A new kind of malware that is more sophisticated and damaging than the notorious Stuxnet and Duqu worms is likely being deployed by a nation state, say the cybersecurity experts who uncovered it.
"Duqu and Stuxnet raised the stakes in the cyberbattles being fought in the Middle East, but now we've found what might be the most sophisticated cyberweapon yet unleashed," wrote analyst Alexander Gostev in a blog post on the website of Kaspersky Lab Monday.
Moscow-based Kaspersky Lab, Iran's Maher Computer Emergency Response Team Co-ordination Centre and the cryptography and system security lab at the Budapest University of Technology and Economics in Hungary have all independently uncovered the Trojan computer virus while investigating wide-scale cyberattacks.
The worm, which has variously been dubbed Flame, Flamer and sKyWIper based on filenames that appear in the decrypted malware code, is able to mine a vast array of data from infected machines by:
- Surveying network traffic.
- Taking screenshots, including in instant messaging programs.
- Recording audio conversations via a computer's internal microphone.
- Collecting passwords.
- Intercepting keyboard actions
- Gleaning information from devices connected to the infected machine by Bluetooth.
- Scanning hard drives for specific file extensions or content.
- Transmitting data to servers that control the malware
"Flame is one of the most complex threats ever discovered," Gostev wrote.
'It's a complete attack tool kit designed for general cyber-espionage purposes.'— Alexander Gostev, analyst, Kaspersky Lab
It far surpasses Stuxnet and Duqu, two worms behind cyberattacks against technology related to Iran's nuclear energy program, both in size — the program used to deploy it is 20 MB versus about 500 KB — and in its capability to steal information in so many different ways.
"It's a complete attack tool kit designed for general cyber-espionage purposes," writes Gostev.
Like other viruses, it is able to replicate across a local network and removable devices such as USB sticks and portable drives and is controlled through a series of command-and-control servers around the world, which can also remotely remove every trace of the worm.
Just how it initially enters a computer is not yet known.
Kaspersky Lab discovered the worm, which it found under the codename Worm.Win32.Flame, while carrying out work for the International Telecommunication Union, a United Nations agency, which had asked it to try to trace malware that was deleting sensitive information from computers in several countries in the Middle East.
Gostev said his company is still analysing the malware but that it is certain it was deployed in August 2010 and has been circulating since around February or March 2010 and possibly in earlier versions before that. The Hungarian team found evidence of the worm as early as 2007.
Kaspersky has ruled out the possibility that the malware was created by hacktivists or cybercriminals because its intention is not to steal money, its architecture is vastly more complex than that used by hackers and its targets have been confined to several countries in the Middle East and Africa.
The company has concluded that it is likely the work of a nation state.
The Hungarian lab concurs, saying in its analysis that the worm was probably "developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities."
"SKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found," it said in its analysis.
On Tuesday, Israel's vice-prime minister Moshe Yaalon seemed to give credence to the theory that a state is behind the computer virus and that that state could possibly be Israel.
"Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," Yaalon told Galei Tzahal, the radio network of the Israel Defence Forces, when asked about Flame. "Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us."
Several Mideast countries hit
Kaspersky has so far identified seven countries that have been affected by Flame attacks:
- Iran (189 infections)
- Israel and Palestine (98 targets)
- Sudan (32 targets)
- Syria (30 targets)
- Lebanon (18 targets)
- Saudi Arabia (10 targets)
- Egypt (5 targets)
The Hungarian experts found that the worm, which they traced under the filename wavesup3.drv, was active in several European countries, including Hungary, as well as the United Arab Emirates and Iran.
Variety of targets
So far, there doesn't seem to be a pattern to the types of targets attacked. Individuals, educational institutions and state-related organizations have all been hit, Gostev said.
"From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence — emails, documents, messages, discussions inside sensitive locations, pretty much everything," Gostev writes. "We have not seen any specific signs indicating a particular target, such as the energy industry."
Iran's nuclear energy infrastructure was one of the targets of the Stuxnet cyberattack in 2010, so there will likely be suspicions that the newly identified worm might be deployed in similar ways.
The Stuxnet worm specifically targeted Siemens software and equipment, which is the basis of Iran's uranium-enrichment infrastructure, and did significant damage to Iran's nuclear capabilities.
Cybersecurity experts suspect it was created by Israeli or U.S. programmers at the behest of intelligence agencies in those countries.
In a security advisory issued Monday, Iran's Maher centre said that recent incidents of "mass data loss" in Iran could be the result of the new worm that it and its counterparts in Russia and Hungary have identified.
Gostev said that while there are indications in the Flame code that its creators might have had access to the same technology as was used in Stuxnet and may have exploited some of the same vulnerabilities as that virus, the two pieces of malware were likely created by separate groups.
Initially, Kaspersky experts suspected Flame was deployed in parallel but not in conjunction with Stuxnet.
But on June 11, they revised that analysis and said they had found evidence that the creators of the two viruses co-operated at least once and shared some source code.
Kaspersky expert Alexander Gostev said in a blog post that his company had identified a similarity between a subset of the code used in Flame and another set of code used in an early version of Stuxnet.
Stuxnet is believed to have been created by U.S. and Israeli intelligence agencies, a suspicion that surfaced again in a new book by New York Times journalist David E. Sanger.