
Quick guide to Flame malware attack

by Alastair Stevenson

29 May 2012


The security industry has been alight with the news of the Flame malware attack on Iranian IT systems, which represents a significant advancement on the Stuxnet and Duqu attacks from the last two years.

Some security experts have claimed the Flame malware "redefines the notion of cyberwar and cyber-espionage" given its complexity and capabilities.

With so much information and conjecture circling around the development, V3 aims to answer some of the key questions being asked about the newly discovered cyber weapon.

Who's behind it?
No security vendor has pointed out a single country or group as being responsible for Flame's creation.

The central matter of contention at the moment is whether the malware was made by a private group or a nation state.

Kaspersky Labs chief security expert Aleks Gostev reported in his opening blog post that he believes current evidence indicates a nation state was at the very least involved in funding Flame's creation.

"Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group," he said.

"In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."

The only clue highlighting a specific country came from Israel's vice prime minister Moshe Ya'alon, who hinted the nation may have been involved in the attack.

Flame attack regions affected in the Middle East, courtesy of Kaspersky Labs

Information from Kaspersky shows that Israel itself appears to have been hit by the malware (pictured above), but this could well be blowback from its own attack: Flame can be passed on by something as simple as a USB stick, so it could easily cross into other systems.

How does it work?
Flame appears far more advanced than Stuxnet and Duqu as it's a combination of different attack factors.

"It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media [such as USBs] if it is commanded so by its master," wrote Gostev.

Gostev has admitted, though, that Kaspersky is still a long way from uncovering all of Flame's secrets, and the file is a whopping 20MB in size.

"It took us several months to analyse the 500K code of Stuxnet. It will probably take years to fully understand the 20MB of code of Flame," he said.
