May 29, 2012
Flame Virus ‘Most Sophisticated’ Cyber Weapon Ever Used
Researchers at Kaspersky Lab announced on Monday that they had uncovered the “most sophisticated cyber weapon” ever unleashed.
The malware, dubbed Flame, is a highly complex malicious program with vast espionage capabilities that are actively targeting sensitive information across the Middle East.
“Flame can easily be described as one of the most complex threats ever discovered. It´s big and incredibly sophisticated,” wrote Alexander Gostev, Kaspersky Lab´s head of global research and analysis, in a blog post describing the cyber weapon.
“It pretty much redefines the notion of cyberwar and cyberespionage.”
Flame came to the attention of Kaspersky Lab after the UN´s International Telecommunication Union sought the company´s help in finding an unknown piece of malware that was deleting sensitive information across the Middle East. While searching for that code, nicknamed Wiper, Kaspersky uncovered the new malware, codenamed Worm.Win32.Flame.
The researchers at Kaspersky describe Flame as a sophisticated attack toolkit -- a backdoor Trojan with worm-like features that allows the virus to replicate in a local network and on removable media when commanded by its master.
Once deployed, Flame begins “a complex set of operations,” and can sniff network traffic, gather data files, obtain screenshots, record audio conversations, remotely change settings on computers, copy instant messaging chats, intercept a keyboard and much more, Kaspersky said. This data is then available via Flame's command-and-control servers.
Operators can also choose to upload further modules that expand Flame´s functionality.
There are about 20 modules in total, Kaspersky said, and the purpose of most of them is still being explored.
Flame differs from other backdoor Trojans by its use of the LUA programming language, which is uncommon in malware. It is also remarkable for its large size -- about 100 times that of most malicious software. Modern malware is typically small, and written in compact programming languages that make it easy to conceal. In fact, the practice of concealment through large amounts of code is one of the specific new features in Flame, Kaspersky said.
The completeness of Flame´s audio data recording capabilities, which allow the virus to steal data in many different ways, is also fairly new, Kaspersky said.
Experts said the worm is 20 times more powerful than any other known cyber warfare program -- including the Stuxnet virus that attacked Iranian nuclear systems in 2010 -- and could only have been created by a state.
Kaspersky made the 20-gigabyte virus available to other researchers, saying it did not fully understand its scope.
Flame is the third cyber attack weapon targeting systems in the Middle East to be exposed in recent years. The Russian security firm said the program appeared to have been released five years ago, and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
"If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about," Kaspersky senior security researcher Roel Schouwenberg told The Telegraph's Damien McElroy and Christopher Williams.
Iran ordered an emergency review of its official computer systems upon news of Flame´s discovery.
Mr. Schouwenberg said there was evidence to suggest the malware was commissioned by the same nation or nations that were behind Stuxnet.
Iran's Computer Emergency Response Team said Flame was "a close relation" of Stuxnet, and that organizations had been given software to detect and remove the malware earlier this month.
Flame does not spread itself automatically, but only when hidden controllers permit it to do so. The malware´s unprecedented layers of software allow it to penetrate remote computer networks undetected.
The virus infects Microsoft Windows machines, has five encryption algorithms and sophisticated data storage formats.
Components of Flame enable those behind it, who use a network of rapidly-shifting "command and control" servers, to direct the virus to turn microphones into listening devices, steal documents and log keystrokes.
Once a machine is infected, additional modules can be added to the system allowing the machine to undertake specific tracking projects.
"It took us 6 months to analyze Stuxnet. [This] is 20 times more complicated,” said Eugene Kaspersky, the founder of Kaspersky Lab.
Researchers at Kaspersky Lab said they would share a full list of the files and traces with technology professionals in the coming weeks.