Skip to comments."Flame" computer virus strikes Middle East; Israel speculation continues
Posted on 05/30/2012 10:03:45 AM PDT by Signalman
AP) LONDON - A massive, data-slurping cyberweapon is circulating in the Middle East, and computers in Iran appear to have been particularly affected, according to a Russian Internet security firm.
Moscow-based Kaspersky Lab ZAO said the "Flame" virus was unprecedented both in terms of its size and complexity, possessing the ability to turn infected computers into all-purpose spying machines that can even suck information out of nearby cell phones.
"This is on a completely different level," Kaspersky researcher Roel Schouwenberg said in a telephone interview Tuesday. "It can be used to spy on everything that a user is doing."
The announcement sent a ripple of excitement across the computer security sector. Flame is the third major cyberweapon discovered in the past two years, and Kaspersky's conclusion that it was crafted at the behest of a national government fueled speculation that the virus could be part of an Israeli-backed campaign of electronic sabotage aimed at archrival Iran.
Although their coding is different, Schouwenberg said there was some evidence to suggest that the people behind Flame also helped craft Stuxnet, a notorious virus that disrupted controls of some nuclear centrifuges in Iran in 2010.
"Whoever was behind Flame had access to the same exploits and same vulnerabilities as the Stuxnet guys," he said, speculating that two teams may have been working in parallel to write both programs.
Stuxnet revolutionized the cybersecurity field because it targeted physical infrastructure rather than data, one of the first demonstrations of how savvy hackers can take control of industrial systems to wreak real-world havoc.
So far, Flame appears focused on espionage. The virus can activate a computer's audio systems to eavesdrop on Skype calls or office chatter, for example. It can also take screenshots, log keystrokes, and - in one of its more novel functions - steal data from Bluetooth-enabled cell phones.
Tehran has not said whether it lost any data to the virus, but a unit of the Iranian communications and information technology ministry said it had produced an anti-virus capable of identifying and removing Flame from its computers.
Speaking Tuesday, Israel's vice premier did little to deflect suspicion about the Jewish state's possible involvement in the latest attack.
"Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," Israeli Vice Premier Moshe Yaalon told Army Radio when asked about Flame. "Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us."
Flame is unusually large.
Malicious programs collected by U.K. security firm Sophos averaged about 340 kilobytes in 2010, the same year that Kaspersky believes Flame first started spreading. Flame weighs in at 20 megabytes - nearly 60 times that figure.
Alan Woodward, a professor of computing at the University of Surrey in southern England, said the virus was modular - meaning that functions could be added or subtracted to it as needed. He compared it to a smartphone, saying that, depending on what kind of espionage you want to carry out, "you just add apps."
He was particularly struck by Flame's ability to attack Bluetooth-enabled devices left near an infected computer.
Bluetooth is a short-range wireless communications protocol generally used for wireless headsets, in-car audio systems or file-swapping between mobile phones. Woodward said that Flame can turn an infected computer into a kind of "industrial vacuum cleaner," copying data from vulnerable cell phones or other devices left near it.
"I don't believe I've seen it before," he said.
Udi Mokady, chief executive of Cyber-Ark, an Israeli developer of information security, said he thought four countries, in no particular order, had the technological know-how to develop so sophisticated an electronic offensive: Israel, the U.S., China and Russia.
"It was 20 times more sophisticated than Stuxnet," with thousands of lines of code that took a large team, ample funding and months, if not years, to develop, he said. "It's a live program that communicates back to its master. It asks, `Where should I go? What should I do now?' It's really almost like a science fiction movie," he said.
It's not clear what exactly the virus was targeting. Kaspersky said it had detected the program in hundreds of computers, mainly in Iran but also in Israel, the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
The company has declined to go into detail about the nature of the victims, saying only that they "range from individuals to certain state-related organizations or educational institutions."
Schouwenberg, the Kaspersky researcher, said stolen data was being sent to some 80 different servers, something which would give the virus's controllers time to readjust their tactics if they were discovered. He added that some of Flame's functions still weren't clear.
"Maybe it's just espionage," he said. "Maybe it's also sabotage."
Kaspersky said it first detected the virus after the United Nations' International Telecommunication Union asked it for help in finding a piece of malware that was deleting sensitive information across the Middle East. The company stumbled across Flame when searching for that other code, it said.
Spokespeople for the Geneva-based Telecommunication Union didn't return emails seeking comment.
The discovery of the Flame virus comes just days after nuclear talks between Iran and six world powers in Baghdad failed to persuade Tehran to freeze uranium enrichment. A new round of talks is expected to take place in Moscow next month.
Yaalon, the Israeli vice premier, told Army Radio on Tuesday that the talks in Iraq "yielded no significant achievement" except to let Iran buy time. He appeared to take a swipe at President Barack Obama by saying it might "even be in the interest of some players in the West to play for time."
“Mr. Finch” created it.
I’m happy with Stuxnet, Duqu, and Flame as tools to delay evil, but it’s about time to send a large array of MOAB or similar solutions to impose a much bigger delay. In the event that Israel is afraid to act while the anti-Semite is in our White House, they should plan a strike for January 19 or 20, 2013, immediately prior to a real president taking office in America - if they can afford to wait that long. It would be nice to let the next real president treat the attack as “old news” from a prior administration, while allowing Obama to treat it as something to pass down to his successor.
Even if an attack cannot permanently prevent Iran from going nuclear, a well-planned strike has the potential to make nukes so expensive that Iran will choose not to proceed.
OK, so who found it? The UK? Shame on them for blabbing...whoever did it.
Just imagine someone creating chaos for Iran (or any other terrorist supporting country) from the comfort of a keyboard. Imagine the nuke weapon engineer logging into his PC to find all files replaced with endless-loop youtube videos of coke & mentos experiments. Or the chaos of an electrical grid being randomly powered up & down. Or perhaps all their top secret electronic files randombly sent to news outlets across the planet. Would be fun to watch...
I’m pretty sure that ‘Moscow-based Kaspersky Lab ZAO’ isn’t in the UK.
ZAO just referred to a UK virus collation firm for historical virus size statistics.
wait til they get their nukes and make them detonate WITHOUT launch!
It would be more fun to instal a “Press to test/Release to detonate” bug in their first assembled weapon...
I would hope there are hundreds of people writing microcontroller code for industrial equipment to be installed in Iran’s nuke facilities.
A little self modifying code (very easy to do and very hard to detect) in some assembly language could do some mighty interesting things. Self modifying code allows the programmer to alter one or more instructions so they fetch or put data into the wrong area of memory or even to change the type of instruction which alters program flow at the modified instruction.
When the code is modified there may very well be no obvious change in operation or loss of data until a centrifuge goes ballistic. At that time it is too late.
PC viruses are much more prevalent and therefore more attention is paid to what goes on than down at the lowly but all so powerful microcontroller level.
That would be an amusing “oopsie”. I wonder if Flame picked up the information on any planned permissive action link codes.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.