W32.Flamer has built-in modules to gather an enormous amount of information from compromised computers, well beyond that of any threat seen previously. These modules, referred to as 'apps' by the threat, are downloadable and updatable by the threat from an 'app store', as described in a previous blog. Flamer may initially collect some preliminary information and—only based on that information—proceeds to collect more data. For example, Flamer has the ability to extract metadata from documents first. Based on that metadata, if the attackers have further interest in the document, the attackers will then choose to exfiltrate the entire document.
Due to the large number of items Flamer has the ability to gather, documenting them is a daunting task. Flamer is not the typical infostealer one would see in a targeted attack—often referred to as Advanced persistent threat (APTs)—or one would see in financially motivated threats like banking Trojans. The sheer breadth of functionality and size sets it apart. Even describing it as an industrial vacuum cleaner does not do it justice. Some of the items Flamer can gather are outlined below to give you a sense of just how invasive Flamer is:
