Why I can't get inflamed over Flame

The latest malware doesn't deserve its celebrity status, but the media-vendor echo chamber will continue to raise the alarm

Flame/Flamer/Skywiper is making the media rounds. Coming next: a book tour. This time, the hullabaloo is much ado about nothing. It's a classic instance of the security industry using the latest threat to drum up business and the news media joining in the fun.

There's little new in Flame; in fact, it's pretty clumsy as malware goes. It puts a lot of everyday malware functionality into one place, so that makes it a little bit interesting, but not very.

[ Also on InfoWorld: Robert Lemos explores the program's roots in "Flamer starts a flame war over origin." | Learn how to secure your systems with InfoWorld's Web Browser Security Deep Dive Report and Security Central newsletter, both from InfoWorld. ]

Here's all that's worth talking about regarding Flame:

  • Scripting interpreter that allows functionality to be updated easily using scripts
  • Local database instance
  • Bluetooth discovery
  • Document parsing looking for information
  • Desktop discovery focus

No zero days. No backdoor techniques where information is hidden within other data streams or protocols. It doesn't use an obscure OS feature to do its dirty deeds. It can't sneak invisibly onto someone's computer. It contains nothing, individually, that makes computer security researchers shudder. To be fair, Flame hasn't been fully analyzed yet, so maybe other features will come out.

What it does is bundle lots of functionality, which bulks up the code. Coming in at 20MB, it's huge in the malware world, and huge isn't good. That makes it slower and more noticeable. There's a reason most malware -- even feature-rich and capable viruses -- likes to stay small. The size alone makes you think the leader in charge of the programming team hasn't been working in the malware world very long, if at all.

Even with its girth, Flame can be detected and removed like other malware. It has lots of hiding tricks, such as legitimate-seeming names, encryption, and so on, but these techniques have all been around for over 20 years.

Some media outlets say Flame is Stuxnet or Duqu, but for espionage use -- as if it were the first time malware had been used by a nation to spy on its citizens or on the citizens of other countries. But that isn't even close, nor were Stuxnet or Duqu, for that matter.

Many countries and their spy agencies have long had remote-control malware programs. Germany and France have been in the press on that score for years, but you must assume that every capable nation does it and has been doing it for a long time. I can remember public advertisements by the U.S. government for bids to build industrial/cyber warfare malware programs two decades ago. I have friends who've worked on such covert projects. It's nothing new.

If there is a central headline to be made, it's that one of the many general malware programs made by a nation or spying agency (likely originating in the United States because of the identified program strings) has been caught and identified in the wild. There are lots of these spying programs in the world, but it's a testament to how bad and bloated the malware code is that it has gained all this attention. It's been incredibly documented and all the antimalware companies now detect it. Certainly the people that paid for the program can't be happy. They should ask for a refund.

I just can't get worked up over Flame. It's a failure at every level.

This story, "Why I can't get inflamed over Flame," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)