Security companies Kaspersky Lab and Symantec have discovered a major new family of sophisticated cyber-malware to rival Stuxnet and Duqu that appears to be striking targets in Iran and its Middle-Eastern neighbours.
Experts know that there is undoubtedly more cyber-malware out there than has yet been found, and now they have a new name to add to a small but infamous list: Worm.Win32.Flame, or plain ‘Flame’ (also ‘Flamer’ or ‘SkyWiper’) for short.
What is Flame and what does it do? Kaspersky describes it as an “attack toolkit”, meaning that it has enough components to do anything and everything its operators want, from opening a backdoor and deploying Trojans for various purposes to spreading like a worm.
In the field, it can steal documents, record audio files, take screenshots when certain applications are run and even probe for nearby devices using Bluetooth, a highly unusual feature in any malware.
“Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on,” said Kaspersky Lab researcher Alexander Gostev, underlining Flame’s apparent data-stealing design.
The program’s size and complexity are startling. In total, the company has discovered 20 different malware modules, as well as a clutch of databases, different encryption and compression mechanisms and scripting interfaces, ranking Flame as a major feat of malware creation.
The company does not know how it spreads, but suspects a targeted attack using an unknown infection mechanism, possibly email, infected USB drives or a drive-by attack, possibly all of these.
Flame was created no earlier than 2010 and was still being modified up to this year, so the obvious question is who created the monster and what was on its target list.
“There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown,” admitted Gostev.
Nevertheless, since discovering Flame while investigating an infection at the International Telecommunications Union (ITU), Kaspersky had uncovered a striking pattern of infection that echoed those suspected state-backed malware attacks.
Although the number of infections uncovered is still very small, the fact that Iran is at the top of the list with 189 infections connecting back to the malware’s command and control network, followed by smaller numbers of infections (in this order) in Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt, is odd.

Mainstream security software would not have detected Flame, Kaspersky said.
The company said it had noticed some similarities to Stuxnet in the software vulnerabilities exploited, but a clear engineering connection is far from obvious. Regardless, Flame was aimed at a wider net of targets than the small scale of Duqu or the extremely specific targets of Stuxnet.
Symantec said it had also noticed the malware, but was less certain of the targeting.
“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear,” the company said.
Analysis showed infections could stretch back as far as 2007, the company said.
On 28 May, Iran's national CERT published its own alert regarding 'Flamer', noting that "at the time of writing, none of the 43 tested anti viruses [programs] could detect any of the malicious components."