The Flame cyber virus has been in the news since it was discovered in Iran and other parts of the Middle East by Kaspersky Lab in late May this year. The Russia-based computer security firm, originally invited by the UN’s International Telecommunications Union to investigate malicious software that deleted information, instead detected Flame, a much broader and more harmful programme that gathered intelligence. Although it is a very large programme by malware standards, it is almost completely undetectable because it is made up of many components, each of which performs actions that are not unusual for computers. Kaspersky Lab found that the virus could record keystrokes, capture screenshots and record conversations using microphones built into computers.
A Relative of the Infamous Stuxnet Virus
Development of the Flame platform may have started as early as 2006, and an earlier analysis by Kaspersky reported that the code for Flame, which is likely to be related to Stuxnet and other viruses, was written in 2009. Stuxnet was designed to attack computer control systems made by Siemens, commonly used to manage critical infrastructure such as water supplies and power plants. During an investigation recently conducted by anti-virus software maker Symantec Corp and the computer security firm, further evidence was discovered about how powerful and far-reaching the virus really is. Flame is managed using a piece of software named Newsforyou, which handles four pieces of malicious software: Flame itself and three other programs code-named SP, SPE and IP, which neither firm was able to obtain. They are said to be of an “unknown nature”, and one of them is currently operating “in the wild”.
It is Difficult To Measure The Damage Inflicted
Both firms, which conducted their analyses independently, explained that it was difficult to quantify the amount of data stolen by Flame even after detailed analysis of its Command and Control (C&C) servers, because its creators had been very skilful at covering their tracks. The virus was designed specifically to hide its source, deleting “unnecessary logging events” and entries in its database on a regular basis. The in-depth analysis of the C&C servers also revealed that they were disguised to look like a common Content Management System, to conceal their true purpose from hosting companies or investigators. However, Kaspersky Lab and Symantec Corp found that more than 5 gigabytes of data was uploaded to a particular server in a week, from over 5,000 infected machines, showing that Flame was cyber espionage on a massive scale.
Who Is Behind It?
As Flame has been targeting mostly Iran and a few other Middle Eastern countries, the virus is widely believed to be part of a US-Israeli cooperation to compromise Iran’s nuclear strategy. Both Kaspersky and Symantec declined to comment on this hypothesis, saying only that it was difficult to ascertain who was behind Flame. Most malware is designed to steal information that will bring monetary rewards, but that is clearly not Flame’s raison d’être, so common cyber criminals are unlikely to be responsible. On the other hand, the sophistication of the code and the scale of the attacks suggest that it involved a team with considerable financial resources and may be state-led.
This was a guest blog post by Imex Technical Services who provide IT Support in Bristol.