Kaspersky Lab, the research arm of the Russian security products company, announced May 28 that it has discovered highly sophisticated malware that has been used for more than two years to spy on several countries, mostly in the Middle East.
Detected by researchers as Worm.Win32.Flame - or more simply, Flame - it's designed to carry out cyber espionage and steal valuable information, including, but not limited to, computer display contents, information about targeted systems, stored files, contact data and audio conversations, Kaspersky Lab says.
Kaspersky Lab's chief security expert, Alex Gostev, characterizes Flame as a super-cyberweapon such as Stuxnet and Duqu, and in his blog contends it's "one of the most complex threats ever discovered. It's big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."
Gostev identifies Flame's targets as: Iran, Israel and/or Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. Nearly half of the 382 Flame attacks identified by Gostev targeted facilities in Iran. Roger Thompson, chief emerging threats researcher for ICSA Labs, also identifies organizations in Hungary as being targeted.
From Kaspersky's initial analysis, Gostev says, the creators of Flame are looking for any kind of intelligence: e-mails, documents, messages, discussions inside sensitive locations, "pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry - making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."
There doesn't seem to be a visible pattern in the type of organization Flame targets, he says, adding that victims include individuals, government-related organizations and educational institutions.
Thompson, in his blog, says Flame portends ill for its victims. "One of the tenets of computer security is that if a skilled hacker is in your networks for long enough, you can never get them out again, because they know more about your network than you do, and these hackers were skilled... highly skilled," he says.
No one knows who's behind Flame, but because of its size and sophistication, a nation-state is suspected. "This code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives," according to a Symantec Security Response blog post. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry."
Flame is huge: It's about 20 times larger than Stuxnet, the malware that infected Iranian nuclear centrifuges in 2010. But Gostev says Flame's architecture is different from the framework behind Stuxnet and Duqu.
Flame weighs in at nearly 20 megabytes when fully deployed, making it extremely difficult to analyze. Why so big? Flame includes many different libraries, such as for compression and database manipulation, and it contains a virtual machine based on the Lua scripting language.
Its massive size makes Flame different from other malware tool kits. Gostev says modern malware generally is small and written in compact programming languages, which makes it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame. Flame also can record sound, which is fairly new, he says. Though other malware can record sound, he says, the key with Flame is its completeness: the ability to steal data in a wide variety of ways.
Flame can use Bluetooth, collecting information about discoverable devices near the infected machine. Depending on its configuration, Flame can also turn the infected machine into a beacon, making it discoverable via Bluetooth and encoding general information about the malware's status in the device information it advertises.
Gostev doesn't rule out that Flame's authors were involved with the creation of Stuxnet and Duqu. "One of the best pieces of advice in any kind of operation is not to put all your eggs in one basket," he says. "Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects - but based on a completely different philosophy. This way, if one of the research projects is discovered, the other one can continue unhindered."