Flame/Flamer/Skywiper is making the media rounds. Coming next: a book tour. This time, the hullabaloo is much ado about nothing. It's a classic instance of the security industry using the latest threat to drum up business and the news media joining in the fun.
There's little new in Flame; in fact, it's pretty clumsy as malware goes. It puts a lot of everyday malware functionality into one place, so that makes it a little bit interesting, but not very.
Here's all that's worth talking about regarding Flame:
- Scripting interpreter that allows functionality to be updated easily using scripts
- Local database instance
- Bluetooth discovery
- Document parsing looking for information
- Desktop discovery focus
No zero days. No covert channels where information is hidden within other data streams or protocols. It doesn't use an obscure OS feature to do its dirty deeds. It can't sneak invisibly onto someone's computer. It contains nothing, individually, that makes computer security researchers shudder. To be fair, Flame hasn't been fully analyzed yet, so other features may still come out.
What it does is bundle lots of functionality, which bulks up the code. Coming in at 20MB, it's huge in the malware world, and huge isn't good. That makes it slower and more noticeable. There's a reason most malware -- even feature-rich and capable viruses -- likes to stay small. The size alone makes you think the leader in charge of the programming team hasn't been working in the malware world very long, if at all.
Even with its girth, Flame can be detected and removed like other malware. It has lots of hiding tricks, such as legitimate-seeming names, encryption, and so on, but these techniques have all been around for over 20 years.