Security researchers at Kaspersky Labs have discovered a new variety of malware that was used to spy on Middle Eastern countries. The attack has been highly targeted, infecting about 5000 computers across Iran, Israel, Sudan, Saudi Arabia and other unnamed countries. The malware, called Flame, affects Windows machines; once a machine is infected, it can record audio conversations, take screenshots, sniff network traffic, intercept keyboard input, and more.
Functionally, it can be said that Flame is similar to Stuxnet or Duqu but differs from them in several aspects. It is much more complex than either Stuxnet or Duqu. For those unaware, Stuxnet was used to target Uranium enrichment plants in Iran, while Duqu was used to steal sensitive information. While both Stuxnet and Duqu were single pieces of malware, Flame is a collection of modules consisting of a Trojan, a backdoor and a worm. While the payload size of Duqu was 300KB and that of Stuxnet was 500KB, Flame is a whopping 20MB in size. “The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine,” explained Alexander Gostev of Kaspersky Labs in a blog post.
Flame has the ability to add new modules later to improve its functionality, making it even more dangerous. Considering the sheer complexity and the limited targeting of Middle Eastern countries, one can only assume that this might be the work of a nation state. According to Hungary’s Laboratory of Cryptography and System Security,
The results of our technical analysis support the hypothesis that [the worm] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities. It is certainly the most sophisticated malware we [have] encountered. Arguably, it is the most complex malware ever found.
Flame still remains undetected by the 43 major anti-virus vendors.
Iran’s Computer Emergency Response Team is investigating the virus and has posted some features as shown below.
· Distribution via removable medias[sic]
· Distribution through local networks
· Network sniffing, detecting network resources and collecting lists of vulnerable passwords
· Scanning the disk of infected system looking for specific extensions and contents
· Creating series of user’s screen captures when some specific processes or windows are active
· Using the infected system’s attached microphone to record the environment sounds
· Transferring saved data to control servers
· Using more than 10 domains as C&C servers
· Establishment of secure connection with C&C servers through SSH and HTTPS protocols
· Bypassing tens of known antiviruses, anti-malware and other security software
· Capable of infecting Windows XP, Vista and 7 operating systems
· Infecting large scale local networks
You can read a detailed Q&A about the Flame malware, published by Kaspersky here.