The security software vendor first discovered the malware about two weeks ago, after the International Telecommunication Union alerted the company to an unknown piece of malware that was deleting information from computers across the Middle East. Since then, it has been ascertained that the malware has been operating since early 2010.
While we have seen cyber weapons like Stuxnet, which wreaked havoc on Iran's nuclear program in 2009, and its sister offshoot Duqu, Flame is 20 times more complex than Stuxnet, and it might take researchers 10 years to fully understand it. The malware is 20 megabytes in size, and once all its modules are installed it contains multiple libraries, SQLite3 databases, various levels of encryption and 20 plugins that the attackers can swap in and out. Oddly, at least some of its code has been written in the Lua programming language, a rarity for malware.
Initial analysis of Flame suggests that it has been designed to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. Among its various modules, one has been discovered that can activate a computer's microphone to secretly record conversations on Skype or other IM clients, or even conversations in the computer's vicinity.
Another module in the worm can turn Bluetooth-enabled devices into Bluetooth beacons that scan for other Bluetooth devices in order to siphon off phone numbers and contact names. Lastly, another module takes frequent screenshots of the PC's activity, such as IMs and e-mails, and sends them over a covert SSL channel to the attackers' command center. Flame can also scan all of the traffic on an infected machine's local network and collect usernames and password hashes that are transmitted across the network.
Unlike Stuxnet, it does not self-replicate on its own; however, self-replication can be activated at the attackers' behest. This has perhaps been done to reduce the chance of detection.
Since Kaspersky broke the news last night, Iran's Computer Emergency Response Team has announced that it has developed a detector for what it calls Flamer, and that it delivered the detector to select organizations at the beginning of May. It also claims to have developed a removal tool for the malware.
For more information on the scale of this piece of malware, follow the read link, where Kaspersky Labs have provided an in-depth analysis.