Security experts said on Monday a highly sophisticated computer virus is infecting computers in Iran and other Middle East countries and may have been deployed at least five years ago to engage in state-sponsored cyber espionage.
Evidence suggest that the virus, dubbed Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010, according to Kaspersky Lab, the Russian cyber security software maker that took credit for discovering the infections.
Kaspersky researchers said they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.
Iran has accused the United States and Israel of deploying Stuxnet.
Cyber security experts said the discovery publicly demonstrates what experts privy to classified information have long known: that nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.
The UK Telegraph added:
A leading Israeli politician hinted at the country’s involvement in the virus. Israel rejects Tehran’s claims that its nuclear programme is designed to produce energy, not bombs. It considers Iran to be the greatest threat to its survival.
“Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it,” Vice Premier Moshe Yaalon told Army Radio. “Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us.”
Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.
Flame does contain a module named Viper, adding more confusion to the Wiper/Viper issue, but this component is used to transfer stolen data from infected machines to command-and-control servers. News reports out of Iran indicated the Wiper/Viper program that infected the oil ministry was designed to delete large swaths of data from infected systems.
Kaspersky Lab reported:
The malware was discovered by Kaspersky Lab’s experts during an investigation prompted by the International Telecommunication Union (ITU). The malicious program, detected as Worm.Win32.Flame by Kaspersky Lab’s security products, is designed to carry out cyber espionage. It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and even audio conversations.
The independent research was initiated by ITU and Kaspersky Lab after a series of incidents with another, still unknown, destructive malware program – codenamed Wiper – which deleted data on a number of computers in the Western Asia region. This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in coordination with ITU, came across a new type of malware, now known as Flame. Preliminary findings indicate that this malware has been “in the wild” for more than two years – since March 2010. Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it.
Although the features of Flame differ compared with those of previous notable cyber weapons such as Duqu and Stuxnet, the geography of attacks, use of specific software vulnerabilities, and the fact that only selected computers are being targeted all indicate that Flame belongs to the same category of super-cyberweapons.
The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet.
Kaspersky also has more information in a Flame FAQ:
First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine.
Lua is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in Lua – with effective attack subroutines and libraries compiled from C++.
The effective Lua code part is rather small compared to the overall code. Our estimation of development ‘cost’ in Lua is over 3000 lines of code, which for an average developer should take about a month to create and debug.
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.
There doesn’t seem to be any visible pattern re the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions.
According to our analysis, the Flame malware is the same as “SkyWiper”, described by the CrySyS Lab and by Iran Maher CERT group where it is called “Flamer”.
June 11, 2012
A chunk of code used in both Stuxnet and Flame shows that the developers of the two pieces of malware shared their work, researchers at Kaspersky Lab said today.
There were two independent developer teams, with Flame development preceding Stuxnet and each team developing its own code platform since 2007-2008 at the latest, the researchers said. Both projects were state-sponsored, experts believe.
In addition, a previously undiscovered elevation-of-privilege exploit is in Stuxnet.A, an early variant of the malware that experts believe was developed to sabotage Iran’s nuclear program, Roel Schouwenberg, senior researcher at Kaspersky Lab, said in a Web conference with reporters.