The creators of the Flame malware have sent a "suicide" command that removes it from some infected computers.
Security firm Symantec caught the command using booby-trapped computers set up to watch Flame's actions.
Flame came to light after the UN's telecoms body asked for help with identifying a virus found stealing data from many PCs in the Middle East.
New analysis of Flame reveals how sophisticated the program is and gives hints about who created it.
Clean machine
Like many other security firms, Symantec has kept an eye on Flame using so-called "honeypot" computers that report what happens when they are infected with a malicious program.
Described as a very sophisticated cyber-attack, Flame targeted countries such as Iran and Israel and sought to steal large amounts of sensitive data.
Earlier this week Symantec noticed that some Flame command and control (C&C) computers sent an urgent command to the infected PCs they were overseeing.
Flame's creators do not have access to all their C&C computers as security firms have won control of some of them.
The "suicide" command was "designed to completely remove Flame from the compromised computer," said Symantec.
The command located every Flame file sitting on a PC, removed it and then overwrote memory locations with gibberish to thwart forensic examination.
"It tries to leave no traces of the infection behind," wrote the firm on its blog.
Analysis of the clean-up routine suggested it was written in early May, said Symantec.
Crypto crash
At the same time, analysis of the inner workings of Flame reveals just how sophisticated it is.
According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as a "chosen-prefix collision attack". This allowed the virus to fake digital credentials that had helped it to spread.
The exact method of carrying out such an attack was only demonstrated in 2008 and the creators of Flame came up with their own variant.
"The design of this new variant required world-class cryptanalysis," said cryptoexpert Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam in a statement.
The finding gives support to claims that Flame must have been built by a nation state rather than cybercriminals. It is not clear yet which nation created the program.
http://www.bbc.co.uk/news/technology-18365844
The Most Sophisticated Cyberweapon Yet?
By Chris Wood, Senior Analyst
"It pretty much redefines the notion of cyberwar and cyberespionage."
That's a quote from experts at the Russia-based antivirus firm Kaspersky Lab regarding malware they recently discovered while trying to determine what was deleting sensitive information from computers across the Middle East for the UN's International Telecommunication Union. While searching for that code, nicknamed Wiper, the group discovered a new, more insidious, malware codenamed Worm.Win32.Flame.
More on that new malware, simply dubbed "Flame," in a moment. First, some background on the state of cyberwar today. For starters it's important to recognize that although no cyberwar has ever been declared, cyberwarfare is now a part of life. The war is pervasive and we are all vulnerable to attack.
It's impossible to say who fired the first "shot" in this war, but the US government has certainly stepped up the fight. The New York Times recently came out with a report detailing how President Obama accelerated cyberattacks (begun during the Bush administration) on the computer systems that run Iran's nuclear enrichment facilities. The worm that the US (in conjunction with Israel) created to carry out the attacks accidentally became public in the summer of 2010; a programming error allowed it to escape its target in Iran, and it was discovered by computer security experts. They named it Stuxnet.
The cat was out of the bag. But it was still just speculation at the time that the US and Israel were behind the worm. In the weeks that followed, Iran's Natanz plant was hit by a newer version of Stuxnet, and then another after that. According to David Sanger of the New York Times, "The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium."
As far as we know, Stuxnet was the US's first sustained use of cyberweapons; the attacks marked the first time that a computer worm was used to cause physical damage, prompting many to call Stuxnet the most sophisticated piece of malware that had ever been crafted.
Enter Flame.
According to the experts at Kaspersky Lab, "Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated." It's a back door, a Trojan, and has wormlike features, which allow it to replicate in a local network and on removable media if instructed. At almost 20MB when fully deployed, it dwarfs Stuxnet (itself 50 times larger than the typical worm). And it's been infecting systems in parts of the Middle East and North Africa for at least two years.
Flame is a sophisticated attack toolkit that spies on the users of infected systems by sniffing network traffic, taking screenshots, recording keystrokes, and even recording audio conversations by turning on computer microphones remotely. Another impressive feature of Flame is its ability to use enabled Bluetooth devices to collect information about discoverable devices near the infected machine. The malware is also a platform capable of receiving and installing various modules for different goals. It allows operators to upload further plugins which expand Flame's functionality through a back door. There are about 20 modules in total; the purpose of most of them is still being investigated.
While Flame is similar to Stuxnet in that both are the product of highly advanced programming and detailed expertise in many specialized areas, and both use specific software vulnerabilities to target selected systems, it differs from Stuxnet in some important ways. Stuxnet was designed specifically for the purpose of infiltrating and wreaking havoc on the centrifuges at Iran's Natanz nuclear enrichment facility. At least part of Flame's purpose appears to be more broad-based in nature: a general-purpose tool for cyberespionage. Once Flame captures the data it's looking for, it compresses and encrypts the information and then holds it until it has a reliable connection to send it to its command and control servers.
By virtue of its general cyberespionage purpose, Flame is much more widespread than Stuxnet. Researchers have detected Flame on hundreds of computers throughout the MENA region and suspect that the total number of infections could be more than a thousand. The top affected areas are Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
It's not yet known who is behind Flame, since no information in the code has been discovered that can tie it to its authors. But, like Stuxnet, Kaspersky Lab believes it is the product of a nation-state.
[Ed. Note: Some computer security firms say that Kaspersky has hyped Flame, and that it's too early to call it a cyberweapon. Whether the skepticism is warranted or a result of jealousy remains to be seen. But what can't be contested are the skills of the researchers at Kaspersky Lab.]
At this point you might be saying, "Well that's both kind of scary and cool, but so what? What's the point? How does it affect me?"
The point is that the genie is out of the bottle, and there's no going back. Unlike in a traditional war, in a cyberwar it's the more developed nations that are the most vulnerable to attack. When Flame was designed, the programmers did not employ "code obfuscation," which is a fancy way of saying that they didn't try to disguise the code in any way that would make it difficult to reverse engineer, as a commercial software developer would have. According to Fred Guterl from Scientific American, "Stuxnet code was not protected against reverse engineering, either, but this is less of a problem because its purpose is narrow and hence the programming is less useful as a weapon than the more general-purpose Flame." This, coupled with the fact that the US has recently been so brazen in its cyberwar efforts, virtually ensures an increase in cyberattacks against the US government and US businesses.
Alan Paller, director of research at the SANS Institute, said that the revelation of US involvement in Stuxnet dramatically altered the cybersecurity landscape:
"The public airing of the US involvement in Stuxnet is going to make others bolder about launching similar attacks against the country using the same kind of tactics and cyber weapons. We are now going to be the target of massive attacks."
The takeaway for US businesses should be that they need to pay more attention to securing their networks.
The takeaway for investors should be that with the proliferation and increasing sophistication of cyberthreats, there will be growing demand to protect against it. As the weapons in this cyberwar evolve, so too must the defenses against them. And that's big business.
As Intel CEO Paul Otellini said, "We have concluded that security has now become the third pillar of computing, joining energy-efficient performance and Internet connectivity in importance."
Otellini hit the nail on the head. And investors are already capitalizing on the huge growth that will come in this area over the coming decades. Estimates of the total market opportunity vary widely, but to get some sense, Canalys recently announced the results of its latest enterprise security forecasts, which indicate that the market is expected to grow to about $23 billion worldwide this year. Steady, double-digit growth is projected for years to come.
As one example of the gains that can be had by investing in this space, Casey Extraordinary Technology subscribers were rewarded with a one-week return of nearly 50% in August of 2010 when we recommended buying ArcSight Inc., which developed monitoring software to seek out nefarious code or malicious insiders that had breached a company's firewall. Just seven days after our recommendation, news of a potential buyout of the company by HP, at a 50% premium, caused the shares to pop and we exited with a huge gain.
Another example: One of our core portfolio holdings which operates in the network security space is up almost 170% since we bought in just two years ago.
Not all the computer and network security firms out there are gems, but given all the money that's necessarily going to be pumped into these industries in the coming years, it behooves you as an investor to investigate the options.
Casey Research