Flame: ‘20 Times Larger than Stuxnet’

Tuesday, May 29, 2012 @ 12:05 PM gHale


By Gregory Hale
A powerful computer virus with data-snatching capabilities is not only hitting machines in Iran, but elsewhere in the Middle East, and is “20 times larger than Stuxnet.”

The origin of the new spyware virus, called “Flame,” is not yet known, said researchers from Kaspersky Lab, who found the virus. While some reports say it could be coming from Israel, while others said Flame is a program that originated in Brazil, systems in the Middle East are still falling victim to the data-capturing virus.

This virus comes on the heels of an ISSSource report that in the event of war with Iran, Israel will deploy a vast array of high tech weapons that would “take out” Iran’s air defense systems by rendering them deaf, dumb and blind, and then insert and activate a new version of the Stuxnet virus to destroy its command centers, said serving and former U.S. intelligence officials.

RELATED STORIES
New Stuxnet Waiting for Green Light
Stuxnet Loaded by Iran Double Agents
Cyber Warning: Duqu’s Back
Duqu Still at Work
Duqu Report: Code is Old School
Stuxnet, Duqu Link Grows Stronger
Stuxnet to Duqu: The Waiting Begins
Duqu and Rumors of War
A New and Frightening Stuxnet

While it is too early to tell if this latest virus is them invoking their cyber battle plan, Israel’s program also called for the destruction of all of Tehran’s communication and network surveillance including its electrical plants, radar sites and command centers, said officials who requested anonymity because of their close proximity to ongoing investigations.

Israel’s multi-billion dollar program, developed with U.S. assistance, would include other high value targets such as Iran’s electric grid, its Internet, cell phone network, and even emergency frequencies for firefighters and police officers, these sources said.

Israel has already prepared measures to take down Iran’s electric grid making a list of more than two dozen sites.

“The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” Kaspersky said in a release.

“The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now,” said Eugene Kaspersky, chief executive and co-founder of Kaspersky Lab. “Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

Flame came to being, Kaspersky Labs believes, no earlier than in 2010, but it is still undergoing active development to date. “Its creators are constantly introducing changes into different modules, while continuing to use the same architecture and file names. A number of modules were either created of changed in 2011 and 2012,” Kaspersky Lab’s Alexander Gostev said in a blog post.

The virus eluded detection because of its “extreme complexity” and the fact the virus is targeting only selected computers. Flame’s primary purpose, Kaspersky said, “appears to be cyber espionage, by stealing information from infected machines” and sending it to servers across the world.

“In size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage features. Flame has no major similarities with Stuxnet/Duqu. Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. There are, however, some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project — such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet’s authors,” Gostev said.

“It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master,” Gostev said.

“Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on, Gostev said. “All this data is available to the operators through the link to Flame’s command-and-control servers.”

“Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.”

The virus collected information in Iran, Israel and the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt, Kaspersky researchers said. Iran was county hit the most.

A unit of the Iranian communications and information technology ministry said it has produced an antivirus capable of identifying and removing the new malware. The Flame virus is the fourth known cyber attack on Iranian computer systems.

Israel’s vice premier did little to deflect suspicion about possible Israeli involvement in the latest attack.

“Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it,” Vice Premier Moshe Yaalon said. “Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us.”

As ISSSource reported, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.

The Stuxnet scenario was possible, as ISSSource learned, because an Israeli proxy — an Iranian, who used a corrupt “memory stick.32” implanted the virus that damaged Iran’s nuclear program, said former and serving U.S. intelligence officials said.

In the continuing battle to hold off the Iranian nuclear program, Iranian proxies have also been active in assassinating Iran’s nuclear scientists, these sources said.

These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “Iranian double agents” would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi said an unspecified number of “nuclear spies” were arrested in connection with Stuxnet.33 virus.

Former and senior U.S. officials believe nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to do targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of the CIA’s Counterterrorism. He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” Other former agency officials confirmed this.

Israel, like the West, rejects Tehran’s statements saying its nuclear program is there to produce energy only. Israel considers Iran to be the greatest threat to its survival and repeatedly threatened to attack Iran’s nuclear facilities if Tehran doesn’t abandon its uranium enrichment project, a key element of bomb making.

Because Flame is so complex and not designed to hack into bank accounts and doesn’t have the hallmarks of amateur hackers, Kaspersky concluded the research that went into the code was government-sponsored.

The code offers no information that can tie Flame to any specific country, Kaspersky Lab researchers said.

Iran claims Stuxnet and other computer viruses have done no serious harm to Iran’s nuclear or industrial facilities, and sees them as part of a campaign by Israel, the U.S. and their allies, which includes the assassination of Iranian nuclear scientists, to undermine the Iranian nuclear program.



Leave a Reply

You must be logged in to post a comment.