Flame virus: son of Stuxnet uncovered in Middle East

New malware designed to spy on people, steal classified information and cause mass deletion of data has been uncovered by a number of anti-virus software vendors and security researchers.

Code-named "Flame" or "Flamer", the malware is currently undetectable by standard anti-virus and anti-malware programs and can be updated by its operators to expand its range of attack.

Hungary's Laboratory of Cryptography and System Security (CrySyS Lab) has produced a comprehensive technical report. The lab became involved after reports that a number of systems in Hungary had also been affected by a "mystery virus".

It concluded: "The results of our technical analysis supports the hypothesis that [the worm] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber-warfare activities. It is certainly the most sophisticated malware we [have] encountered. Arguably, it is the most complex malware ever found."

It can relay computer display contents, information about targeted systems, stored files, contact data and even audio conversations, according to Kaspersky Lab.

"The ‘Flame' cyber espionage worm came to the attention of our experts at Kaspersky Lab after the United Nation's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East," explained Alexander Gostev, head of the Global Research and Analysis Team at Kaspersky, in a posting to Securelist.com.

He continued: "Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

"Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame's command-and-control servers. Later, the operators can choose to upload further modules, which expand Flame's functionality," he added.

The malware appears to have first been uncovered by Iran's Computer Emergency Response Team Coordination Center (CertCC), which refers to it as Flamer. It claims to have conducted research into the malware for a number of months, and to have delivered the code to selected organisations and security software companies in early May.

The program is up to 20MB in size and researchers are still unsure about the full scope of its capabilities. Kaspersky claimed that the programme could have been released as long as five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt – even getting as far afield as Hungary.

"The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine," said Gostev.

Lua is a scripting language, which can easily be extended and interfaced with C code. Many parts of Flame have high-order logic written in Lua, with effective attack subroutines and libraries compiled from C++.

"Also, there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more. Running and debugging the malware is also not trivial as it's not a conventional executable application, but several DLL files that are loaded on system boot," said Gostev.

He concluded: "Overall, we can say Flame is one of the most complex threats ever discovered."

From an analysis of the code, CertCC claims that Flame is closely related to Stuxnet, which was uncovered in 2010, and which was responsible for a number of incidents of mass data loss in Iran. It primarily attacked Iran's nuclear programme, while a related programme, called Duqu, named after the Star Wars villain, stole data.

The new malware was deliberately designed to evade all 43 anti-virus software packages on the market, said CertCC. It listed its main features:

• Distribution via removable media;
• Distribution through local networks;
• Network sniffing, detecting network resources and collecting lists of vulnerable passwords;
• Scanning the disk of infected system looking for specific extensions and contents;
• Creating series of user's screen captures when some specific processes or windows are active;
• Using the infected system's attached microphone to record the environment sounds;
• Transferring saved data to control servers; 
• Using more than 10 domains as command-and-control servers;
• Establishment of secure connection with command-and-control servers through SSH and HTTPS protocols;
• Bypassing tens of known anti-virus, anti-malware and other security software;
• Capable of infecting Microsoft Windows XP, Vista and 7 operating systems;
• Infecting large-scale local networks.

• A spokesperson on behalf of Kaspersky Lab recently apologised to Computing for an incorrect story claiming that Apple had invited the company to work on improving its security. – The Editor.