
That's partly because the two programs were written in very different ways. Flame’s authors used Lua, something that confuses observers.
"Lua in a spy tool is just ... weird," said one Israeli programmer who uses Lua and requested anonymity. "The little snippet I've seen of the code seems so ... ordinary ... really like the work of your average programmer. Stuxnet sounded genius.”
Said another: "Lua is considered a kids language.... All I see around that is built with Lua are games. I mean, the syntax is very simple."
Not exactly the stuff of high-tech international espionage. Or is it?
Lua has been around since the 1980s, developed at the Pontifical Catholic University of Rio de Janeiro in Brazil. It was created out of necessity; at the time, trade barriers made importing software development tools too expensive. Development of Lua as a programming language remains centered in Brazil, where a small group of programmers make infrequent updates to the language. But it's become a favorite platform for a few thousand devotees around the world, who are attracted to its simplicity, its ability to play well with other software and its tiny footprint, which makes it ideal for use on embedded devices or games, where memory and space are at a premium.
Unlike other programming languages that grow in size out of necessity over time, Lua has actually shrunken in recent years, as developers have revised and refined its architecture.
Its name – Portuguese for “moon” – hints at Lua’s use as a subordinate language to attach satellite projects to larger pieces of software.
At the Lua-L discussion list, Flame talk was all the rage on Monday, as its users’ small corner of the technology world was suddenly thrust into the limelight. One even the virus "in some morbid way...an endorsement for Lua."
"I'm a bit perplexed about the alleged high sophistication of that malware, when I see unobfuscated Lua with self-descriptive names," added a poster identified as Enrico Colombini
But longtime Lua programmer Erik Hougaard, based in Denmark, said such opinions show a fundamental misunderstanding of Lua's simple elegance as a programming tool.
"It's a well-kept secret, but it's everywhere. It's hard to pick up an Xbox game without it," said Hougaard, who now uses Lua to program robots but has also used it to create from-scratch accounting software and other financial tools at EFoqus Danmark A/S. "It's not sexy, but it's unique. It's so small you can fit it onto a single chip."
That's essential, because Lua includes both program and programming language in one tidy package -- meaning programs written in Lua will run reliably on machines as diverse as PCs and iPhones.
"Lua is quite common in the mobile application space. If someone has Angry Birds installed on their iPhone, they are using Lua," said Carey, the security analyst. In fact, thousands of iPhone apps are written with Lua, he said.
Hackers have taken notice. While security firms have said they can't think of another computer virus before Flame that used Lua, it is a fundamental part of a favorite hacker tool called "NMAP." NMAP is used to scan the Internet for computers with potentially exploitable vulnerabilities; it’s the first tool used by hackers looking for trouble, and by security professionals looking to plug holes. NMAP permits use of a scripting language that runs under Lua so hackers can adjust the tool as needed.
"People have been using Lua to hack networks for a while, so this shouldn't surprise anyone," Carey said. "Attackers are just using what works."
Lua first came to hackers' attention about two or three years ago, roughly when some analysts believe Flame was written, Carey said.
As with most information about Flame, Lua's appearance in the virus can be interpreted in two ways:
- Flame's writers may have been ahead of their time, using a unique programming language to create their cybermonster, and further confuse computer security professionals.
- Or, Flame's writers may have been video gamers and relative amateurs who didn't bother to do much to cover their tracks.
Symantec Corp. believes the use of Lua supports the former theory. It’s one of many security firms calling Flame one of the most powerful and complex virus ever written.
"Lua is scriptable, easy to understand, and easy to update. That said, it’s not used often," said Vikram Thakur, principal security manager at Symantec Security Response. "Anecdotally, we can’t think of another threat that is written in Lua..... The usage of the programming language is what makes the program, independent of the language, interesting."
But is it the work of genius, and a sign that cyberwar has escalated a new and dangerous level? Carey is not so sure.
"Saying this is the work of a nation-state is premature," he said. "This is not a particularly clever piece of malware or uber-elite." And despite the fact that it apparently operated in stealth for at least two years, many experts say it is too big to have been conceived as a spy tool.
"What's with the size?" said the anonymous Israeli Lua programmer. "It's like the trick they do in the movies of making a scene on the train/plane” to create a diversion while committing a crime.
Colombini was even more direct in his assessment.
"I find it difficult to believe this to be the work of an intelligence service, at least of a decent one,” he said. “Obfuscating … the Lua code would have made analysis more difficult and above all slower. In the spying business gaining time has a very high value. … No self-respecting intelligence service (would have neglected to do that)."
So far, most of the roughly 300 confirmed Flame infections have been in Middle Eastern countries that are natural enemies of Israel, including 189 in Iran, according to Kaspersky Lab.
“If it weren't for the peculiar geographical distribution, (which is) the only thing that makes one think of politically charged malware, I'd think of a sort of malware construction kit,” designed to simply collect a large series of attack tools in one place, Colombini said.
Given that the subject is covert cyberwar, confusion, half-truths and disinformation are the rule rather than the exception. Already, an unnamed U.S. official has told NBC News that the U.S. government is probably responsible for it; while Israeli officials have hinted that their side developed it.
Something else concerns Carey about the way that the Flame narrative has progressed so far. Much of what we know about Flame has come directly from Iran's Computer Emergency Response Team Coordination Center.
"Generally, we don't believe anything Iran says. Here, we seem to be believing everything they say," he said. "But this incident reinforces a storyline for Iran playing the victim."
Symantec, and many other security organizations, have said the sheer size of Flame is making thorough analysis of the virus a slog. Early reports on the malicious program all came with warnings that findings were preliminary. Symantec expects to issue a follow-up later this week.