What damage could the Flame virus cause?
A new malware threat is spreading like fire across the Middle East. What problems might the cyber weapon Flame cause, where did its name come from, and how similar is it to the virus Stuxnet?
Kai Ryssdal: You know how the IT people at work are always giving you a hard time about network security? About passwords and not using files you're not sure of? Yeah, listen to 'em. We learned today of a brand new virus that could conceivably do very bad things. It's called Flame. It's been found so far mostly in the Middle East. And it's bringing back memories of a virus from a couple of years ago called Stuxnet that got cyber warfare experts very nervous. Liam O Murchu is an analyst at Symantec. He does viruses like these for a living. Welcome to the program.
Liam O Murchu: Good to be here, thank you very much.
Ryssdal: What is this thing, Flame?
O Murchu: Flame is an information-stealing threat that we have recently discovered and it's interesting because it has been found in Middle Eastern countries exclusively. We haven't found it anywhere except in the Middle East. It's capable of stealing all sorts of information -- keystrokes, it's able to take screenshots of your computer, it's able to listen in on your microphone and it's able to discover Bluetooth devices that are nearby.
Ryssdal: You mention that it's an intelligence-gathering tool. Could it do physical damage? Could it get into an electrical grid? Could it get into some kind of corporate network?
O Murchu: Well the way that Flame is written is that it's very modular, so the attackers can add in new modules at any time and they could update it very easily. So the attackers could choose to do that in the future, but from what we see right now, it's exclusively being used for information stealing and to spread to other computers. So it's able to infect other computers on your network and is able to spread to them and it's able to collect the information from all of those computers.
Ryssdal: Is it like Stuxnet in that it's designed to do physical damage to equipment, famously the centrifuges over in Iran?
O Murchu: No, so Flame is not able to change how physical machinery works in the way that Stuxnet did. It is strictly for stealing information and the reason that it's similar to Stuxnet is that it appears to be a politically-motivated threat, a covert threat, that is operated in Middle Eastern countries, which is very similar to where Stuxnet operated. But the threats themselves are different. They have different capabilities, and they're written by different people.
Ryssdal: There's probably a short list of countries that would get behind this. Care to hazard any guesses?
O Murchu: Well we don't know actually, but it's interesting to see that we found this threat -- or at least the threat has been reported -- in Iran, Lebanon, and Palestinian West Bank. So that does narrow down who is likely to be behind it.
Ryssdal: Do I have to worry about this thing on my laptop at home?
O Murchu: Probably not so much, particularly now because seeing as how this is a very targeted attack -- unless you are living in the Middle East and are engaged in something that the attackers are interested in, you probably don't need to worry about this threat.
Ryssdal: Is the building and deploying of one of these things a billion-dollar proposition? A million-dollar proposition? How expensive is it?
O Murchu: It's expensive, but you're not talking billions of dollars. No. Millions maybe would be more accurate. In this particular threat, it looks like it was written by people who normally write legitimate software. So this threat, for example, it carries a database inside it and it interacts with the database for storing information and for accumulating information. Whereas normally with malware, we see them just using plain files, plain text files, things like that.
Ryssdal: Last question for you, Mr. O Murchu. Who gets to decide that this thing is called Flame?
O Murchu: Well normally the researchers decide that and in this particular case, researchers looked at the code inside the threat and the word "flame" is used extensively within the threat. So the researchers picked that out and decided to call it Flame. We normally try to call it something that we can uniquely identify in files. If we see a new version, we would see that name and we would know oh yes, this is Flame again.
Ryssdal: Liam O Murchu, he's an analyst at Symantec, the virus people. Thanks very much for your time.
O Murchu: Thank you.