Weaponised viruses: Flame and Stuxnet
Posted: June 9, 2012
The Globe and Mail has an article today about evidence that the makers of Flame, which it describes as “the most complex pieces of malware ever designed,” are issuing instructions for it to self-destruct. The article follows on an astounding New York Times piece on June 1st, linking the Stuxnet virus directly to the United States and the Bush and Obama administrations.
Flame is really a piece of work: according to reports it has multiple modules, is remotely controlled, can make use of microphones and video to eavesdrop, and makes “sophisticated use of bluetooth technology to figure out how infected machines work together”:
By combining Bluetooth data with unique computer identifiers, Flame could begin to build a picture of a physical workspace, figuring out which users work together in an office.
“Now I can figure out the layout of an office,” Mr. Haley said. “Now I can do things that may have required someone sitting in a car watching, but now we can do it with software.”
I find myself strangely (and against my will) thrilled by all this. There seemed to be a kind of poetic justice in Stuxnet and, while I’m sure it is a very complex piece of work, it seemed mostly interesting as a kind of weaponized virus (i.e. a militarily enhanced version of something that already existed in the wild). If reports about Flame are true, however, this seems to be a different kind of beast entirely: its connection to your common or garden variety computer virus seems about as strong as that between a spy satellite and the common cold. We are clearly going to need a new name for these things.
I imagine we’ll start to see examples of this in civilian use quite shortly, though I imagine most people who want to spy on people will want to spy on people with whom they share physical access to the same computers (e.g. spouses, co-workers, and, as has tragically already happened at Rutgers, roommates). If nothing else, it will compensate writers of detective stories and thrillers for the loss of the “telephone trace” as a plot device: Stieg Larsson’s Lisbeth now only seems cutting edge, not completely fantastic.
One other lesson from all this: security-minded government institutions are going to have to stop relying on commercial operating systems: both Stuxnet and Flame spread through Windows updates. If I were running a major military or security operation, I think I’d be developing my own OS and keeping its details secret. If it makes sense to keep the name of your spy chief secret, it certainly doesn’t make sense to use store-bought software to run his or her computer. Unfortunately, however, as the problems the FBI have had with their computer systems suggest, agencies that do try to build their own systems often end up with really inferior software and endless woes.
Tough times to be a spy.