Flame: Massive cyber-attack discovered, researchers say

Kaspersky blog has more info: <a href="http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers" rel="nofollow">http://www.securelist.com/en/blog/208193522/The_Flame_Questi...</a>

<i>The reason why Flame is [20MB] is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine.</i><p>SQLite is 500kB, Lua is 150kb, zlib is 80kB, libbz2 is 60kB. Together this comes to less than 1MB, not 20MB. You would need an awful lot of libraries like this to get anywhere close to 20MB.

More technical details (pdf) on: <a href="http://www.crysys.hu/skywiper/skywiper.pdf" rel="nofollow">http://www.crysys.hu/skywiper/skywiper.pdf</a><p>Although the naming differs it has been noted on several blogs that it is the same malware.

&#62;&#62; Our estimation of development ‘cost’ in LUA is over 3000 lines of code, which for an average developer should take about a month to create and debug.<p>They should do project estimation instead of Security Analysis.

"It’s easier to hide a small file than a larger module." my mind is blown. small files are not like small rocks. it's a computer!

Didn't Sub7 do all of that back in the 90s?

Man, I love hearing the nitty-gritty security details. More like this, please!

I assume we are going to see a complicated and interesting dissection a la Stuxnet? The Stuxnet TED talk [0] was really interesting, I ended up giving a talk to my department at work afterwards.<p>[0] - <a href="http://www.youtube.com/watch?v=CS01Hmjv1pQ" rel="nofollow">http://www.youtube.com/watch?v=CS01Hmjv1pQ</a>

&#62; "Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states."<p>Surely that can't be all-inclusive… is it?

I'd love to know more about the command and control servers. If any of them involve paid hosting that might help to out the guilty party.

I'm fed up by these technically lacking stories that don't give you the details but tell you that its "complex". While I realise that the BBC website is aimed towards the general public I think that it would be beneficial to include at least some technical details.

The Wired ThreatLevel article is a good alternative summary to the BBC article. <a href="http://www.wired.com/threatlevel/2012/05/flame/" rel="nofollow">http://www.wired.com/threatlevel/2012/05/flame/</a>

Those paragraphs are so short that it makes me angry.

Their conclusion that because it doesn't steal money it can't belong to cybercriminals is bogus and show how little they understand of the industry.<p>I've heard of researchers from one company dumpster diving the competition. A worm (as amateur as a 20mb one ) could easily be the work of those kind. But i think it gets less press than "evil country" "omg world cyber war" ...not that it may not be happening anyway.

We should just convert the comments to a poll. Who is behind this?