Russia-based cybersecurity firm Kaspersky Lab has discovered what may be the world’s largest, most complex, and potentially most dangerous “cyber weapon” ever found. Known as “Flame,” the malware has been detected on machines across the Middle East, with the highest concentration of Flame infections found on Iranian computers, leading experts to believe that the malware is government-created.
At 20 megabytes in size, and with many individual components, Flame is 20 times larger than either Stuxnet or Duqu, the two pieces of malware previously considered the most dangerous.
According to Alexander Gostev, Kaspersky’s head of Global Research and Analysis, Flame first came to Kaspersky Lab’s attention after the International Telecommunication Union (ITU), a part of the United Nations, asked Kaspersky to look into “an unknown piece of malware which was deleting sensitive information across the Middle East.” Specifically, Flame, which earlier media reports on the mysterious malware referred to as either “Wiper” or “Viper,” was found on computers of the Iranian Oil Ministry and the Iranian National Oil Company.
What Kaspersky’s cybersecurity experts uncovered was “what might be the most sophisticated cyber weapon yet unleashed,” writes Gostev on the Kaspersky blog SecureList. Flame “is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master,” writes Gostev. Flame gives its operators vast spying capabilities, including the ability to take screenshots, log keystrokes, and even record audio through an infected computer’s microphone.
As with Stuxnet and Duqu, the creator of Flame remains a mystery. Based on certain details, however, Kaspersky has narrowed the field of candidates to one category: nation states.
“Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states,” writes Gostev. “Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”
At the moment, a Western government (such as the United States) or Israel seems the most likely creator of Flame, given that Iran — considered by some as one of the greatest threats to Israel — is the most-targeted country. Other areas with Flame-infected computers include the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia, Egypt, Austria, Hungary, Russia, the United Arab Emirates, and Hong Kong.
As AFP reports, Israel’s Strategic Affairs Minister Moshe Yaalon issued a statement about Flame that seems to hint at the Israeli government’s involvement in its development and/or distribution.
“For anyone who sees the Iranian threat as significant, it is reasonable that he would take different steps, including these, in order to hobble it,” he said in an interview with the Israeli army radio. “Israel is blessed with being a country which is technologically rich, and these tools open up all sorts of possibilities for us.”
The exact date of Flame’s release is currently unknown. Gostev says the files that could reveal this information have been repeatedly updated with fake dates, but that Kaspersky knows the malware has been “out in the wild” since at least February or March of 2010. Wired reports that at least one component of the massive Flame malware appeared on computers in Europe as far back as December 2007, and in Dubai at the end of April 2008.
A number of antivirus firms, including Kaspersky, BitDefender, and Symantec, are currently analyzing Flame. BitDefender has released tools for removing Flame from infected computers, available here. And Iran’s Computer Emergency Response Team has issued a statement saying that it has created a detector to find the so-called “Flamer” malware on infected machines, as well as a way to remove the invasive code.
To learn more about the Flame spyware, check out Kaspersky’s Q&A here.
Lead image via Ilja Mašík/Shutterstock