Analysis suggests Flame malware designed by 'world-class' experts

The malware, which stole data from targeted PCs in Iran, Israel and Sudan and has been pegged as a state-sponsored attack, is believed to be the first of its kind to be deployed in a real-world environment.

"We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack," cryptographers Marc Stevens and B.M.M. de Weger have written. "The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications," they said.

Flame takes advantage of a Windows Update mechanism to assign what falsely appear to be Microsoft-issued certificates to pieces of malicious code.

"It's not a garden-variety collision attack," a Johns Hopkins professor specialising in cryptography told Ars Technica. "There were mathematicians doing new science to make Flame work."

New research by security firm Symantec has found that the malware features a self-destruction command "designed to completely remove Flame from the compromised computer," confirming just how complex the attack is believed to be.