An extremely complex virus infecting computers in the Middle East called Flame was made public today. It’s being likened to the Stuxnet virus, which attacked Iranian nuclear systems in 2010.
“Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated,” said Alexander Gostev, Kaspersky Lab’s head of global research and analysis in a blog post. “It pretty much redefines the notion of cyberwar and cyberespionage.”
Kaspersky Lab, a Russian security research team, detailed the extensive virus today, saying it may have run unchecked since 2010 and continues to be developed today. Flame is a Trojan, but its point of entry is unknown for the time being. Once in, the virus unpacks 20 modules, each with a different tool. Types of tools include a screen capturing tool, which listens for when an “interesting” app is opened — such as an instant message box — and then takes a screen shot to record your conversation. Another turns on your computer’s microphone and records conversations happening in the room, within the mic’s audio reach. It can also watch and record what you type, sniff network traffic and more, sending all the information to the virus creator’s several command and control servers.
Flame is compared to Stuxnet because of its ties to the Middle East — some of the top countries it is targeting are Iran, Lebanon, Syria, and Israel — its complexity, and because researchers believe this is a state-sponsored attack. Researchers also note that Flame “is not designed to steal money from bank accounts,” and is too complex to be developed by hacktivists, who usually use less intensive attacks such as distributed denial of service attacks.
“It looks like the creators of Flame are simply looking for any kind of intelligence — e-mails, documents, messages, discussions inside sensitive locations, pretty much everything,” said Gostev in the blog post. “We have not seen any specific signs indicating a particular target such as the energy industry — making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.”
Stuxnet, which attacked Iran’s nuclear power infrastructure in 2010, was believed to be a government project, aimed at damaging infrastructure that may have been related to a nuclear weapons program. It does not look like Flame is attacking these systems, called SCADA systems, though it has the capacity to. The virus is also around 20 times larger than Stuxnet, installing at 20 megabytes, and was probably created by different parties.
Stuxnet and its recently discovered sister Duqu were built on the Tilded platform and are said to have three other siblings in the wild. Flame was not, however, built on this platform, according to Kaspersky, and is thus not a sibling.
Kaspersky Lab found the worm while digging around for more information about the Wiper virus — another piece of malware aimed at the Middle East. In this case, Wiper, also known as Viper, would infect a system and delete any number of files from it, wiping out anything that came in its path. At the time, Wiper infected Iran’s Oil Ministry, deleted whole hard drives within the ministry, and eventually caused it to shut down Internet access to all of its oil facilities and rigs.