Self-destructing and hard to detect… Flame, the most "tricky" computer worm virus in history

1. Prophecy

Dadong: Xiaobai, do you remember the worm virus we talked about before?

Xiaobai: I remember. Worm viruses replicate and spread through the Internet, and their main transmission channels are the Internet and email, right?

Dadong: You remember it well! However, as society develops, not only technology is improving but computer viruses are improving too. Today I will tell you about a super advanced version of the worm virus!

Xiaobai: Super advanced version? Just hearing this makes me feel so awesome!

Dadong: Its real name is Worm.Win32.Flame, abbreviated as Flame Virus.

Xiaobai: Brother Dong, tell me about it quickly! I can’t wait.

2. Flame virus

Dadong: The full name of the Flame virus is Worm.Win32.Flame. It was discovered in May 2012. It is a backdoor program and Trojan, and it also has the characteristics of a worm: as soon as the operator behind it issues an order, it can replicate itself across the network and onto mobile devices.

Xiaobai: Once the computer system is infected, what actions will the virus take?

Dadong: They include monitoring network traffic, taking screenshots, recording audio conversations, intercepting keyboard input, and so on. All data on the infected system can be transmitted over a link to a server specified by the virus, so the operator can see it at a glance.

Xiaobai: It’s completely under surveillance.

Dadong: The Flame virus is a highly complex malicious program that is often used as a cyber weapon and has attacked multiple countries.

Flame virus intercepted by Kaspersky

Xiaobai: What are the ways in which the Flame virus is transmitted?

Dadong: Physical contact. Like the industrial virus Stuxnet, which used a lesser-known LNK vulnerability, Flame's code was found to contain the same LNK exploit. Someone would carry a USB drive and insert it into the victim's PC. When Stuxnet was first discovered, this LNK vulnerability was an unpublished 0day, but it has since been fixed. So far, Flame has not been found to use any 0day vulnerabilities.

Xiaobai: What else?

Dadong: Remote infection. In this case it could be a malicious link or an email attachment. If the Flame authors try to push the Flame virus onto a user's PC remotely, it may be blocked by security software such as Trustwave Secure Web Gateway because it does not carry a proper digital signature.

Xiaobai: What are the targets of the Flame virus?

Dadong: Although the Flame virus was only discovered in 2012, many experts believe it may have been lurking for a long time. Thousands of computers in many countries, including Iran and Israel, have been infected with this virus. Moreover, its attack activity is irregular: personal computers, educational institutions, various non-governmental organizations and state agencies have all been visited by it.

Xiaobai: It seems that it doesn’t choose its targets.

Dadong: The Flame virus initially focused on attacking the Middle East, including 189 cases in Iran, 98 cases in Israel and Palestine, as well as Syria, Lebanon, Saudi Arabia and other countries, with the purpose of being used for cyber warfare.

Flame virus distribution map

Xiaobai: A war without the smoke of gunpowder.

3. The most dangerous virus in history

Dadong: Flame has been identified by official organizations including the International Telecommunication Union and internationally authoritative vendors such as Kaspersky as the most complex, dangerous and deadly virus threat to date.

Xiaobai: Is the Flame virus so powerful? Is it worthy of being called "the most complex, the most dangerous", "the most powerful", or even "the most ingeniously designed", "the most secretive", "the most deadly" and many other titles?

Dadong: The Flame virus uses 5 different encryption algorithms, 3 different compression techniques and at least 5 different file formats, including its own format, and stores the information it gathers from the infected system in a highly structured form in databases such as SQLite. The virus file is as large as 20MB (printed out, the code would run to 2,400 meters of paper). In addition, it is written in the Lua scripting language used for game development, which makes its structure even more complex.

Xiaobai: It really can be described as the “most complicated”.

Dadong: It is reported that the earliest appearance of the Flame virus can be traced back to 2007, and it is speculated that attackers may have released it in March 2010 (attacking the business intelligence of Iran's oil sector), but because of its complex structure and selective targeting, security software had not been able to detect it. The current consensus is that the Flame virus may have been active in some form for 5 to 8 years, or even longer, and this long latency is very dangerous. In addition, once the data collection task is completed, these viruses can destroy themselves, which is one of the reasons they can remain dormant for so long.

Xiaobai: It can also destroy itself, no wonder it is not easily detected.

Dadong: Once the Flame virus has infected a computer and been activated, it uses every available channel, including the keyboard, screen, microphone, removable storage devices, network, Wi-Fi, Bluetooth, USB and system processes, to collect information. It records the user's web browsing, communication calls, account passwords and keyboard input, and can even use Bluetooth to steal files from smartphones and tablets connected to the infected computer and send them to the server that remotely controls the virus. In addition, even if the connection to the server is cut off, the attacker can still control the infected computer at close range through Bluetooth signals.

Xiaobai: From a functional perspective, it is very powerful. It can be called an all-round stealing technology, covering all the input and output interfaces of the user's computer.

Dadong: That’s right.

4. Preventive measures

Xiaobai: How can we prevent such a powerful Flame virus?

Dadong: Don’t worry. The antivirus software provides us with a special antivirus tool called “Super Flame”. Just click it and the Flame virus will disappear without a trace!

Xiaobai: Are there any other methods?

Dadong: Of course. The Flame virus exploits a Microsoft vulnerability, so it is very important to install official patches in a timely manner.

Xiaobai: How do I know if I have been infected with the Flame Virus?

Dadong: First, search the computer for a file named "~DEB93D.tmp". If it exists, the computer may be infected with the Flame virus. Then check the registry value "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages". If mssecmgr.ocx or authpack.ocx is listed there, the computer has been infected.

Xiaobai: As long as these files are not in my computer, can I be sure that my computer is not infected?

Dadong: Check whether any of the following directories exist. If one does, the computer has been infected:

C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr

C:\Program Files\Common Files\Microsoft Shared\MSAudio

C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl

C:\Program Files\Common Files\Microsoft Shared\MSAPackages

C:\Program Files\Common Files\Microsoft Shared\MSSndMix

Xiaobai: It should be over now!

Dadong: You are so impatient! There is still one last step. If you find any of the following files in the %windir%\system32\ directory, the computer may also be infected: mssecmgr.ocx, advnetcfg.ocx, msglu32.ocx, nteps32.ocx, soapr32.ocx, ccalc32.sys, boot32drv.sys

Xiaobai: It's finally done! Viruses are everywhere these days, so we should check each of the folders above step by step to keep them from getting in.

Dadong: Xiaobai, you finally understand these principles.
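The four checks Dadong walks through in section 4 (the temp file, the LSA "Authentication Packages" registry value, the Microsoft Shared directories and the system32 files) can be run in one pass from an elevated PowerShell session. The script below is an added example written for this page, not code from the original post or from any antivirus vendor. It uses only the indicator names the dialogue lists; the `-FullScan` switch, the choice to look for the temp file under %TEMP% and %windir%\Temp by default, and the extra check of the 32-bit Common Files folder on 64-bit Windows are this example's own assumptions.

```powershell
# Added example: check a Windows host for the Flame indicators listed in the post.
# A hit means "investigate with a full antivirus/forensics scan", not proof of infection;
# no hit does not prove the host is clean (the post's own caveat in section 4).
param(
    # Assumption: by default only common temp folders are searched for ~DEB93D.tmp;
    # pass -FullScan to walk the whole system drive (slow).
    [switch]$FullScan
)

function Find-FlameIndicators {
    param([switch]$FullScan)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Temp file named in the post.
    $roots = if ($FullScan) { @("$env:SystemDrive\") } else { @($env:TEMP, (Join-Path $env:windir 'Temp')) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter '~DEB93D.tmp' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("temp file: $($_.FullName)") }
    }

    # 2. LSA authentication packages (REG_MULTI_SZ): mssecmgr.ocx / authpack.ocx registered here.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages' -ErrorAction SilentlyContinue).'Authentication Packages'
    foreach ($pkg in @($packages)) {
        if ($pkg -match '(?i)(mssecmgr|authpack)\.ocx') {
            $findings.Add("LSA authentication package: $pkg")
        }
    }

    # 3. Directories under Common Files\Microsoft Shared.
    #    Assumption: on 64-bit Windows the 32-bit Common Files folder is checked as well.
    $commonRoots = @($env:CommonProgramFiles)
    if (${env:CommonProgramFiles(x86)}) { $commonRoots += ${env:CommonProgramFiles(x86)} }
    foreach ($root in $commonRoots) {
        foreach ($dir in 'MSSecurityMgr', 'MSAudio', 'MSAuthCtrl', 'MSAPackages', 'MSSndMix') {
            $path = Join-Path (Join-Path $root 'Microsoft Shared') $dir
            if (Test-Path -LiteralPath $path) { $findings.Add("directory: $path") }
        }
    }

    # 4. Files in %windir%\system32 named in the post.
    $sys32 = Join-Path $env:windir 'system32'
    foreach ($file in 'mssecmgr.ocx', 'advnetcfg.ocx', 'msglu32.ocx', 'nteps32.ocx', 'soapr32.ocx', 'ccalc32.sys', 'boot32drv.sys') {
        $path = Join-Path $sys32 $file
        if (Test-Path -LiteralPath $path) { $findings.Add("system32 file: $path") }
    }

    return $findings
}

$results = Find-FlameIndicators -FullScan:$FullScan
if ($results.Count -eq 0) {
    Write-Output 'No Flame indicators from the post were found.'
} else {
    Write-Output 'Possible Flame indicators found (confirm with a full scan):'
    $results | ForEach-Object { Write-Output "  $_" }
}
```

Run it as `.\Find-FlameIndicators.ps1` (or with `-FullScan` to search the whole drive for the temp file). The registry read is the check most worth keeping: a module listed under Lsa\Authentication Packages is loaded into the LSA process at boot, so an unexpected entry there is a strong signal regardless of which malware family put it there.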
