A new piece of malware called “Flame” has been uncovered by Kaspersky Lab and is thought to be part of a well-organized, state-run cyber espionage operation affecting Iran, Israel and other Middle Eastern countries. Because the new malware appears to target computers mainly in the Middle East, and because of the specific software vulnerabilities it exploits, analysts are saying that although Flame differs from Duqu and Stuxnet it belongs to the same family.
“The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet” wrote Kaspersky Lab in a statement.
According to the Iranian CERTCC, the file naming conventions, propagation methods, complexity level, and precise targeting indicate that Flame is a close relation of Stuxnet. However, one important difference is that Flame is modular. Once a machine has been infected, the operators can upload new modules to extend Flame’s functionality. So far 20 modules have been found, but researchers expect to find more.
Flame can perform a number of complex operations, including network sniffing, taking screenshots, recording audio, logging keystrokes, and so on. All of this data is sent to the operators via command-and-control servers.
According to Reuters, it is possible that Flame has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign. Further details can be found in Kaspersky Lab’s Flame FAQ.