
Flame, a new cyber weapon found in Iran

June 04, 2012 11:03 IST

The world was taken by storm when Stuxnet hit cyberspace and threatened to compromise Iran's nuclear programme. Then came the menace of Duqu, which was similar to Stuxnet.

While the threat of both Stuxnet and Duqu continues to loom large, it is another piece of malware that is causing a great deal of concern. It is known as Flame.

Flame, according to experts, is a sophisticated piece of malware that has struck Iran. Its primary job is to spy on documents, recorded conversations and keystrokes. In addition, it allows the attackers to tweak programmes on the infected machine and add new functionalities.

This piece of malware, which is 20 megabytes in all, was first discovered by Kaspersky Lab in Russia. Research on the virus indicates that it has hit Iran the hardest, and that it is also present in Sudan, Lebanon, Syria and elsewhere in the Middle East.

Flame, like Stuxnet, has been developed by a country's spy agency and is not the handiwork of common cyber criminals.

Indian cyber crime experts point out that there has been no infection in India. However, looking at the manner in which it has been programmed and the way in which it infects a system, it is clear that this is not the handiwork of some crook in cyberspace.

The intention is to gather very important data pertaining to national security, and it could be considered a war between two nations.

Moreover, Flame, like Stuxnet, has not infected private systems; the databases that these malwares have infected are state-operated systems, mainly in the defence sector.

Shantanu Ghosh, vice president and managing director, Product Operations, Symantec, says that, on a par with Stuxnet and Duqu, Symantec's security response team is analysing a new, highly sophisticated and discreet threat: W32.Flamer.

The analysis so far reveals that the malware was built with the ability to obtain information from infected systems primarily located in the Middle East.

As with the previous two threats, this code was not written by a single individual but by an organised, well-funded group of personnel working under directives.

The code includes multiple references to the string 'FLAME', which may be indicative of either instances of attacks by various parts of the code, or the malware's development project name.

The threat has operated discreetly for at least two years with the ability to steal documents, take screenshots of users' desktops, spread via USB drives, disable security vendor products, and under certain conditions spread to other systems.

The threat may also have the ability to leverage multiple known and patched vulnerabilities in Microsoft Windows, in order to spread across a network.

Initial telemetry indicates that the targets of this threat are located primarily in the Palestinian West Bank, Hungary, Iran, and Lebanon.

Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of the individuals targeted are currently unclear.

However, initial evidence shows the victims may not all be targeted for the same reason. Many appear targeted for individual personal activities, rather than their company of employment.

Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers being used from home Internet connections.

Use of Bluetooth:

Flame is potentially the first Windows-based malware ever observed to use Bluetooth. Why exactly the attackers built this functionality into the threat is still a mystery, but three theories have emerged as a result of research and analysis.

1. To map infected users' social and professional circles by cataloguing the various other Bluetooth-enabled devices encountered.

2. To identify the physical locations of infected users to determine their proximity to high-priority targets, whether those targets be other individuals or computing systems.

3. To target other Bluetooth devices within range to steal information off them, use them to eavesdrop, or leverage their data connections to exfiltrate already-stolen data.

Though the precise intentions behind including Bluetooth connectivity in the threat's code cannot yet be determined, these three plausible scenarios further confirm Flamer's sophistication as an advanced espionage tool.

Many security agencies believe that, like Stuxnet, this malware could also have emerged from Israel. Looking at the level of sophistication, it becomes clear that this is a government-backed operation.

There are multiple libraries, SQLite3 databases and several levels of encryption. Moreover, what has foxed researchers is the use of the Lua programming language, which is uncommon for malware.

Vicky Nanjappa
Tags: Stuxnet, Iran, Duqu, LUA, USB