Meet ‘Flame’, the most complex and powerful malware to exist

Over the past few days, several security research firms, including Symantec, Kaspersky Lab and McAfee, have been hard at work analysing this powerful piece of malware.

The Iranian Computer Emergency Response Team posted an alert about the malicious code, which is designed to steal information from infected computers and exfiltrate it to a network of at least 10 command-and-control servers.

However, as Budapest University’s Laboratory of Cryptography and System Security (CrySyS) reported in its analysis of the malware, it “may have been active for as long as five to eight years”. CrySyS also reported that the malware’s footprint is massive, some 20 MB, in stark contrast to traditional malware, which attempts to keep as low a profile as possible to avoid detection. Furthermore, the malware also appears to send information to its command-and-control servers at regular intervals, which should have raised the concerns of a discerning network administrator.

But despite these apparent red flags, the Flame war didn’t heat up until just recently.

Stratsec manager for threat research and analysis Sergei Shevchenko said that it was possible that Flame had not been in the wild as long as initially reported. CrySyS’ five-to-eight-year estimate relies on anecdotal evidence submitted by the Webroot community in 2007.

“The samples in those firstly reported cases happened to share the same filenames as Flame’s own components, and could either have belonged to Flame family, or not … could have been detected under different threat names and by different products, or not,” Shevchenko said.

Kaspersky, McAfee and Symantec all believe that Flame has been around for two years, having found some of its components dating back to 2010. So the issue wasn’t necessarily that antivirus products weren’t detecting Flame, but rather that they didn’t know what they were looking at until now.

Yet, Pure Hacking CTO Ty Miller believed it was simply a case of malware authors being a step ahead of antivirus companies.

“Malware detection is a tricky industry, as the hackers and the antivirus companies are both constantly racing for better bypass and detection techniques, respectively. Unfortunately, antivirus companies are behind the eight ball since it is easier to bypass known security controls, than it is to detect unknown threats,” Miller said.

A well-trained network administrator could have been expected to detect the regular communications sent from the infected machines using intrusion detection/prevention systems (IDS/IPS). However, Miller notes there is a chicken-and-egg situation whereby IPS signatures are often only created once the malware is known. In addition, Flame’s creators appear to have taken precautionary measures against network forensics: Flame encrypts its traffic with SSL, the same protocol used to secure communications during online banking, so a network sensor sees only the fact of a connection, not its contents.

“The malicious network traffic is transferred over SSL and SSH tunnels, which are generally encrypted from end to end. This means that network-based intrusion prevention systems would not be able to detect rogue activities,” Miller said.

Shevchenko agreed, stating that even if the traffic seemed odd, it would be impossible to decrypt without the right key to determine what was going on.

“Without knowing what algorithm the traffic is encrypted with and what keys were used to encrypt it, no security solution would be able to classify such traffic as malicious, without increasing the risk of false positive detections that may potentially block legitimate traffic,” he said.

CrySyS’ report also revealed that more than 50 domain names and over 15 distinct IP addresses were cycled to reduce any suspicious trends in activity that might be picked up by a network administrator.

Flame’s larger file size didn’t raise any flags; in fact, Kaspersky Lab security researcher Alexander Gostev noted that its large size was precisely why it wasn’t discovered for so long: it simply didn’t fit the profile.

Shevchenko said that the larger size of the malware points either to careless malware authors who prefer high-level languages, or to professional programmers who prefer third-party components and libraries that have evolved over time into reliable, time-tested tools.

“This complacency might be explained with the fact the recently hired professional developers simply continued to work the way they used to … developing lower-level components might sound like a nightmare idea to them,” he said.

A top government official has hinted that Israel could be behind the Flame virus used against Iranian computers.

The virus has been stealing data from government systems across the Middle East for what may be as long as five years.

The “Flame” program is claimed to be around 20 times larger than any previously known cyberwarfare program.

Israeli Vice Prime Minister Moshe Ya’alon, in an interview with Army Radio, said that “whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them.”

He also noted, “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.”

Kaspersky Lab, one of the world’s biggest producers of anti-virus software, said its experts discovered the virus during an investigation prompted by the International Telecommunication Union (ITU).

Iran appears to have been the main target of the attack, and the announcement comes just a month after the Islamic republic said it halted the spread of a data-deleting virus targeting computer servers in its oil sector.

Israeli Prime Minister Benjamin Netanyahu, while not mentioning Flame, spoke of Israel’s cyber prowess at an international security conference at Tel Aviv University.

“In the cyber arena, the size of a country is not that important but there is great significance in its scientific ability and in that Israel is blessed,” he said.

Meanwhile, Iran says it has developed tools that can defend against the Flame virus.

Iran’s National Computer Emergency Response Team (Maher) said in a statement that the detection and clean-up tool was finished in early May and is now ready for distribution to organisations at risk of infection.