Who made Flame?

Flame, of course is the latest computer super bug discovered and publicized by Kaspersky Lab which also discovered the famous Stuxnet malware. Flame shares two features with the fabled Stuxnet virus, 1.) it appears to be targeted at certain middle east countries, most notably Iran, and 2.) it is of such sophistication and complexity as to imply that the source is a state actor. But unlike Stuxnet, which targeted a specific class of industrial computer, Flame is designed to spy on the target by capturing keystrokes, taking pictures and video with the target's camera, recording audio with the computer's built-in mike, and even using blutooth to collect info and sophisticated compression techniques to send the info back to its master at regular intervals.

I haven't visited Slashdot.org, where I go by the handle CatInTheHat, in a long while but in as much as I know it to be a good place to get the low down on subjects like this, I thought I have a look at the chatter over there. I found one analysis left by an Anonymous Coward so insightful that I thought it worth repeating here. He draws his conclusions based, in part, on the software licenses of the libraries used to build the rather bulky Flame malware. His comment is below the fold.

Earlier comments had already identified three commons sources of computer malware as hackivists, cybercriminals and intelligence agencies. Each of these groups has a need for different types of computer malware and creates it according to their purpose. Anonymous Coward on Monday May 28, @04:14PM (#40137021) added this:

Who made Flame?

Flame seems to use libraries with permissive licenses only. No hacktivists or cybercriminals would care about this issue, they would use whatever works best.

This leaves governments, they might. Why? Because if it ever becomes known who actually made it, that party would need to release all of the sources, had they used libraries under some copyleft license! Why? Well, whoever made Flame has already obviously distributed binaries, so suing for copyleft violation would happen in court, and it would be many people suing, especially the counterparty is the government. It would be a PR disaster, and to risk that on an election year? No way.

Also, Flame requires a considerable infrastructure to store and analyze the spied information. Which governments would be capable of pulling this off? All the big ones with a lot of money to spend: China, Russia, Great Britain, France, USA, Japan, ...

So, which government cares a lot about intellectual property? China? Nope. Russia? Nope. Great Britain - well, yeah. Personally, I don't think it was Great Britain. It would be enlightening to check the Flame Lua-parts (or other plaintext in the main Flame) for spelling of -ise vs. -ize. I bet there's -ize and not -ise.

It is said that Stuxnet and Flame share similar 0-day holes. The nation which developed Stuxnet is Israel and they have a strong history of military and intelligence collaboration with USA. Israel would not have had the capability or capacity to run two such parallel programs on its own.

So who HAS likely NOT made Flame? Drop the nations which are one way or another unlikely candidates, and only one name is really left.

So, who made Flame?
USA made Flame. This is what I think. What's your analysis?

Another commenter raised questions about Kaspersky Lab:

OK, the facts, as presented so far:

- Massive, extremely sophisticated spyware is detected on computers in a few Middle East countries; dubbed "Flame", it is suposed to be similar to the infamous (well, at least for some) Stuxnet malware.
- It is not stated that, the origin of the spyware is a North American government.
- The only company that makes a public announcement about this spyware is Kaspersky Lab, a Russian security company, although the spyware in question is supposed to have been "out there" since 2007.
- Kaspersky Lab (KL) made the public announcement, however they do not provide scanner/remover for Flame; in fact, a Flame search at the KL site returns no hits.

Are we to believe that other AV companies did not know about it? Why is it that no major AV software reports it? Why is it that no Flame remover is publicly available yet?

Someone else raised a scary question:

the important somewhat scary question: how does Kaspersky accumulate so much sensitive data?

Think about it. We're talking about personal computers in the middle east. We're talking about some kind of top-shelf spyware. So where does Kaspersky pull their data from?

While still another gave this link to a Flame removal tool.

If you don't know Slashdot.org, you should check it out.

Also checkout this other diary on the Flame malware published on the Daily Kos today.
Meet Stuxnet's Big Brother - It's called Flame