Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Researchers discover major cyber-weapon targeting Middle-East

'Flame' malware shows infections in Iran and neighbours

Article comments

Security companies Kaspersky Lab and Symantec have discovered a major new family of sophisticated cyber-malware to rival Stuxnet and Duqu that appears to be striking targets in Iran and its Middle-Eastern neighbours.

Experts know that there is undoubtedly more cyber-malware out there than has yet been found and now they have a new name to add to a small but infamous list, Worm.Win32.Flame, or plain ‘Flame’ (or 'Flamer' or SkyWiper) for short.

What is Flame and what does it do? Kaspersky describes it as an “attack toolkit”, which means that it has enough components to do anything and everything it wants to, from opening a backdoor, deploying Trojans with various purposes and then spreading like a worm.

In the field, it can steal documents, record audio files, take screenshots when certain applications are run and even probe for nearby devices using Bluetooth, a highly unusual feature in any malware.

“Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on,” said Kaspersky Lab researcher, Alexander Gostev, underlining  Flame’s apparent data-stealing design.  

The program’s size and complexity is startling. In total, the company had discovered 20 different malware modules, as well as a clutch of databases, different encryption and compression mechanisms and scripting interfaces, ranking Flame as major feat of malware creation.

The company does not know how it spreads, but suspects a targeted attack using an unknown infection mechanism, possibly email, infected USB drives or a drive-by attack, possibly all of these.

Created no earlier than 2010 and still being modified up to this year, the obvious question is who created the monster and what was on its target list?

“There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown,” admitted Gostev.

Nevertheless, since discovering Flame while investigating an infection at the International Telecommunications Union (ITU), Kaspersky had uncovered a striking pattern of infection that echoed those suspected state-backed malware attacks.

Although the number of infections uncovered is still very small, the fact that Iran is at the top of the list with 189 infections connecting back to the malware’s command and control network, followed by smaller infections (in this order) in Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt, is odd  Mainstream security software would not have detected Flame, Kaspersky said.

The company said it had noticed some similarities to Stuxnet in the software vulnerabilities exploited, but a clear engineering connection is far from obvious. Regardless, Flame was aimed at a aider net of targets than the small scale of Duqu or extremely specific targets of Stuxnet.

Symantec said it had also noticed the malware, but was less certain of the targeting.

“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates.  The industry sectors or affiliations of individuals targeted are currently unclear,” the company said.

Analysis showed infections could stretch back as far as 2007, the company said.

On 28 May, Iran's national CERT has published its own alert regarding 'Flamer', noting that "at the time of writing, none of the 43 tested anti viruses [programs] could detect any of the malicious components."



Share:

More from Techworld

More relevant IT news

Comments

Claude Rochon said: Obviously a group with immense power to hire the top programmers of this world is most definitely NOT interested in trouble that cannot be controlled So you spy on everyone thats got a grudge the size of Israel or Iran etc and you see to it that if things get too close to nasty conflict involving huge loss to the global economyyou just wipe their FampG war intended programs from their computer banksCOOL no



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *