RATs of Unusual Sizes

The Flame malware has been referred to by some as “the most sophisticated malware to date,” and while it is quite an impressive piece of espionage spyware, it poses little threat to the common user. In this blog post I am going to give a quick summary of the technical capabilities of Flame, for anyone who hasn’t already read all the blogs and news articles that have been circulating around the net for the past week. Then I will give a quick comparison of its capabilities to those of Stuxnet and Duqu and explain why they are nothing alike. After that I will tell you about the real threats: similar malware circulating around the net right now that you might not know much about. I will finish with some words of comfort and tell you why you shouldn’t be afraid to surf the net.

Flame Technical Summary

As stated previously, Flame is an impressive malware kit; it is very powerful and pretty unique in the way that it performs some of its operations.  First of all, some back-story:

Flame was found by Kaspersky while they were helping the International Telecommunication Union (ITU) track down malware that was wiping out the file systems of computers in Iran. They didn’t find the exact malware they were looking for, but they found Flame instead. In the same general time frame, CrySyS labs was asked to join an international effort to analyze an as-yet-unknown piece of malware, which they called sKyWIper. Not long after, Kaspersky and CrySyS realized they were working on the same file. Kaspersky researchers discovered that Flame was present not only in Iran but also in the surrounding countries. The malware was found on systems belonging to academic institutions, private companies and specific individuals. Kaspersky believes that Flame might have been in use since March of 2010, which was the same time that Stuxnet was first discovered.

Here is a quick summary of its base functionality:

  • Steal documents
  • Record audio with the internal microphone
  • Take screenshots (can be configured to take them only when certain applications are running)
  • Keylogging
  • Report back to a Command and Control server and take new commands
  • Can attach up to 20 modules to itself in order to obtain extra functionality

It can also spread to other computers by exploiting USB or printer vulnerabilities; this functionality is only activated when the operator tells it to do so.

One of the unique characteristics of Flame is the fact that it creates an internal SQLite database to store all of the data it steals, then sends that data back to the C&C. This is not normal: most malware will just send a series of values either embedded in a URL or as encrypted text. CrySyS labs mentioned something in their report on sKyWIper about this functionality that I thought was funny: “It appears unusual to use databases to store attack related information inside the malware, but apparently this is the case…” This method also means that Flame needs to carry the proper code to create and modify this database, which brings us to the next unique thing: it’s really big! Flame is at least 20x larger than Stuxnet, and the general consensus is that the entire malware kit is about 20 MB. There are two main reasons why Flame has such a large size:

  1. It carries around libraries for SQLite, SSL, Zlib and a variety of other encryption and compression libraries.
  2. The size not only makes it look less suspicious but also allows Flame to hide the true malicious code deep within legitimate code, making it very difficult to analyze.

The third unique thing about Flame is that it uses Lua as a scripting language. Lua is often used with video game engines and other applications; Lua itself is not malicious. There is other malware out there that uses unusual scripting languages to perform its operations, but never before has Lua specifically been used in malware. The use of Lua also makes the malware bigger because, along with everything else, it has to bring a Lua interpreter with it so that it can execute the code!
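The bundled SQLite, Lua, zlib and SSL libraries described in the last two paragraphs leave recognizable banner strings in a binary, which is one cheap triage signal a defender can check for. The following is an added example, not code from the original post or from any of the analyses it cites; the marker strings and the 5 MB size threshold are assumptions chosen for illustration, and the sample blob is constructed.

```python
import re
from dataclasses import dataclass, field

# Banner/version strings the named libraries are known to embed when statically
# linked. They are heuristics (assumed here), not Flame-specific indicators.
LIBRARY_MARKERS = {
    "sqlite": [rb"SQLite format 3\x00", rb"sqlite3_[a-z_]{3,}"],
    "lua":    [rb"\$LuaVersion: Lua 5\.\d", rb"attempt to call a nil value"],
    "zlib":   [rb"(?:inflate|deflate) 1\.2\.\d+ Copyright"],
    "ssl":    [rb"OpenSSL \d+\.\d+\.\d+"],
}
# Sample size above which a standalone dropper is worth a second look (assumed).
SIZE_THRESHOLD = 5 * 1024 * 1024

@dataclass
class TriageResult:
    size: int
    libraries: dict = field(default_factory=dict)  # library name -> first hit
    oversized: bool = False

    @property
    def score(self) -> int:
        # One point per embedded library plus one for unusual size.
        return len(self.libraries) + (1 if self.oversized else 0)

def triage(blob: bytes) -> TriageResult:
    """Report which bundled runtimes a binary appears to carry."""
    result = TriageResult(size=len(blob), oversized=len(blob) > SIZE_THRESHOLD)
    for name, patterns in LIBRARY_MARKERS.items():
        for pat in patterns:
            m = re.search(pat, blob)
            if m:
                result.libraries[name] = m.group(0).decode("latin-1")
                break
    return result

def constructed_sample() -> bytes:
    """Constructed stand-in for a sample: filler bytes with library banners inside."""
    filler = b"\x00" * 4096
    return (filler + b"SQLite format 3\x00" + filler + b"sqlite3_open_v2"
            + filler + b"$LuaVersion: Lua 5.1.4 $" + filler
            + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler" + filler)

if __name__ == "__main__":
    r = triage(constructed_sample())
    print(f"size={r.size} oversized={r.oversized} score={r.score}")
    for lib, hit in r.libraries.items():
        print(f"  {lib}: {hit!r}")
```

A high score only says the file carries several embedded runtimes; legitimate software bundles them too, so treat the result as a prioritization hint, not a verdict.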

Finally, according to the report done by CrySyS labs, Flame contains one of the most comprehensive lists of antivirus/Anti-Malware countermeasures ever seen, making it possible for it to circumvent detection attempts and keep itself hidden. CrySyS felt that it was a bad idea to post this list in their report for fear that it might do more harm than good in the wrong hands.

My Opinion:

The fact that Flame is considered very dangerous, and its ability to stay undetected until now, is, in my humble opinion, because it does everything wrong. It is as if the author(s) threw out the book on malware writing and decided to start from scratch, doing everything in very odd and unintuitive ways. Apparently it worked. The unique characteristics mentioned above are proof of that; most of the malware that antivirus/Anti-Malware organizations, security researchers and malware hobbyists see uses new and interesting methods of stealth to hide its presence and its intentions. Stealth is only present in the case of Flame when you consider how neatly organized the control and movement of individual samples is: operators keep a set number of compromised hosts and move on only when they are done collecting information. The bottom line is that with its unusual design and operation, Flame could have remained hidden for another two or more years if it hadn’t been discovered when it was. That being said, the question I am raising today is, “How much more Flame-type malware is out there, malware that doesn’t follow the standard template, and who have they already infected?”

Comparison to Stuxnet / Duqu & Contrast

Two years ago, Stuxnet was the big name in scary spy malware; last year it was Duqu; this year we have Flame. There are some similarities between all three of these so-called “super-malware”, for instance:

  • They are all fond of Iran and the Middle East
  • It is suspected that they were all funded /developed by governments (In fact at the time of writing this post, an article from The Register has been released which “reveals” the sponsor behind Stuxnet: http://www.theregister.co.uk/2012/06/01/stuxnet_joint_us_israeli_op/)
  • They all did a pretty good job at hiding until someone found them
  • They are all “Modular” malware, which means that you can switch out their accessories.
  • They all had Keyloggers
  • They all used DLL modules as resources
  • …and that’s about it.

Everything else between Flame and Stuxnet/Duqu is totally different. They have different functionality, were developed for different purposes (apparently) and were even developed with completely different methodologies.  Here is a list of differences (we will refer to the Stuxnet/Duqu combo as StuQu):

  • StuQu used valid digital signatures, Flame does not
  • StuQu used 0-day Exploits; Flame uses the same ones Stuxnet used two years ago.
  • StuQu had deactivation timers, Flame commits suicide when asked
  • StuQu was developed to infect SCADA and/or PLC systems; Flame takes a more general approach and infects normal systems.
  • StuQu stole specific data; Flame steals everything it can.

These are just a few of the many technical differences between Stuxnet/Duqu and Flame.  The point is that while very similar in their overall purpose (intelligence gathering / messing up stuff), their method of spreading and their targets, nothing else is similar in the least.  Actually, Kaspersky believes that Flame might have been built as a backup intelligence gathering tool, just in case the more important ones were discovered.

The Real Threat

It’s a stretch, but you might refer to Flame as a RAT or Remote Administration Tool / Trojan. The purpose of a RAT is to have complete (or at least mostly complete) control over another system, usually from the safety of a command and control server.  In my opinion, there are three types of RATs currently being used in the world:

The White Hat RAT – A legitimate network administrator needs to quickly perform updates or solve problems for numerous users, so he has a legitimate reason to install a remote administration tool on all of the systems under his supervision. This would allow him to make changes and/or catch people going against the company’s computer use policy for all of the users without leaving his desk.

The Black Hat RAT – Usually developed by hackers or malware authors, these tools allow an attacker to do the same thing that the White Hat RAT would be able to do but on a system that didn’t belong to them.  Usually these types of RATs include very well hidden botnet-like malware that constantly communicates with its command and control server and features numerous cyber-espionage functions, and some joke ones (like making the screen appear to be melting).

The G-Hat RAT – The government-sponsored, James Bond style Remote Administration Trojan, built completely for the purpose of spying on other governments. Flame would fit into this category, since it was most likely government sponsored, but also because it is usually better at hiding itself than the Black Hat RAT and is used to conduct some serious, long-term espionage. With the exception of the few that have been in the news over the past years, you will never know or hear about these types of RATs because you aren’t supposed to; they are not sold to hacker groups or cyber-crime organizations and they rarely get caught.

Remote administration trojans are everywhere, and the ones you need to worry about the most are the Black Hat ones. They are usually sold on underground markets to sketchy corporations or just people who want to spy on and steal from other people. They are very powerful and easy to get hold of; here is a quick list of some of the terrifying things that these tools can do:

  • Create/Delete/Move/Steal files, including more malware or pictures/documents you don’t want anyone else to see.
  • They can turn on your microphone and listen to “You” Radio!
  • They can turn on your Webcam and see what you are wearing
  • They can take lots of screenshots
  • They can even see a real-time view of what you are doing on your system
  • They can steal your passwords/credit card numbers/contact information, etc. with keyloggers
  • They can make you think you are going insane by making your computer lock up or your CD tray open on its own or, as mentioned before, making your screen melt!

They can execute arbitrary commands on your system and pretty much have full control to do whatever they want to do. I am now going to briefly discuss a few of the big names in the RAT business today: Poison Ivy, BlackShades and DarkComet.

Poison Ivy:

One of the more notorious remote administration trojans is known as Poison Ivy. It was developed by Chinese hackers and gained a large amount of visibility in 2006. It is commonly used in targeted attacks and spread via exploits or phishing attacks to perform cyber-espionage on specific individuals or organizations. It can be obtained commercially or for free, depending on the version and/or support required. It gives the attacker the ability to do pretty much everything listed above and even allows individual malicious payloads to be created for specific attack purposes using the trojan’s toolkit.

Poison Ivy has not disappeared, and even though it is widely known about, it is still being used by hackers for various forms of espionage. Here is an article describing one such incident, an attempt to steal chemical defense secrets:


…here is another about Poison Ivy being found in Israel, early May of this year:


BlackShades NET:

BlackShades NET is another RAT, although it considers itself to be a Remote Administration “Tool” rather than a trojan. It was developed by AirDemon.net and was written in Visual Basic 6. It can do all the things mentioned above, including allowing the attacker to have a real-time chat with the victim. There are multiple YouTube videos showing this functionality off by messing with unwilling victims who don’t realize what is going on. Blackshades is much more user friendly than Poison Ivy and even offers some product support!

Blackshades can be used for legitimate purposes and I think it was the intent of AirDemon.net to convey that on their website, even though they have plenty of hacker tools and malware for “research” purposes. However, more often than not Blackshades is used for attacks against unwilling users by various methods of infection.

DarkComet:

DarkComet was developed by DarkCoderSc of France. It is a completely free remote administration tool (trojan) that allows the administrator (attacker) to do things like stream a user’s (victim’s) webcam, watch the desktop, log keystrokes, recover stored passwords from browsers and instant messaging applications, use the system to perform a DDoS attack and, finally, entirely control the system. The website for DarkComet does a great job of making the functionality of this trojan sound completely legit, and in many cases it can be used to serve good. However, the researchers here at Malwarebytes often see this tool being used to infect unwilling users and take over their systems, steal information, etc.

You are safe

The intention of this post was not to send you or anyone else into a panic about what evil lurks on the internet, but to inform you of what is out there and what you can do to protect yourself.  Most antivirus/Anti-Malware products will detect a RAT and be able to remove it quickly.

Malwarebytes Anti-Malware does a great job of this as we are constantly updating our definitions to catch whatever is out there.  Regardless of whether you use our product or not, you should always be as protected as you can possibly be while using your computer because the kind of threats out there will only continue to get worse and the end goal of any computer security organization is to make your desktop a safe place to work, play and live.


Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.