Massive malware program infecting Iranian computers

Rick Moran
As the Wired story makes clear, this new malware program - Flame - is light years beyond the Stuxnet virus that wreaked havoc with Iranian computers a couple of years ago.

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed "Flame" by Kaspersky, the malicious code dwarfs Stuxnet in size - the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran's nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals - marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

Just what does Flame do?

Early analysis of Flame by the Lab indicates that it's designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption - some strong, some weak - and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language - an uncommon choice for malware.

Kaspersky Lab is calling it "one of the most complex threats ever discovered."

"It's pretty fantastic and incredible in complexity," said Alexander Gostev, chief security expert at Kaspersky Lab.

I don't imagine that if you're an Iranian nuclear scientist it's "fantastic," although for pure, geeky fun, you can't beat it.

Speaking of pure, geeky fun, how about listening in on some conversations?

Among Flame's many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer's near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers' command-and-control servers.

We are presently in an escalating arms race. With nation states now involved, the race will be to develop offensive and defensive programs while anticipating countermeasures to programs like Flame and Stuxnet before they can take out your power grid, or sabotage a nuclear power plant. Even just bringing down the internet for a few hours would cause massive problems in the US and other western nations, resulting in the potential loss of tens of billions of dollars in commerce.

Right now, we have the upper hand in cyber warfare. But that may change as rogue states develop capabilities to infiltrate and destroy our vital systems.



As the Wired story makes clear, this new malware program - Flame - is light years beyond the Stuxnet virus that wreaked havoc with Iranian computers a couple of years ago.

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed "Flame" by Kaspersky, the malicious code dwarfs Stuxnet in size - the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran's nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals - marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

Just what does Flame do?

Early analysis of Flame by the Lab indicates that it's designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption - some strong, some weak - and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language - an uncommon choice for malware.

Kaspersky Lab is calling it "one of the most complex threats ever discovered."

"It's pretty fantastic and incredible in complexity," said Alexander Gostev, chief security expert at Kaspersky Lab.

I don't imagine that if you're an Iranian nuclear scientist it's "fantastic," although for pure, geeky fun, you can't beat it.

Speaking of pure, geeky fun, how about listening in on some conversations?

Among Flame's many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer's near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers' command-and-control servers.

We are presently in an escalating arms race. With nation states now involved, the race will be to develop offensive and defensive programs while anticipating countermeasures to programs like Flame and Stuxnet before they can take out your power grid, or sabotage a nuclear power plant. Even just bringing down the internet for a few hours would cause massive problems in the US and other western nations, resulting in the potential loss of tens of billions of dollars in commerce.

Right now, we have the upper hand in cyber warfare. But that may change as rogue states develop capabilities to infiltrate and destroy our vital systems.