Posts Tagged Flame
WASHINGTON: The Flame computer virus which has been raging in the Middle East has strong links to Stuxnet, a malware program widely believed to have been developed by the United States or Israel, a security firm said Monday.
Kaspersky, the Russian computer security firm credited with discovering Flame last month, said its research shows the two programs share certain portions of code, suggesting some ties between two separate groups of programmers.
Kaspersky researcher Alexander Gostev said in a blog post that a first examination made it appear the two programs were unrelated.
“But it turns out we were wrong,” he wrote. “Our research unearthed some previously unknown facts that completely transform the current view of how Stuxnet was created and its link with Flame.”
Gostev said Flame, even though it was discovered just recently, appears to predate Stuxnet, which was created in 2009.
“By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence (we currently date its creation to no later than summer 2008) and already had modular structure,” he said.
“The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet.”
This, he said, points to the existence of “two independent developer teams… (each) developing its own platform since 2007-2008 at the latest.”
Kaspersky, one of the world’s biggest producers of anti-virus software, said the Flame virus was “about 20 times larger than Stuxnet,” the worm which was discovered in June 2010 and used against the Iranian nuclear program.
High concentrations of computers compromised by Flame were also found in Lebanon, the West Bank and Hungary. Additional infections have been reported in Austria, Russia, Hong Kong and the United Arab Emirates.
Compromised computers included many being used from home connections, according to security researchers who were looking into whether reports of infections in some places resulted from workers using laptops while traveling.
Stuxnet was designed to attack computer control systems made by German industrial giant Siemens and commonly used to manage water supplies, oil rigs, power plants and other critical infrastructure.
Most Stuxnet infections have been discovered in Iran, giving rise to speculation it was intended to sabotage nuclear facilities there. The worm was crafted to recognize the system it was to attack.
Some reports say US and Israeli intelligence services collaborated to develop the computer worm to sabotage Iran’s efforts to make a nuclear bomb.
Johannes Ullrich, a researcher at the Washington-based SANS Technology Institute, said the relationship between the two viruses remains unclear.
“Flame did initially appear very different, and I still think it wasn’t written by the same group or individual that wrote Stuxnet,” Ullrich told AFP.
“However, this doesn’t mean that the two groups didn’t coordinate or share code with each other. I do think this may have been the case with Stuxnet and Flame… the code could have been written by two different contractors who worked for the same government and as a result had access to each other’s resources.”
TALLINN: Quick advances in cyber war technologies could soon lead to a new generation of so-called “intelligent cyber weapons” which top global IT defence experts warn could be virtually unstoppable.
“Rapid developments in cyber (technology) might lead to intelligent cyber weapons that are hard to control and it’s practically impossible to use formal methods of verifying the safety of intelligent cyber weapons by their users,” Enn Tyugu, IT expert at Tallinn’s NATO Cyber Defence Centre said at its fourth annual conference Thursday.
He also warned that programmes developed to counter attacks by malware like Stuxnet can act independently and could possibly themselves spark conflicts.
“They are quite autonomous, and can operate independently in an unfriendly environment and might at some point become very difficult to control… that can lead to cyber conflict initiated by these agents themselves,” Tyugu said.
“Stuxnet and Flame have shown the side of cyber of which the average user does not think of but which will bring a lot of challenges to all experts who deal with critical infrastructure protection issues – IT experts, lawyers, policy makers,” Ilmar Tamm, Head of the NATO Cyber Defence Centre told reporters on Thursday.
“The number of cyber conflicts keeps rising and it is important to understand who the actors in these events are, how to classify these events and participants, and how to interpret all that,” Tamm said, noting Western leaders have been slow to become aware of even existing cyber threats.
Experts at the conference noted that both China and Russia have significantly upgraded their cyber-defence capabilities in recent years by creating new IT units.
“But the most powerful weapon today in cyber space is still the propaganda, the chance to use the Internet to spread your message,” Kenneth Geers, US cyber defence expert, told some 400 top IT gurus attending the meeting Thursday.
Keir Giles, head of Oxford University’s Conflict Studies Research Centre, noted that some Russian leaders seemed to “sincerely believe that the recent opposition rallies after the presidential elections in Russia were initiated by the US in cyberspace.”
There will be few among us whose computers weren’t infected by a virus. We wouldn’t know if any data was ever stolen by a stranger sitting, say, in Estonia. But what we do recollect is how our laptops wouldn’t start; and we had to get the operating system reinstalled; and in the process, lose photos and videos we hadn’t backed up.
The buzz in cyberspace now is about the biggest, the most powerful, and the most complex computer virus ever discovered – variously called Flame, Flamer or Skywiper. It has sent alarm bells ringing, and has reminded us, for the umpteenth time, how even the best-protected network can be broken into.
The virus hit headlines in March/April this year, when the Iranian oil ministry was affected. And a few weeks back, researchers found Flame similar to the Stuxnet virus that had disabled the centrifuges in an Iranian nuclear plant. What has stunned experts is the complexity of Flame, the size of which was 20MB, while Stuxnet was only about half a megabyte.
Calling it the dawn of a new era in cyberwarfare, Kaspersky Labs said the virus was “destined to leave an indelible mark on the cyber weapons’ landscape”. Symantec research shows Flamer has been operating for at least two years with the ability to steal documents, take screenshots of users’ desktops, spread via USB drives, disable security vendor products, and under certain conditions spread to other systems. One mode of operation is Bluetooth.
According to Shantanu Ghosh, VP and MD, India Product Operations, Symantec, the Bluetooth functionality of Flame is embedded in a module which, when triggered in accordance with the configuration set by the attacker, can result in two actions: one, scan for Bluetooth devices in range and, once detected, steal details like the device ID; and two, make the infected computer itself appear when any Bluetooth device scans the local area.
It is networks in mainly West Asia that have been affected, but Ghosh says infections have been reported from Hungary and Hong Kong. Are we in India under threat?
Kaspersky says that it recorded instances of attacks in India. Says Alex Gostev, chief security expert, Global Research and Analysis Team, Kaspersky Lab, “Only a few detections by Kaspersky Lab anti-virus were registered on computers with Indian IP addresses. But that can be any user, even a tourist from another country who was in India at that moment. The countries worst hit by Flame are Iran, Israel, Syria, Lebanon.”
Says Ghosh, “This threat is highly targeted and not likely to impact most users. In addition to particular organizations being targeted, many of the compromised computers appear to be personal computers being used from home Internet connections.”
However, Naresh Raval, a web developer, sounds a word of caution. “You never know. Security agencies have all said Flame is so complex that they haven’t fully understood how it works. The Internet is a vast global network, and it doesn’t take much for malware to spread and wreak havoc.”
Microsoft Corp warned that a bug in Windows allowed PCs across the Middle East to become infected with the Flame virus and released a software fix to fight the espionage tool that surfaced last week.
Security experts said they were both surprised and impressed by the approach that the attackers had used, which was to disguise Flame as a legitimate program built by Microsoft.
“I woke up to this news and I couldn’t believe it. I had to ask, ‘Am I reading this right?'” said Roel Schouwenberg of Russian security firm Kaspersky Lab, one of the researchers who helped discover the Flame virus.
Experts described the method as “elegant” and they believed it had likely been used to deliver other cyber weapons yet to be identified.
“It would be logical to assume that they would have used it somewhere else at the same time,” said Mikko Hypponen, chief research officer for security software maker F-Secure.
If other types of cyber weapons were indeed delivered to victim PCs using the same approach as Flame, then they will likely be exposed very quickly now that Microsoft has identified the problem, said Adam Meyers, director of intelligence for security firm CrowdStrike.
Cyber weapons that bear the fake Microsoft code will either stop working or lose some of their camouflage, said Ryan Smith, chief research scientist with security firm Accuvant.
A spokeswoman for Microsoft declined to comment on whether other viruses had exploited the same flaw in Windows or if the company’s security team was looking for similar bugs in the operating system.
Flame’s code included what is known as a digital certificate, which falsely identified it as a piece of software from Microsoft.
The creators of the virus obtained that certificate by manipulating a component of the Windows operating system known as terminal services licensing, or TS licensing, that is designed to authorize business customers to use advanced features of Windows.
A bug in TS licensing allowed the hackers to use it to create fake certificates that identified Flame as being from Microsoft, Mike Reavey, a senior director with Microsoft’s Security Response Center, said in a blog post.
Reavey said he feared that other hackers might be able to copy the technique to launch more widespread attacks with other types of viruses.
“We continue to investigate this issue and will take any appropriate actions to help protect customers,” Reavey said in the blog post.
News of the Flame virus, which surfaced a week ago, generated headlines around the world as researchers said that technical evidence suggests it was built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010. Researchers are still gathering information about the virus.
Microsoft’s warning is available at http://blogs.technet.com/b/msrc/
Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.
Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.
For the full low-down on this advanced threat, read on…
What exactly is Flame? A worm? A backdoor? What does it do?
Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
The initial point of entry of Flame is unknown – we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.
Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
How sophisticated is Flame?
First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine.
Lua is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in Lua – with effective attack subroutines and libraries compiled from C++.
The effective Lua code part is rather small compared to the overall code. Our estimation of development ‘cost’ in Lua is over 3000 lines of code, which for an average developer should take about a month to create and debug.
Also, there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.
Running and debugging the malware is also not trivial as it’s not a conventional executable application, but several DLL files that are loaded on system boot.
Overall, we can say Flame is one of the most complex threats ever discovered.
How is this different to or more sophisticated than any other backdoor Trojan? Does it do specific things that are new?
First of all, usage of Lua in malware is uncommon. The same goes for the rather large size of this attack toolkit. Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame.
The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame’s completeness – the ability to steal data in so many different ways.
Another curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the corresponding option is turned on in the configuration block, it collects information about discoverable devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.
What are the notable info-stealing features of Flame?
Although we are still analyzing the different modules, Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library.
Recorded data is sent to the C&C through a covert SSL channel, on a regular schedule. We are still analyzing this; more information will be available on our website soon.
The malware has the ability to regularly take screenshots; what’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server – just like the audio recordings.
We are still analyzing this component and will post more information when it becomes available.
When was Flame created?
The creators of Flame deliberately changed the creation dates of the files so that investigators could not establish the true time of creation. The files are dated 1992, 1994, 1995 and so on, but it’s clear that these are false dates.
We consider that in the main the Flame project was created no earlier than 2010, but it is still undergoing active development to date. Its creators are constantly introducing changes into different modules, while continuing to use the same architecture and file names. A number of modules were either created or changed in 2011 and 2012.
According to our own data, we see use of Flame in August 2010. What’s more, based on collateral data, we can be sure that Flame was out in the wild as early as February to March 2010. It’s possible that earlier versions existed before then, but we don’t have data to confirm this; however, the likelihood is extremely high.
Why is it called Flame? What is the origin of its name?
The Flame malware is a large attack toolkit made up of multiple modules. One of the main modules was named Flame – it’s the module responsible for attacking and infecting additional machines.
Is this a nation-state sponsored attack or is it being carried out by another group such as cyber criminals or hacktivists?
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from the rather simple hack tools and malware used by hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states in the Middle East) and also the complexity of the threat leave no doubt about it being a nation state that sponsored the research that went into it.
Who is responsible?
There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown.
Why are they doing it?
To systematically collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and so on. Here’s a map of the top 7 affected countries:
Is Flame targeted at specific organizations, with the goal of collecting specific information that could be used for future attacks? What type of data and information are the attackers looking for?
From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence – e-mails, documents, messages, discussions inside sensitive locations, pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry – making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.
Of course, like we have seen in the past, such highly flexible malware can be used to deploy specific attack modules, which can target SCADA devices, ICS, critical infrastructure and so on.
What industries or organizations is Flame targeting? Are they industrial control facilities/PLC/SCADA? Who are the targets and how many?
There doesn’t seem to be any visible pattern regarding the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions. Of course, collecting information on the victims is difficult because of strict personal data collection policies designed to protect the identity of our users.
Based on your analysis, is this just one variation of Flame and there are others?
Based on the intelligence received from the Kaspersky Security Network, we are seeing multiple versions of the malware being in the wild – with different sizes and content. Of course, assuming the malware has been in development for a couple of years, it is expected that many different versions will be seen in the wild.
Additionally, Flame consists of many different plug-ins – up to 20 – which have different specific roles. A specific infection with Flame might have a set of seven plugins, while another infection might have 15. It all depends on the kind of information that is sought from the victim, and how long the system was infected with Flame.
Is the main C&C server still active? Is there more than one primary C&C server? What happens when an infected machine contacts the C&C server?
Several C&C servers exist, scattered around the world. We have counted about a dozen different C&C domains, run on several different servers. There could also be other related domains, which could possibly bring the total to around 80 different domains being used by the malware to contact the C&C. Because of this, it is really difficult to track the usage and deployment of C&C servers.
Was this made by the Duqu/Stuxnet group? Does it share similar source code or have other things in common?
In size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage features. Flame has no major similarities with Stuxnet/Duqu.
For instance, when Duqu was discovered, it was evident to any competent researcher that it was created by the same people who created Stuxnet on the “Tilded” platform.
Flame appears to be a project that ran in parallel with Stuxnet/Duqu, not using the Tilded platform. There are however some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project – such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet’s authors.
On the other hand, we can’t exclude that the current variants of Flame were developed after the discovery of Stuxnet. It’s possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame.
In summary, Flame and Stuxnet/Duqu were probably developed by two separate groups. We would position Flame as a project running parallel to Stuxnet and Duqu.
You say this was active since March 2010. That is close to the time when Stuxnet was discovered. Was this being used in tandem with Stuxnet? It is interesting they both exploit the printer-spooler vulnerability.
One of the best pieces of advice in any kind of operation is not to put all your eggs in one basket. Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects – but based on a completely different philosophy. This way, if one of the research projects is discovered, the other one can continue unhindered.
Hence, we believe Flame to be a parallel project, created as a fallback in case some other project is discovered.
In your analysis of Duqu you mentioned “cousins” of Duqu, or other forms of malware that could exist. Is this one of them?
Definitely not. The “cousins” of Duqu were based on the Tilded platform, also used for Stuxnet. Flame does not use the Tilded platform.
This sounds like an info-stealing tool, similar to Duqu. Do you see this as part of an intelligence-gathering operation to make a bigger cyber-sabotage weapon, similar to Stuxnet?
The intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were less than 50 targets worldwide for Duqu – all of them, super-high profile.
Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide.
The targets are also of a much wider scope, including academia, private companies, specific individuals and so on.
According to our observations, the operators of Flame artificially keep the number of infected systems at a roughly constant level. This can be compared with the sequential processing of fields: they infect several dozen machines, then analyze the data from the victims, uninstall Flame from the systems that aren’t interesting, and leave the most important ones in place. After that they start a new series of infections.
What is Wiper and does it have any relation to Flame? How is it destructive and was it located in the same countries?
The Wiper malware, which was reported on by several media outlets, remains unknown. While Flame was discovered during the investigation of a number of Wiper attacks, there is no information currently that ties Flame to the Wiper attacks. Of course, given the complexity of Flame, a data wiping plugin could easily be deployed at any time; however, we haven’t seen any evidence of this so far.
Additionally, systems which have been affected by the Wiper malware are completely unrecoverable – the extent of damage is so high that absolutely nothing remains that can be used to trace the attack.
There is information about Wiper incidents only in Iran. Flame was found by us in different countries of the region, not only Iran.
Functionality/Feature Questions about the Flame Malware
What are the ways it infects computers? USB Sticks? Was it exploiting vulnerabilities other than the print-spooler to bypass detection? Any 0-Days?
Flame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”. We haven’t seen them in action yet, maybe due to the fact that Flame appears to be disabled in the configuration data. Nevertheless, the ability to infect USB sticks exists in the code, and it’s using two methods:
Autorun Infector: the “Autorun.inf” method from early Stuxnet, using the “shell32.dll” “trick”. What’s key here is that the specific method was used only in Stuxnet and was not found in any other malware since.
Euphoria: spread on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when this directory is opened. Our samples contained the names of the files but did not contain the LNK itself.
In addition to these, Flame has the ability to replicate through local networks. It does so using the following:
The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI.
Remote job tasks.
When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
At the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day.
Can it self-replicate like Stuxnet, or is it done in a more controlled form of spreading, similar to Duqu?
The replication part appears to be operator commanded, like Duqu, and also controlled with the bot configuration file. Most infection routines have counters of executed attacks and are limited to a specific number of allowed attacks.
Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?
The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.
Flame’s modules together account for over 20MB. Much of this is libraries designed to handle SSL traffic, SSH connections, sniffing, attack, interception of communications and so on. Consider this: it took us several months to analyze the 500K of code in Stuxnet. It will probably take a year to fully understand the 20MB of code in Flame.
Does Flame have a built-in Time-of-Death like Duqu or Stuxnet?
There are many different timers built into Flame. They monitor the success of connections to the C&C, the frequency of certain data stealing operations, the number of successful attacks and so on. Although there is no suicide timer in the malware, the controllers have the ability to send a specific malware removal module (named “browse32”), which completely uninstalls the malware from a system, removing every single trace of its presence.
What about JPEGs or screen-shots? Is it stealing those too?
The malware has the ability to regularly take screenshots. What’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server, just like the audio recordings.
We are still analyzing this component and will post more information when it becomes available.
We will share a full list of the files and traces for technical people in a series of blog posts on Securelist during the next weeks.
What should I do if I find an infection and am willing to contribute to your research by providing malware samples?
We would greatly appreciate it if you could contact us by e-mail at the previously created mailbox for Stuxnet/Duqu research: firstname.lastname@example.org.
Update 1 (28-May-2012):
According to our analysis, the Flame malware is the same as “SkyWiper”, described by the CrySyS Lab and by Iran Maher CERT group where it is called “Flamer”.
Jerusalem, May 29: An unprecedented “cyber espionage worm” considered the most sophisticated spyware virus yet may have been unleashed by Israel to hit Iran and other Middle Eastern countries, with the possible aim of crippling Tehran’s nuclear ambitions.
Security experts discovered the new data-stealing virus dubbed Flame which they say has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign.
Russia-based Internet security company Kaspersky Lab, which uncovered the virus ‘Flame’, said it has attacked computers in Iran and elsewhere in the Middle East and may have been designed to collect and delete sensitive information.
Israeli Vice Prime Minister Moshe Ya’alon’s comments justifying such a measure triggered speculation that Flame may have originated from his country.
“Anyone who sees the Iranian threat as a significant threat – it’s reasonable [to assume] that he will take various steps, including these, to harm it,” Ya’alon told the Army Radio in an interview today.
In Tehran, Iranian authorities admitted that the malicious software dubbed “Flame” has attacked its computers and systems and ordered an urgent inspection of all cyber systems in the country.
Iran’s MAHER Center, which is part of the Islamic Republic’s Communication ministry, said that the Flame virus “has caused substantial damage” and that “massive amounts of data have been lost,” Ynetnews reported.
But Iran’s telecommunications ministry also claimed that it had developed software to clean this malware. Kaspersky, one of the world’s biggest producers of anti-virus software, said the bug had infected computers in Iran, the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
Flame is “actively being used as a cyber weapon attacking entities in several countries,” Kaspersky said in a statement, describing its purpose as “cyber espionage”.
“The complexity and functionality of the newly discovered malicious programme exceed those of all other cyber menaces known to date,” the statement said.
The Internet security company also said that Flame contained a specific element that was used in the Stuxnet worm and which had not been seen in any other malware since.
On its blog, Kaspersky called Flame a “sophisticated attack toolkit,” adding that it was much more complex than Duqu, the vehicle used to deliver Stuxnet.
The Stuxnet bug, discovered in June 2010, targeted primarily Iranian computers.
Iran admitted that the worm had damaged centrifuges operating at a uranium enrichment facility at Natanz.
A United Nations agency charged with helping member nations secure their national infrastructures plans to issue a stern warning about the risk of the Flame virus that was recently discovered in Iran and other parts of the Middle East.
“This is the most serious warning we have ever put out,” said Marco Obiso, cyber security coordinator for the U.N.’s International Telecommunications Union.
The confidential warning will tell member nations that the Flame virus is a dangerous espionage tool that could potentially be used to attack critical infrastructure, he said in an interview.
BOSTON: Security experts have discovered a new data-stealing virus dubbed Flame they say has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign.
It is the most complex piece of malicious software discovered to date, said Kaspersky Lab security senior researcher Roel Schouwenberg, whose company discovered the virus. The results of the Lab’s work were made available on Monday.
Schouwenberg said he did not know who built Flame. If the Lab’s analysis is correct, Flame could be the third major cyber weapon uncovered after the Stuxnet virus that attacked Iran’s nuclear program in 2010, and its data-stealing cousin Duqu, named after the Star Wars villain.
The discovery by one of the world’s largest makers of anti-virus software will likely fuel speculation that nations have already secretly deployed other cyber weapons.
“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about,” Schouwenberg said in an interview.
The Moscow-based company is controlled by Russian malware researcher Eugene Kaspersky, and gained notoriety in cyber weapons research after solving several mysteries surrounding Stuxnet and Duqu.
Researchers at Kaspersky said they were only starting to understand how Flame works because it is so complex. The full significance will not be known until other cyber security firms obtain samples of Flame.
The Lab’s research shows the largest number of infected machines are in Iran, followed by the Israel/Palestine region, then Sudan and Syria.
The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail. It has about 100 times as much code as a typical virus designed to steal financial information, Schouwenberg said.
Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats.
He said there was evidence to suggest the code was commissioned by the same nation or nations that were behind Stuxnet and Duqu, which were built on a common platform.
Both Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and employ a similar way of spreading.
That means the teams that built Stuxnet and Duqu might have had access to the same technology as the team that built Flame, he said.
Schouwenberg said he believed the attack was highly targeted, aimed mainly at businesses and academic institutions.
He estimated that no more than 5,000 personal computers around the world have been infected, including a handful in North America.
Kaspersky Lab discovered Flame while investigating reports that a virus dubbed Wiper was attacking computers in Iran.
The International Telecommunications Union, a UN agency that promotes research and cooperation on telecommunications technology, asked Kaspersky Lab to investigate those reports.
Schouwenberg said that his team discovered Flame, but failed to turn up anything that resembled Wiper.