Flame Cyber Weapon Uncovered in Middle East

Researchers from Russia-based Kaspersky Labs, responding to a request from the UN's International Telecommunication Union, have uncovered a malware attack of unprecedented size and complexity. Aimed at targets in the Middle East, the worm is believed to have been operational since August 2010 or earlier. The worm, named Flame after the title of one of its modules, is a complex, highly sophisticated "toolkit" for computer espionage.

Flame's capabilities include taking screenshots of activity, keylogging, activating the infected computer's microphone to record nearby conversations, accessing and stealing data files, and logging email and instant messaging conversations. The BBC reported that Flame is also able to connect with nearby Bluetooth devices to steal additional data from them. Professor Alan Woodward of the University of Surrey described Flame as "an industrial vacuum cleaner for sensitive information."

Unlike more common malware, which typically performs a single function, Flame is a complex "toolkit" for digital spying. Once a computer is infected with the basic program, the malware's operator can add modules enabling Flame to perform additional surveillance tasks.

The worm spreads through networks or via USB devices, much like the Stuxnet malware believed to be its predecessor. Stuxnet disrupted software controlling Iranian uranium enrichment equipment in the spring of 2010. The Duqu worm, uncovered in the fall of 2011, was built to steal data rather than disrupt systems, but appeared to share design characteristics with Stuxnet.

Both Kaspersky Labs and Iran's CERTCC noted that Flame spreads in the same way and exploits the same Windows security weakness as Stuxnet and Duqu, and the targeted nature of the attacks is similar.

CERTCC notes that the three worms also share a common file-naming convention, which may refer to the "~d" filenames for which the Stuxnet/Duqu platform was dubbed "Tilded." Kaspersky researcher Roel Schouwenberg, whose team uncovered Flame, says Flame appears to be the work of the same hackers who produced Stuxnet and Duqu.

Based on the sophisticated, complex nature of the malware, researchers believe that Flame, like its relatives Stuxnet and Duqu, is the product of state-backed cyber warfare, although experts presently have no indication regarding which state originated the attacks. Kaspersky Labs' Vitaly Kamluk, in a statement to the BBC, said, "Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation-states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group."

Flame has infected over 600 targets, from personal computers to government systems. Schouwenberg says the attack appears to have primarily targeted academic institutions and businesses, mostly in Iran. Computers in Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt were also infected, as well as "a handful" of personal computers in North America.

Alexander Gostev of Kaspersky Labs told CNET that "One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase." Iran's CERTCC reported that Flame had evaded at least 43 antivirus programs, but that "now a removal tool is ready to be delivered."

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
