Security experts announced on Monday that a highly sophisticated computer virus is infecting computers in Iran and other Middle East countries and may have been deployed at least five years ago to engage in state-sponsored cyber espionage, reports Reuters.
The experts say that the virus, named Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010. A related program, Duqu, named after the Star Wars villain, stole data.
According to The Telegraph, Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats.
Iran’s MAHER Center, which is part of Iran’s Communications Ministry, said Tuesday that the Flame virus “has caused substantial damage” and that “massive amounts of data have been lost,” according to Y Net News.
The center said that the virus’s level of complexity, accuracy and high functionality – noted mostly by the information corrupted – indicated that there is a “relation” to the Stuxnet virus.
Moscow-based Kaspersky Lab, the Russian cyber security software maker and one of the world’s largest data protection companies, was the first to discover the new malware.
“The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the United Nations’ International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East,” said Alexander Gostev, head of the Global Research and Analysis Team at Kaspersky, according to Computing.co.uk.
Gostev continued: “Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”
Cyber security experts claim that the discovery publicly demonstrates what experts privy to classified information have long known: that nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.
“This is one of many, many campaigns that happen all the time and never make it into the public domain,” said Alexander Klimburg, a cyber security expert at the Austrian Institute for International Affairs.
The Hungarian Laboratory of Cryptography and System Security (CrySyS Lab) has prepared a comprehensive technical report. The lab became involved in the case after reports that a number of systems in Hungary had also been affected by a ‘mystery virus’.
The report says: “The results of our technical analysis support the hypothesis that [the worm] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyberwarfare activities. It is certainly the most sophisticated malware we [have] encountered. Arguably, it is the most complex malware ever found.”
According to Kaspersky Lab, around 5,000 personal computers around the world have been infected by the virus, including in Israel and the Palestinian territories (98 computers), Sudan (32), Lebanon (18), Saudi Arabia (10) and Egypt (5).
Experts at Kaspersky also said the virus appeared to have been released five years ago.
“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about,” Roel Schouwenberg, a senior security researcher at Kaspersky, said.
“It’s huge and overly complex, which makes me think it’s a first-generation data gathering tool,” said Neil Fisher, vice president for global security solutions at Unisys Corp. “We are going to find more of these things over time.”
The program is up to 20 megabytes in size.
“The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine,” Gostev said.
Eugene Kaspersky, the head of Kaspersky Lab, noted that “it took us 6 months to analyse Stuxnet. [This] is 20 times more complicated.”