Last May 28, Kaspersky Lab, a leading developer of secure content and threat management solutions, announced that it had discovered a powerful and highly complex piece of malicious software being used as a cyber weapon to attack certain countries.
The new malware, called “Flame” (Worm.Win32.Flame), steals secret information such as emails, audio recordings, photos, documents, messages, and discussions from infected computers. The captured information is sent to a network of command-and-control servers located in many different parts of the world.
Kaspersky Lab said Flame is a sophisticated attack toolkit that is far more complex than Duqu. It is a backdoor and a Trojan, and it has worm-like features that allow it to replicate across a local network and onto removable media if commanded to do so by its operator.
One notable feature of Flame is its size: at about 20 megabytes it is a particularly large file, which is uncommon among malware, since most malware tries to avoid detection by staying small.
It can also capture audio recordings through an internal microphone, adding to the various means by which it collects data.
Flame can also use Bluetooth connectivity to collect information about discoverable devices near the infected machine. In turn, it can also turn the infected machine into a “beacon” that makes itself discoverable to nearby Bluetooth-enabled devices, only to capture their information.
The malware was discovered by Kaspersky Lab’s experts during an investigation prompted by the International Telecommunication Union (ITU). The malicious program, detected as Worm.Win32.Flame by Kaspersky Lab’s security products, is said to be designed to carry out cyber espionage. It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and even audio conversations.
The malware was first detected, albeit accidentally, after the International Telecommunication Union (ITU) asked Kaspersky to investigate a series of incidents related to another, equally destructive piece of malware called “Wiper.” Flame was discovered instead, and it was later found to have been “in the wild” for over two years. Its complexity helped it evade most antivirus applications.
Kaspersky Lab experts led by chief security expert Alexander Gostev found that Flame is even more complex than Duqu and Stuxnet, two other extremely malicious rootkits that were detected last year. Nevertheless, Flame shares many characteristics with Duqu and Stuxnet.
Flame infections of PCs have been found in at least seven Middle Eastern countries, namely Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
Gostev explained that while the countries targeted suggest Flame could come from a nation state with relations to those countries, its source and exact purpose have yet to be verified.
“There doesn’t seem to be any visible pattern re the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions. Of course, collecting information on the victims is difficult because of strict personal data collecting policies designed to protect the identity of our users,” said Gostev.
“The preliminary findings of the research, conducted upon an urgent request from ITU, confirm the highly targeted nature of this malicious program. One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” he added.