
Flame espionage virus has targeted Iran for last 2 years

by Mark Tyson on 28 May 2012, 18:19

Tags: Kaspersky


Since March 2010, Iran has been targeted by a data-monitoring and data-collecting piece of malware now known as Flame. Analysts say the malware is so complex that they believe it could only have been developed by a government agency or a state with a very big budget. Flame's purpose is to gather data and send it to its command-and-control (C&C) servers, of which approximately 80 are known to exist.

CrySyS Lab, a unit at the Budapest University of Technology and Economics that investigates computer viruses, said of Flame: “It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes. Information gathering from a large network of infected computers was never crafted as carefully”.

The “Worm.Win32.Flame” malware infects Windows-based computers and weighs in at a rather large 20MB. Unlike its single-shot predecessors Stuxnet and Duqu, Flame is a complete attack toolkit that can steal data from many different sources. For example, rather than just recording VoIP calls, the program can turn on the computer's microphone and begin recording at will, while simultaneously taking screenshots of interesting applications (usually instant-messaging apps).

The main features of the virus, as listed by Iran's Maher CERTCC, are:

  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of infected system looking for specific extensions and contents
  • Creating a series of screen captures of the user's screen when specific processes or windows are active
  • Using the infected system’s attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antiviruses, anti malware and other security software
  • Capable of infecting Windows XP, Vista and 7 operating systems
  • Infecting large scale local networks

[Image: Flame infections detected by Kaspersky Lab]

Experts believe the Flame espionage virus spread itself via phishing, website downloads or USB pen drives, and perhaps by further unidentified methods. The complexity of the virus is such that researchers are only just beginning to see how it works and what it does. Kaspersky Lab's Alexander Gostev told Wired: “It took us half-a-year to analyze Stuxnet. This is 20-times more complicated. It will take us 10 years to fully understand everything.” Asked how exactly to classify Flame, the Kaspersky Lab expert said: “It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”

In a Kaspersky blog update today the company confirmed that Flame is the same virus as SkyWiper, detailed by CrySyS Lab, and Flamer, as found by Iran's Maher CERTCC. This very large and complex malware has been mining data for over two years, specifically targeting Iran. High-profile organisations in Iran received software capable of neutralising Flame in early May. Some experts believe the Flame espionage virus is related to the Stuxnet virus and was created by a US- or Israel-based agency.

HEXUS Forums :: 12 Comments

And we are worried about SOPA and PIPA type legislation…
Now I'm worried that I may have worms too.
“have been developed by a government agency or state with a very big budget” = CIA

Why are the US and UK after Iran? The US and UK have their own nukes and they even gave away their nukes to a tiny country like Israel. Are they the only ones allowed to have nukes? It's like goddamn sinners preaching religion.

It's not as if Iran is threatening the world like N. Korea. Then why? Here's why: 'cos Iran is self-sufficient and not dependent on US donations.
It's nothing to do with nukes; it's about oil, and the fact they are seriously upset with the events of 1979 when their puppet was thrown out…
I thought it was about Israel and the strength of the Israeli lobby in the US. I would have thought that Israel was the most likely culprit: six months' programming for no-risk intelligence. Just the sort of strategy that would appeal to a small country.