Flame Cyber ‘Super-Weapon’ Caught Firing On Iran

Flame may be the most sophisticated cyber weapon ever seen. Thanks to Iran, fingers are already pointed at nation states

A worm considered to be more complex than Stuxnet has been spotted attacking Iranian infrastructure, and it “might be the most sophisticated cyber weapon yet unleashed”.

The Flame (also known as sKyWIper and Flamer) malware has already caused shockwaves across the security community, with Kaspersky Lab expert Alexander Gostev calling it “one of the most complex threats ever discovered.”

“It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage,” Gostev said in a blog post.

Kaspersky said it believed a nation state was running Flame, as it was not being used to steal funds, nor was it a typical tool for hacktivists such as Anonymous to use.

Iran is the main target, with 189 infections. The second-most infected area is Israel/Palestine, on 98. Machines in Hungary, Lebanon, Austria, Russia, Hong Kong and the United Arab Emirates have also been hit. It appears there are thousands of victims worldwide, including academic bodies, private businesses and specific individuals.

Flaming heck…

Flame has worm capabilities, as it is able to replicate on both local networks and on removable devices, if it is commanded to do so. It can also look at network traffic, take screenshots when “interesting” applications like instant messaging apps are running, record audio conversations from an infected PC’s microphone and do some keylogging. Further functionality can be added via plug-ins whenever the attackers want.

One of the most idiosyncratic things about Flame is the inclusion of a virtual machine written in Lua. This language can interact easily with C++, which is what much of Flame is written in. “Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame,” Gostev said.

It even has Bluetooth capabilities, as it is able to pick up on signals as well as turn the infected system’s Bluetooth on.

All information is relayed back to the attackers running the command and control servers over a covert SSL channel. These C&C servers are scattered across the world.

Fatty Flamer

Flame is a sizeable piece of malicious software too, weighing in at 20MB once all modules are deployed – about 20 times the size of Stuxnet, the worm which was seen attacking Iranian nuclear power plant infrastructure in 2010. This is due to its plethora of libraries, as well as its numerous methods of encryption, believed to amount to five algorithms.

“One of the most significant things is the size of the development, it is huge,” Kaspersky’s chief malware expert Vitaly Kamluk told TechWeekEurope. “It may take up to a year to do a complete analysis. The architecture of this thing is much more complicated than Stuxnet.

“In terms of the amount of functional code it is probably one of the biggest. Here we have 20MB of functional code so it can be triggered by the operator, which makes it significant.”

Despite the difference in weight between Flame and Stuxnet, as well as its presumed data-stealing sister Duqu, and the fact that the former was not created on the “Tilded” platform as the other two were, Kaspersky pointed to some similarities between them.

“There are … some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project – such as use of the ‘autorun.inf’ infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet’s authors,” Gostev added.

“On the other hand, we can’t exclude that the current variants of Flame were developed after the discovery of Stuxnet. It’s possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame.”

Flame also uses the printer vulnerability MS10-061 exploited by Stuxnet to spread across local networks. It is known to have infected fully-patched Windows 7 systems through the network, Kaspersky said.

Yet the end goals of the two malware powerhouses differ. “Whilst Stuxnet was a worm targeting industrial control systems, this thing is more similar to Duqu, which was produced by the developers of Stuxnet,” Kamluk said.

“It is used as a cyber espionage tool.”

A nation state to blame?

The malware was spotted by a variety of agencies and security firms. Kaspersky was called in to help after the UN’s International Telecommunication Union found an unknown piece of malware was deleting sensitive information across the Middle East.

The Iranian Computer Emergency Response Team (MAHER) said earlier today it had found Flame, saying it bore a “close relation” to Stuxnet, and that it was bypassing all 43 of the anti-virus solutions it had tested. It claimed a removal tool was ready to be delivered, whilst a detector had already been sent out to certain organisations.

The Budapest-based Laboratory of Cryptography and System Security (CrySyS Lab) has also been investigating Flame, which it calls sKyWIper, saying it was arguably “the most complex malware ever found.”

Whilst Kaspersky said it was likely Flame was created around 2010, CrySyS Lab said it had potentially been running for five years or more, as one of its drivers was spotted on 5 December 2007.

“The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” the CrySyS Lab report added.

Symantec linked Flame to a hit on the Iranian Oil Ministry, which saw a terminal reportedly taken offline after an attack in April. The security firm said certain file names associated with Flame were identical to those found in that incident.

When Stuxnet hit in 2010, it was considered the most sophisticated piece of malware ever seen, as it could exploit four zero-day vulnerabilities. It seems the security community now has a fresh piece of malware to rule them all.