Flame, a complex spyware, is spying on PCs in Iran
A highly sophisticated and massive piece of malware called “Flame” was recently identified infecting systems in Iran and a number of other countries, and is believed to be part of an international espionage operation (another chapter in the cyberwar).
The malware was discovered by the Russian company Kaspersky Lab and appears to be a tool built to collect data from Iran, Lebanon, Syria, Sudan and other countries in the Middle East and North Africa. It is believed to have been created about two years ago.
According to preliminary investigations, Flame is designed to spy on the users of infected computers and steal data, including documents, recorded conversations and keystroke sequences. It also opens a backdoor on infected systems that lets the attackers modify the tool and add new features.
When fully installed, Flame weighs in at about 20 MB and contains multiple libraries, SQLite3 databases and multiple layers of encryption, plus some 20 plug-ins that can be swapped in and out to give the attackers different capabilities. Notably, it embeds a virtual machine for the Lua programming language, something rarely seen in malware. According to Kaspersky Lab, it is “one of the most complex threats ever discovered.”
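As an added example (not code from the original article, and not Kaspersky Lab's tooling), the following Python script shows how an analyst can check an unknown binary for the kind of embedded components described above: SQLite 3 database headers and Lua bytecode or runtime strings. The magic values are the documented SQLite 3 and Lua 5.x formats; the sample bytes are constructed inline for illustration and are not Flame.

```python
"""
Static triage for embedded SQLite 3 databases and Lua components in an unknown
sample. Added example: this is not code from the article or from Kaspersky Lab.
"""
import re

# Documented format magics (standard, not Flame-specific):
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database
LUA_BYTECODE_MAGIC = b"\x1bLua"         # header of a precompiled Lua 5.x chunk

# Plain-text strings a statically linked Lua interpreter usually leaves in a binary
LUA_RUNTIME_STRINGS = (b"Lua 5.", b"attempt to call a nil value", b"LUA_PATH")


def find_embedded_components(data: bytes) -> dict:
    """Return offsets of SQLite headers and Lua bytecode, plus Lua runtime strings found."""
    return {
        "sqlite_db_offsets": [m.start() for m in re.finditer(re.escape(SQLITE_MAGIC), data)],
        "lua_bytecode_offsets": [m.start() for m in re.finditer(re.escape(LUA_BYTECODE_MAGIC), data)],
        "lua_runtime_strings": sorted(s.decode() for s in LUA_RUNTIME_STRINGS if s in data),
    }


def sqlite_page_size(data: bytes, offset: int) -> int:
    """Page size from the SQLite header: big-endian 16-bit at header offset 16 (1 means 65536)."""
    raw = int.from_bytes(data[offset + 16:offset + 18], "big")
    return 65536 if raw == 1 else raw


def lua_bytecode_version(data: bytes, offset: int) -> str:
    """Lua version byte that follows the bytecode magic (0x51 -> '5.1', 0x52 -> '5.2', ...)."""
    v = data[offset + len(LUA_BYTECODE_MAGIC)]
    return f"{v >> 4}.{v & 0x0F}"


# Constructed sample (NOT a real Flame component): a fake PE stub, a Lua 5.1 bytecode
# header, one Lua runtime string, and an embedded SQLite 3 header with 4096-byte pages.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"
    + b"attempt to call a nil value\x00"
    + b"\x00" * 16
    + SQLITE_MAGIC + (4096).to_bytes(2, "big") + b"\x00" * 100
)


def triage_report(data: bytes) -> list:
    """Human-readable triage lines for a sample."""
    found = find_embedded_components(data)
    lines = []
    for off in found["sqlite_db_offsets"]:
        lines.append(f"SQLite 3 database header at 0x{off:x}, page size {sqlite_page_size(data, off)}")
    for off in found["lua_bytecode_offsets"]:
        lines.append(f"Lua bytecode chunk at 0x{off:x}, Lua {lua_bytecode_version(data, off)}")
    if found["lua_runtime_strings"]:
        lines.append("Lua runtime strings: " + ", ".join(found["lua_runtime_strings"]))
    return lines


if __name__ == "__main__":
    import sys
    # Pass a file path to scan a real sample; with no argument the constructed blob is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_SAMPLE
    for line in triage_report(blob):
        print(line)
```

A hit on either magic is only a lead, not a verdict: plenty of legitimate software ships SQLite and Lua. The point is that a 20 MB sample with database files and a scripting runtime inside is worth carving apart rather than treating as a single opaque executable.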
According to the company, Flame is much larger than Stuxnet, the worm that sabotaged the operation of nuclear facilities in Iran in 2009 and 2010. Although Flame has a different purpose and appears to have been written by different programmers than Stuxnet, the geographic area and its behaviour are indicators that a nation state is behind Flame. “It is not designed to steal money from bank accounts,” nor does it match the characteristics of the tools used by hacktivists. So this would be another cyberwar tool commissioned by a state.
Kaspersky says Flame could have been commissioned by the same people who commissioned Stuxnet and perhaps Duqu, but as a side project handed to a different team of developers.
“Stuxnet and Duqu were part of a chain of attacks that raised concerns about cyber warfare around the world. The Flame malware appears to be another phase in this war, and it is important to understand that a cyberweapon like this can easily be used against any country,” said Eugene Kaspersky, co-founder and CEO of the company.
Flame seems to have begun operating in March 2010 and stayed off the radar of antivirus companies until now. Kaspersky discovered the malware about two weeks ago, when the International Telecommunication Union (the UN telecommunications agency) asked the company to look into an April report stating that computers of Iran's Ministry of Petroleum and the National Iranian Oil Company had been infected by malware that was stealing information and wiping it from the systems. That malware was then called “Wiper”.
When Kaspersky's researchers began their review, they found there was more than Wiper: they identified components belonging to Flame and concluded that this was a separate and deeper infection than the one they had been asked to examine.
One of Flame's modules, for example, turns on the microphone of an infected computer to record conversations taking place near the machine or over Skype. The recordings are stored and sent at regular intervals to command-and-control servers. There is also a module that uses Bluetooth to discover nearby devices and steal names and contact numbers from them, and a module that takes screenshots of the machine and sends them to the attackers' command-and-control server. Interestingly, Flame takes screenshots more frequently when the user is running “interesting” applications such as instant messaging clients.
Although Flame does not appear to have been developed by the same people who created Stuxnet and Duqu, there are some indications that its creators had access to technology used in the Stuxnet project, such as its infection methods, and that it exploits the same vulnerabilities Stuxnet used. However, it cannot be ruled out that Flame was developed after Stuxnet and that its authors simply learned from the information published about Stuxnet.
– Meet ‘Flame’, the massive spy malware infiltrating Iranian computers (Wired)
– The Flame: Questions and Answers (Securelist)