Flame on

Understanding arduously complex topics is a joy in itself. I’ve been, by professional necessity, recently working on 3D visualization technologies. Matrix rotations, vector mathematics, and linear algebra are old topics that I’ve encountered now and again, but to be pushing towards a deadline and peeling the onion layers back in support of a specific goal makes each improvement as triumphant as those early summer mornings at the tender age of fourteen when “Hello World” in machine code first ran on my Commodore 64.

Understanding is a joy.

The “Flame” malware infecting computers in the Middle East is another example. This collection of tools and technologies embeds itself in Microsoft Windows (XP and later) and records what the users of the machine do. On current understanding it is spyware, but a codebase this large may well carry functionality that has not yet been analyzed.

There is some remarkable research already on Flame, like this 64-page report from an academic laboratory in Budapest, Hungary that shows the detailed machinations at work in a modern spyware system. At heart are exploits of the Windows OS, of course, but the cleverness is magnified by some of the approaches that are applied: decrypting code resources at run time and injecting them into other running programs, several layered compression and encryption algorithms, local databases for the collected data, kernel patching to hide running processes, and even an embedded scripting language (Lua) so the tool set can be adapted to new targets without shipping new binaries.

This is l33t stuff, but it is still dependent on legacy features of the Windows OS. And don’t take that as suggesting that Linux or Mac OS X are somehow immune. They aren’t. The exploits were simply targeting the OSes relevant to the task. Could OS creators fix the problem? Yes, they could, by enforcing process isolation, least-privilege access control, and monitoring of what code is allowed to do, and they have started doing so, but legacy software that relies on the old permissive behaviour needs to be updated, too, or abandoned.
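The “kernel patching to hide running processes” trick mentioned above has a well-known counter that is worth seeing in code: enumerate processes two different ways and diff the results, because a hook that filters one enumeration path rarely filters every other path. The script below is an added example, not code from the original post, from Flame, or from the Budapest report. The sample views it compares offline are constructed for the demo; the live collectors (a `/proc` directory listing versus a `kill(pid, 0)` sweep of the whole PID space) are Linux-only and assume a standard `/proc` layout.

```python
"""Cross-view detection of hidden processes (added example, not from the post).

The idea: a rootkit that hides a process usually filters one enumeration
path, for instance the readdir() listing of /proc that `ps` relies on, but
seldom manages to filter every other path. Enumerating the same set of
objects two ways and diffing the results exposes what was hidden from one.
"""
import os
from typing import Dict, Optional, Set, Tuple

# Constructed sample views for the offline demo (PID -> process name).
# The "API view" is what a hooked listing reports; the "probe view" is what
# a lower-level enumeration found. PID 1337 is hidden from the first, and
# PID 2048 reports a different name on each path (constructed values).
SAMPLE_API_VIEW: Dict[int, str] = {1: "init", 412: "sshd", 999: "bash", 2048: "cron"}
SAMPLE_PROBE_VIEW: Dict[int, str] = {1: "init", 412: "sshd", 999: "bash",
                                     2048: "python3", 1337: "kworker"}


def hidden_pids(api_view: Dict[int, str], probe_view: Dict[int, str]) -> Set[int]:
    """PIDs the low-level probe found that the API view does not report."""
    return set(probe_view) - set(api_view)


def name_mismatches(api_view: Dict[int, str],
                    probe_view: Dict[int, str]) -> Dict[int, Tuple[str, str]]:
    """PIDs visible in both views whose reported names disagree.

    A name that differs between the two paths suggests the process image
    was replaced or overlaid after it started, or that one path is lying.
    """
    return {
        pid: (api_view[pid], probe_view[pid])
        for pid in set(api_view) & set(probe_view)
        if api_view[pid] != probe_view[pid]
    }


def compare_views(api_view: Dict[int, str], probe_view: Dict[int, str]) -> Dict[str, object]:
    """Bundle both checks into one report; 'hidden' is sorted for stable output."""
    return {
        "hidden": sorted(hidden_pids(api_view, probe_view)),
        "mismatched": name_mismatches(api_view, probe_view),
    }


# --- live collectors (Linux only; the offline demo above does not need them) ---

def _read_comm(pid: int) -> str:
    """Process name from /proc/<pid>/comm, or '?' if it cannot be read.

    A hook that hides a PID from readdir() often still lets open() through
    on the full path, which is exactly why the probe view asks this way.
    """
    try:
        with open(f"/proc/{pid}/comm", encoding="ascii", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def proc_listing_view() -> Dict[int, str]:
    """High-level view: whatever readdir() on /proc chooses to show us."""
    return {int(e): _read_comm(int(e)) for e in os.listdir("/proc") if e.isdigit()}


def pid_probe_view(max_pid: Optional[int] = None) -> Dict[int, str]:
    """Low-level view: ask the kernel about every PID directly with kill(pid, 0).

    Signal 0 delivers nothing; the call succeeds, or fails with EPERM, exactly
    when the PID exists. Sweeping the whole PID space sidesteps any filtering
    applied to directory listings. Scanning up to pid_max (often 4194304 on
    current kernels) takes a few seconds in Python.
    """
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # historical default when pid_max is unreadable
    view: Dict[int, str] = {}
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except PermissionError:
            pass  # exists, it just is not ours to signal
        except OSError:  # ESRCH (no such process) or anything else: skip
            continue
        view[pid] = _read_comm(pid)
    return view


if __name__ == "__main__":
    print("offline sample:", compare_views(SAMPLE_API_VIEW, SAMPLE_PROBE_VIEW))
    if os.path.isdir("/proc"):
        print("live:", compare_views(proc_listing_view(), pid_probe_view()))
```

Two caveats a practitioner would want. First, the two live views are not taken atomically, so a process that starts or exits between them shows up as a spurious difference; take several samples and only report PIDs that differ persistently. Second, this only catches a hook that filters one path and not the other. A rootkit that patches the kernel’s process list itself (rather than the readdir() path) hides from both views equally, and then the comparison has to be made against a view the kernel does not control, such as a memory image examined from outside the running system.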
