Iranians, West Bankers, and Israelis can all calm down. The much-hyped Flame Trojan isn’t all that, according to Zvi Netiv, one of the world’s pioneers of the anti-virus business.
“The capabilities that are being attributed to Flame are clearly way overblown. There is nothing in Flame that we haven’t seen for at least ten years,” said Netiv, who has seen viruses, Trojans, and worms come and go since 1991, when his company, NetZ Computing, came up with the world’s first comprehensive virus protection program.
That’s a radical position, considering comments made by Eugene Kaspersky, who heads Kaspersky Labs, which captured Flame and has begun analyzing it. In a press release announcing the trojan, Kaspersky said that “the Flame malware looks to be another phase in the war” to take control of networks and computer systems, “making it one of the most advanced and complete attack-toolkits ever discovered.”
Experts who have studied the information available on the virus say Flame is able to do things such as surreptitiously record conversations by taking control of a computer’s microphone, and transmit video to a server by controlling a computer’s webcam. According to Kaspersky, the purloined information — documents, screenshots, audio recordings and interception of network traffic — “is then sent to a network of command-and-control servers located in many different parts of the world.” The controllers of the virus can install “modules” for specific needs, harvesting whatever information they want at will.
Flame can even “follow” individual users throughout an organization on a network, according to Israeli security expert Ben Ben-Aderet of GRSee Consulting. “It appears that the Flame virus is extremely advanced, and that many financial and other resources were invested in developing and distributing it. All this was done with a level of professionalism not usually found among virus writers,” implying that a large, organized, and professional group — such as a government — is behind Flame.
Netiv, though, remains skeptical. “The capabilities that are being attributed to Flame would mean that it could easily be traced. Video weighs many megabytes, and it would be a simple matter to trace at least the initial path of surreptitiously uploaded video. Because of the size of video it would be very unlikely that the files could jump from server to server quickly enough to make a trace difficult.” Flame can “weigh” as much as 20 megabytes, large for malware.
“No doubt it can do many things, but if it is as capable as they say it is — and it has been around since 2007 — someone would have noticed something long before now,” Netiv said. “If the anti-virus companies can find the Trojan, they can find the servers where the data is being sent. It’s not really a virus if it just sits there and doesn’t do anything.”
Not that Netiv dismisses the Flame threat altogether. “I have no doubt that it does some of what Kaspersky claims. But it is no different substantially than other Trojans we have seen over the past decade.”
That group includes Stuxnet, the worm that allegedly set Iran’s nuclear program back by infecting the industrial control systems that ran its centrifuges. “There, too, I am somewhat skeptical over what was claimed about Stuxnet. Now that we are several years past that ‘revelation’ it is clear that whatever Stuxnet did, it did not disable Iran’s nuclear program.”
For Netiv, the news about Stuxnet, Flame, and their lesser virus brothers illustrates an interesting confluence of business, politics, and journalism. Not to sound cynical, he said, but “a lot of this is about business. There’s a clear pattern where when a major story about a ‘killer’ virus gets pumped in the media, anti-virus sales go up. As an insider, I can tell you that sales of anti-virus systems have significantly flagged in recent years, and stories like this clearly help business. So it’s clear that Kaspersky, Symantec, and other leaders in the business have an interest in pushing scare stories.”
Scary technology stories — especially relating to countries like Israel and Iran — help sell papers and drive web traffic. And don’t forget the political aspect, Netiv said. “For Iran, stories like this are very beneficial, because it shows them as a victim — ‘Look, they are destroying our computers, they are killing our scientists.’ There’s a benefit for Israel as well, as politicians get to imply that it was Israel’s high-tech genius that created the Trojan.”
But Netiv is doubtful that Flame is the work of a government. “If you are going to bother to distribute a data-collecting trojan, you would expect it to collect data and send it on. Sooner or later you will be able to trace where that data goes. So far, no one has been able to discover where the data stolen by Flame, or for that matter Stuxnet, has gone. And once the trojan is detected and eliminated, the targeted systems are shored up, and the smoking gun is unveiled. It doesn’t make sense for a government, or even a corporation, to dedicate resources to this kind of attack.”
That doesn’t mean that it’s safe to surf; on the contrary, said Netiv. “The real danger is the creation of an alternative network or popular site like Facebook, where users are diverted and their systems compromised, while they are completely unaware. Using the data collected in this manner, hostile governments could create a major crisis, like the compromising of a country’s banking system, critical national resources, or Internet connection. That is where the real battleground is, and that’s where resources to protect systems are needed.”