I've seen a couple of postings on the Internet about a possible link between Flame malware with a project from National Laboratory for Scientific Computing (LNCC) in Brazil. They released a tool called Flexible and Lightweight Active Measurement Environment (FLAME) in 2009. This version of FLAME is a platform for prototyping network tools, which uses Lua as an extension language. FLAME allowed for the capability to deploy and remotely control packet flooding agents through instant messenger, and customize them with Lua. Both Lua and the original FLAME platform derive from Brazil.
I reached out to the creators of the FLAME platform and they quickly replied with the information below. To make a long story short, the creators of the FLAME platform informed me that their software has nothing do to with the malware which has been dubbed Flame. They also informed me that their source code isn't published. This is all an amazing coincidence for sure. Along with NMAP, this also shows that Lua has been use to extend network based tools heavily over the last few years.
See the full email response below:
Mr. Marcus Carey,
FIRST AND FOREMOST: The FLAME platform described at:
has *NOTHING TO DO* with the recently uncovered FLAME malware.
Our FLAME platform is for the rapid prototyping of active measurement tools, as described in the platform website.
We'd also like to add that:
- The FLAME environment developed by our MARTIN group at LNCC is NOT malware. We're aware of at least two other packages with the same name, it's simple and easy to make an acronym from such an appealling word, therefore it's quite likely the are other packages, including the cited malware, share this same name.
- Our FLAME environment does use Lua, but for the purpose of sending ICMP, TCP and UDP measurement probes. Crucially, our environment does not allow specially-crafted payload to be conveyed in such probes. Also, by no means it has any kind of code that allows recording audio, taking screenshots and other announced characteristics of the cited malware.
- The top hit for "FLAME Lua" on Google points to the website of our FLAME platform. The platform website has been online since November 2009.
- the source code of our FLAME environment hasn't been publicly available. A specific request for it must be made by email, explaining the requester's intended purpose. So far, we havent received such requests (the first one was a couple of hours ago, motivated by the news about the cited malware). Therefore it's unlikely that the cited malware has been even based on our package.
- Our FLAME platform only compiles on Linux. The cited malware is for Windows-based systems.
- The Lua code and log snippets presented at https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
have never been part of our FLAME environment.
As a final remark, we emphasize that all this matter boils down to a unfortunate coincidence of a malware having the same name as the acronym we’ve been using for a couple of years. If you're still interested in our platform with the aim of prototyping active measurement tools, we'll be glad to provide you with it.
Hoping to have clarified the matter, our best wishes.
MARTIN Lab team.