Much has been said and written in the last few days since the initial discovery of the so-called Flame (SkyWiper) toolkit.
Security researchers have split in two camps: those who consider the threat sophisticated and are almost in awe of its complexity, and those who are more dismissive about it.
The latter said that its modular functionality and its capabilities are nothing new, that it has managed to compromise only a limited number of computers when compared to malware created to steal money or enslave computers into botnets, and that now the malware has been detected and signatures for it made, it’s no longer a threat to anyone.
While all these things are true, the former still pointed out that the malware has been working undetected for two years at least, and likely even longer.
Also, the number of currently compromised computers might be small in the grand scheme of things, but it should be noted that Flame has the ability to wipe all traces of itself from the machines once the people behind it decide that they have gathered as much information as they needed.
Indeed, it seems that one of the reasons why the toolkit wasn’t detected sooner is because its spread was managed by its authors, who restricted the number of computers infected at any one time.
Those who downplay the threat are right in pointing out that the number of computers is almost negligible, but this is not a threat that should be compared to banking Trojans or phishing attempts, as their goals are not the same.
Flame poses practically no threat to regular computer users, but it can’t be considered harmless.
You can laugh all you want about its authors’ use of simple programming languages such as Lua and their failure to use obfuscation techniques that would make the researchers’ work harder and slower, but let’s not forget that the malware has served its purpose extremely well.
Now, the question about who is behind it is one that will likely not be easily answered – even though some unnamed sources have seemingly confirmed that the US might have created it, and the Israeli minister of strategic affairs initially failed to unequivocally deny his country’s involvement.
Even though Kaspersky Lab researchers have stated that the dissimilarities between Stuxnet, Duqu and Flame lead them to believe that the first two and the latter were not authored by the same team of programmers, they shared their belief that all of that malware was commissioned by the same “larger entity”.
And even if they wouldn’t say which entity that might be, previous discoveries about the working hours of Duqu’s operators and a few other hints seem to point to Israel. But, as always, things like this can hardly be considered solid proof.