The Russian cybersecurity company Kaspersky has discovered that a truly massive piece of malware has been lurking on computers in Iran and other Islamic locations for at least two years. The software discovered is believed to be state-sponsored, and everyone is refraining in print from finger-pointing at the United States.
A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.
The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.
Dubbed â€œFlameâ€ by Kaspersky, the malicious code dwarfs Stuxnet in size â€“ the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iranâ€™s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals â€” marking it as yet another tool in the growing arsenal of cyberweaponry.
The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.
â€œStuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,â€ said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. â€œThe Flame malware looks to be another phase in this war, and itâ€™s important to understand that such cyber weapons can easily be used against any country.â€
Early analysis of Flame by the Lab indicates that itâ€™s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.
The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption â€” some strong, some weak â€” and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language â€” an uncommon choice for malware.
Kaspersky Lab is calling it â€œone of the most complex threats ever discovered.â€
â€œItâ€™s pretty fantastic and incredible in complexity,â€ said Alexander Gostev, chief security expert at Kaspersky Lab.
Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.
â€œItâ€™s a very big chunk of code. Because of that, itâ€™s quite interesting that it stayed undetected for at least two years,â€ Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time-period when Stuxnet and DuQu are believed to have been created.
Read the whole thing.