Security researchers at Kaspersky Lab announced Monday that they had identified a complex, modular collection of malware that has been running undetected on hundreds of Windows computers since at least early 2010 (and possibly several years longer). Symantec and McAfee have since confirmed the find, and the work of dissecting it has begun, not least to figure out how it avoided detection for so long.
The Flame malware is being described in hyperbolic terms. One Hungarian lab (CrySyS) called it “the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.” The Kaspersky researchers said it was “the most sophisticated cyber weapon” they have ever seen: “It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.” A Symantec researcher calls it a “nuclear cyber weapon.”
Once a computer is infected, Flame can inventory network resources, steal specific files, detect (and attempt to evade) more than 100 security products, capture screenshots, record audio through any microphone attached to the machine, scan for nearby Bluetooth devices, and more. It reports back to command-and-control servers, which can tell it to go silent or become active and can push updates that add new espionage functions.
There is a more detailed description in Wired:
“Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.
“The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network. . . .
“While the malware awaits further instruction, the various modules in it might take screenshots and sniff the network. The screenshot module grabs desktop images every 15 seconds when a high-value communication application is being used, such as instant messaging or Outlook, and once every 60 seconds when other applications are being used.”
Flame is not aimed at a particular industry; its victims include individuals, private companies, educational institutions, and government organizations. It is carefully targeted nonetheless: it has been deployed only in one geographic region and only against precisely chosen systems.
The sophistication of the code has led most security researchers to conclude that Flame was written by a nation-state as an instrument of information warfare.
The word “terrorism” is loaded with emotional baggage but if an unfriendly government had launched Flame at the United States, is there any doubt that we would call it an unforgivable act of cyberterrorism?
It’s not aimed at the United States.
Flame is a cyberweapon that has been used for at least two years to attack Iran. Most of the infected computers are in Iran, but there are also compromised machines in Sudan, Syria, Lebanon, and Saudi Arabia.
As with the Stuxnet worm that did tremendous damage to Iran’s nuclear program in 2009-10, it is likely that Israel developed Flame and is controlling it, perhaps with the assistance of the United States. It is also possible that it is primarily or entirely controlled by the United States.
The takeaway: you can relax tonight. This malware is not on your computer. To the best of our knowledge, no other country has launched malware against the U.S. that is stealing administrative passwords from American utility companies, air traffic control, nuclear military contractors, or banks.
Nope, the only one out there is the one that our ally launched against a country ruled by people who are demonstrably crazy.
Which is more dangerous in today’s world: a war in the Middle East fought with nuclear bombs, or a cyberwar fought globally, in which Iran can rally support in the Mideast by claiming to act in self-defense?
In the worst case, we will never know which one is worse because we’ll get both.
The final, unanswerable question, something to muse about while you drink your morning coffee, courtesy of Bruce Sterling:
“Okay, given that this has been out in the wild for at least a couple of years now, what’s lurking out there that’s even bigger than ‘Flame’ and even less suspected and less understood?”