Leading global cybersecurity firms on Monday announced the detection of a sophisticated new type of malicious code on hundreds of computers throughout the Middle East, with particular concentration in Iran, where the code, nicknamed “Flame,” has been capturing sensitive user information such as screenshots, emails, documents and audio files using a computer’s microphone.
Iran’s own cyber security agency on Monday released a bulletin confirming that the trojan had been detected in the country, saying that the malware could be behind recent “incidents of mass data loss.” The agency said that it had created an antivirus removal tool, which it was ready to deliver to affected machines.
Although security researchers said that Flame’s authors could not be pinpointed with any certainty yet, Israel’s vice prime minister Moshe Ya’alon did not discourage speculation his country could have played a role.
“Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them,” Ya’alon was quoted referring to Flame, by Israeli newspaper The Jerusalem Post in an article published Tuesday.
Seizing on Ya’alon’s comments, Iranian news agency Fars on Tuesday accused Israel of being behind the worm.
Also known as “Flamer,” and “sKyWIper,” by other security firms that announced its existence, the Flame malware, which targets Windows-based machines, is notable for its sophistication and enormous file size — 20 megabytes, compared to 1.5 megabytes for the Stuxnet malware that reportedly damaged Iranian nuclear centrifuges back in 2010.
Flame, by contrast, appears to be designed mainly for espionage purposes rather than outright sabotage. The virus reportedly captures sensitive information through a variety of means — “sniffing” data sent across the Internet and internal networks, recording keystrokes, capturing screenshots while applications like messaging programs are running, even turning on a computer’s built-in microphone and recording audio of conversations, according to three cyber labs that detected it.
“We have not seen any specific signs indicating a particular target such as the energy industry — making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes,” wrote Alexander Gostev, the chief security expert of Kaspersky’s global research and analysis team, in a blog post detailing the virus on Monday.
“The primary functionality is to obtain information and data,” concurred American security firm Symantec in a report on the virus on Monday.
Besides being detected on 189 systems in Iran, Flame was also found on 98 in Israel and Palestine, 32 in Sudan, 30 in Syria, 18 in Lebanon, 10 in Saudi Arabia and 5 in Egypt, according to Kaspersky. Symantec also reported detections in “Austria, Russia, Hong Kong, and the United Arab Emirates.”
The malware is thought to be installed via a USB stick and is self-replicating, capable of transmitting copies of itself across networked computers.
Though Flame’s specific architecture doesn’t closely resemble that of Stuxnet nor the similar Duqu malware discovered in late 2011, security researchers believe that due to its complexity and its capabilities, it is likely to have been created with the assistance of a nation state and is the latest weapon in a burgeoning international cyber war.
As Eugene Kaspersky, CEO of Russian cybersecurity firm Kaspersky Labs said in a statement posted online Monday:
“The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
Kaspersky Labs first discovered the Flame malware in an investigation of another type of malware, but its experts were taken by surprise by the magnitude of Flame.
“Flame can easily be described as one of the most complex threats ever discovered,” Gostev added in his blog post. “It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.”
Hugarian cybersecurity outfit CrySyS Lab agreed, stating in a report released Monday that Flame was “certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”
CrySyS said that the first detection of the virus that would be come to identified as Flame, which it calls sKyWIper, was first detected in Europe in 2007 by another smaller American firm, Webroot.
Webroot, for its part, claims that the reports of Flame’s sophisticated are greatly exaggerated.
“Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it—essentially a 2007 era technology,” a Webroot spokesperson told PC World on Tuesday.
Image from Shutterstock