Experts at Kaspersky Lab have discovered an extremely complex spyware actively used as a cyber weapon in several countries. The malware is more complex than other cyber threats previously known. Called Flame (detected as Worm.Win32.Flame by Kaspersky Lab’s security products), the malicious program is designed for cyber espionage and can steal important information such as files, screenshots, contact data, network traffic, system information, and even audio conversations.
The malicious program was discovered by Kaspersky Lab while investigating another destructive malware called Wiper, which was reported by UN’s International Telecommunication Union (ITU) to be deleting computer data across the Middle East. According to preliminary analysis, Flame has been in existence since March 2010, just undetected by security software because of its high sophistication and narrowly targeted attacks.
Flame’s geography of attacks and its narrow selection of target computers through the use of specific software vulnerabilities are similar to those of the notorious cyberweapons Duqu and Stuxnet. This indicates that Flame belongs to the same category as these super-cyberweapons used in the Middle East for cyberwar and cyberespionage.
According to Kaspersky Lab CEO and co-founder Eugene Kaspersky, “It’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
Flame mainly steals information from infected machines and then sends it to a network of command-and-control servers across the globe. The fact that it can steal so many kinds of information makes it one of the most complex and complete attack toolkits ever known. The malware can replicate over a local network and removable media using several methods, including the printer vulnerability and USB infection technique previously used by Stuxnet.
Flame is made up of about 20 modules comprising around 20 megabytes of executable code. It is about 20 times larger than Stuxnet, and its operators can later upload new modules to expand the spyware’s functionality. Because of this, a large group of highly experienced security experts and reverse engineers is needed to analyze this cyber threat. Running and debugging Flame is also far more complicated than usual, since Flame consists of several DLL files loaded at system boot rather than a single ordinary executable program.
The goals of Flame’s creators are still unknown, but since the malware does not steal money from bank accounts and differs from the simple malware created by hacktivists, Kaspersky Lab suspects one or more nation states are behind it. The top 7 countries affected by Flame are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.