IE 11 is not supported. For an optimal experience visit our site on another browser.

FAQ: The Flame/Skywiper Virus and How to Protect Yourself

Ever since the news broke Monday of the Flame/Flamer/Skywiper malware toolkit, the mass media have been breathlessly chronicling this latest "super-virus."
/ Source: SecurityNewsDaily

Ever since the news broke Monday of the Flame/Flamer/Skywiper malware toolkit, the mass media have been breathlessly chronicling this latest "super-virus."

However, there are a lot of misconceptions being bandied about in the press about Flame/Skywiper, right down to what it's called and who first discovered it.  Here's what we know for sure so far.

Q: Flame, Flamer, Skywiper— what's this thing's real name?

A: All three names are correct. Different security companies often give the same bugs different names. It's almost certain that the malware's developers used yet another name, which we may never know.

[ 'Skywiper' Keeps Cyber Arms Race Alive ]

Q: Where do the names come from?

A: The names come from filenames found in the malware's source code.

"FLAME" appears to be the name of a module that spreads the bug along internal networks, and Moscow-based Kaspersky Lab decided to call the entire package "Flame" because of that. Similarly, the Iranian government cybersecurity bureau MAHER decided to call it "Flamer."

CrySyS, a cybersecurity research lab at Budapest University of Technology and Economics in Hungary, calls the entire package "sKyWIper" after "~KWI," a filename the malware uses to store temporary files.

Q: Is Flame/Skywiper a virus?

A: Technically, no. Unlike viruses, Flame/Skywiper doesn't infect already existing files. Its method of infection isn't completely known yet, but it appears so far to be a worm in that it can spread independently using internal networks and USB drives.

Overall, though, Flame/Skywiper is a malware toolkit — a package of several different kinds of malware that combine to overwhelm the defenses as of many targets as possible.

Q: What sort of computers does Flame/Skywiper infect?

A: It infects machines running Windows XP, Windows Vista and Windows 7.

Q: Is there any chance that my computer could be infected?

A: It's not likely, unless you're a government official or weapons researcher in the Middle East.

Q: Is this really the biggest computer malware ever?

A: If you're counting in terms of file size, yes. Depending on the configuration, Flame/Skywiper can reach 20 megabytes in size, which is enormous for a piece of malware.

Most pieces of malware take up less than one megabyte. For example, Stuxnet, which sabotaged an Iranian nuclear facility in 2010, was pretty complex, yet came in at about half a megabyte.

Q: Most news reports say a Russian security firm found Flame/Skywiper first.

A: That's not entirely true. Three different research teams found Flame/Skywiper independently.

Kaspersky, the Russian firm in question, had been analyzing "Flame" for several weeks at the behest of the United Nations' International Telecommunication Union. The ITU wanted to know more about a malware attack in March and April at Iran's government oil ministry that deleted information from several computers.

CrySyS had been conducting its own analysis into "Skywiper" on behalf of "several parties" who "want to remain anonymous."

MAHER, the Iranian government agency, had also been conducting an investigation into what it called "Flamer," and was the first to publish its results in a blog posting early on Monday (May 28).

The MAHER posting forced Kaspersky and CrySyS to quickly put their own findings online later that day. Kaspersky posted a long Q&A about the malware, and CrySyS posted a very detailed 64-page technical report.

Q: When did Flame/Skywiper first appear?

A: The bug's age is not clearly known, but the March/April malware attack at the Iranian oil ministry seems to be the first indication that something was up.

Q: Is Flame/Skywiper spreading rapidly?

A: No. It's spreading very slowly. Only a few hundred computers, mostly in the Middle East, are known to have been infected. Flame/Skywiper seems to avoid the Internet and prefers to spread along an organization's internal network. It hops from one internal network by catching rides on USB flash drives. (Stuxnet also used USB drives to spread.)

That's really a very small malware infection, indicating that Flame/Skywiper is highly targeted and that most people will never have to worry about it.

Q: Which countries are affected?

A: Iran has been the most affected, with nearly 200 machines infected, according to Kaspersky's figures, which also show about 100 machines are infected in Israel and the Palestinian territories, with lesser numbers in Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

CrySyS has also found evidence of infections in the United Arab Emirates and in unnamed European countries, as well as its own home country of Hungary.

Q: How long has Flame/Skywiper been around?

A: At least two years, according to Kaspersky, and possibly as many as eight years, according to CrySyS. Both teams analyzed archives of malware reports to reach those conclusions.

Flame/Skywiper's creators also placed fake dates inside the software, which make it seem like some components date back to the early '90s.

Q: What does Flame/Skywiper do to an infected computer?

A: Heck, you could ask "What DOESN'T it do?" It's one of the most comprehensive spyware programs ever found.

Flame/Skywiper buries itself deep in the Windows operating system, makes sure it runs upon computer startup, tailors itself to hide from specific brands of anti-virus software, turns on the computer's built-in microphone to record audio conversations, logs keyboard typing, changes the Bluetooth configuration to spy upon nearby cellphones, tablets and laptops, takes screenshots, monitors wired and wireless network activity and sends whatever information it's gathered off to command-and-control servers in a dozen different countries. 

Q: Does Flame/Skywiper have a "kill switch" or expiration date?

It doesn't seem to, but once its controllers have decided that a Flame/Skywiper installation on a specific target machine has served its purpose, they can remotely activate a "SUICIDE" command (that's really what it's called in the code) that deletes all the Flame/Skywiper files from the machine.

Since many of those files use names identical or very similar to authentic Windows system files, it's possible that the spontaneous deletion of information on Iranian oil ministry computers was a result of the "SUICIDE" command being activated.

Q: Who would want to create Flame/Skywiper?

A: Flame/Skywiper was almost certainly created by a national government with the resources to devote months, if not years, of expert programming and millions of dollars in expenses to create extremely sophisticated, multipurpose spyware. (Cybercriminals don't have that much money or time.)

In the Middle East, which Flame/Skywiper clearly targets, the only countries with such capabilities are Iran and Israel.

Q: Doesn't the United States have the capability to have developed Flame/Skywiper?

A: Yes, and so do Russia, China, Canada, Brazil, Germany, Britain, France and maybe even North Korea. But Flame/Skywiper doesn't target those countries' areas of interest.

For example, if Flame/Skywiper were a Chinese creation, you'd expect it to snoop on computers in Taiwan, Japan, India and the West. If it were American, it would be in many other areas of the world besides the Middle East.

Q: The Flame/Skywipersource code seems to use English-language filenames.

A: It does, and it even references American pop culture. One file is named "BEETLEJUICE." That could mean the coders were American — or it could mean that they've watched a lot of American TV shows and movies.

Q: Were the Stuxnet creators behind Flame/Skywiper?

A: We don’t know. The two packages don't share much code, at least not in the way the Duqu Trojan shared a lot of code with Stuxnet.

But Flame/Skywiper and Stuxnet share an otherwise unmatched degree of sophistication and complexity, and both target Iran, leading most analysts to presume that Flame/Skywiper may have been created in parallel to Stuxnet.

Q: Does this mean we're on the brink of cyberwar?

A. No. There's a big difference between espionage and outright warfare. No one's been killed by Flame/Skywiper, at least not that we're aware of.

Q: Can I protect myself against Flame/Skywiper?

A: Yes. The good news is that most of the major anti-virus software vendors, including Norton Symantec, McAfee, Bitdefender, TrendMicro, Sophos and Avast, have already updated their malware definitions to protect against Flame/Skywiper.

Bitdefender has also issued a Flame/Skywiper removal tool in case you think you're already infected.