Wired.com is reporting that Russian security researchers from Kaspersky Labs have found a sophisticated computer virus infecting computers in Iran and other Middle East countries. Indications are that the virus is designed to gather private data from the targeted computer systems. Known as “Flame,” it was discovered when the security group was called in to analyze a different malicious threat.
The origin of the virus reportedly dates back to 2007, and a state-sponsored group is believed to be behind it. Flame also appears to be far more sophisticated than the two previously discovered cyber weapons, Duqu and Stuxnet. Once Flame infects a system, it begins to collect network traffic, take screenshots, remotely change computer settings, initiate and record audio, and intercept keyboard input. Unlike Stuxnet, it does not appear to have a physical target. Stuxnet is believed to have been designed to attack the computer systems that drove Iran’s nuclear centrifuges, feeding them false data and causing the centrifuges to fail.
“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time period when Stuxnet and DuQu are believed to have been created.
Fully analyzing the Flame code may take several years. At 20MB in size, the code dwarfs the Stuxnet code by a factor of 20, but reports are that it exploits the same flaw in Windows to spread. These similarities leave little room for any conclusion other than that the development of this virus is state sponsored, and the list of nations that could deploy such a weapon is rather small. As described, the virus was designed to stay hidden and collect information over a long period. Given its size and all the monitoring and data-collecting features it is reported to have, its lineage no doubt bears the hallmarks of a complex, targeted, state-sponsored development. For the security community today, one thing is certain: if this represents what was being released five years ago, then what is being produced today is likely far more sophisticated, as with any five-year advance in technology. More analysis will certainly take place in the days and weeks to come, and there may well be more surprises in store for the community to review.