The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Tuesday.
Israel has dismissed suggestions that it might be behind the Flame cyber-attack.
Several media reports linked comments made by the country’s vice prime minister with the malware, which has infected more than 600 targets.
However, a spokesman for the Israeli government told the BBC that Moshe Ya’alon had been misrepresented.
Security experts said it was still too early to pinpoint the source of the attack.
Mr Ya’alon, who is also Israel’s minister of strategic affairs, discussed the attacks on Israel’s military radio station, Army Radio.
“There are quite a few governments in the west that have rich high-tech [capabilities] that view Iran, and particularly the Iranian nuclear threat, as a meaningful threat – and can possibly be involved with this field,” he said.
“I would imagine that everyone who sees the Iranian nuclear threat as a significant one, and that is not only Israel, it is the entire Western world, headed by the United States of America, would likely take every single measure available, including these, to harm the Iranian nuclear project.”
When asked to clarify Mr Ya’alon’s comments by the BBC, a spokesman for the minister said: “There was no part of the interview where the minister has said anything to imply that Israel was responsible for the virus.”
In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Center warned that the virus was dangerous. An expert at the organization said in a telephone interview that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.
Security experts have only begun examining the thousands of lines of code that make up Flame, an extensive, data-mining computer virus that has been designed to steal information from computers across the Middle East, but already digital clues point to its creators and capabilities.
Researchers at Kaspersky Lab, which first reported the virus Monday, believe Flame was written by a different group of programmers from those who had created other malware directed at computers in the Middle East, particularly those in Iran. But Flame appears to be part of the state-sponsored campaign that spied on and eventually set back Iran’s nuclear program in 2010, when a digital attack destroyed roughly a fifth of Iran’s nuclear centrifuges.
What is Flame?
Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting. The malware is named after one of the main modules that is responsible for attacking and infecting additional computers. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee’s technical blog post is here. This report on the malware, from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics, refers to the threat as “sKyWIper.”
“Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit,” Schouwenberg said. “We assume that we don’t have all the modules that exist in the wild.”
How does it spread?
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It’s unclear what the initial point of entry is. “We expect to find a spear phishing e-mail with a Zero-Day exploit,” Schouwenberg said.
How long has Flame been around?
“We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that,” Schouwenberg said Kaspersky Lab researchers discovered the malware several weeks ago after being asked by the United National’s International Telecommunication Union for help in uncovering malware dubbed “Wiper” that was stealing and deleting sensitive information on computers in Iran’s oil sector.
How does Flame relate to Wiper?
“Wiper could be a Flame module that is uploaded to a target machine when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental,” Schouwenberg said. “So, we have an open mind to Wiper being a Flame plug-in.” Iran’s National Computer Emergency Response Team (CERT), which is called “Maher,” said software to detect Flame was sent to companies in that country at the beginning of May and a removal tool is ready now. Recent incidents of mass data loss in Iran “could be the outcome of some installed module of this threat,” the center said, speculating that attacks in which data from Iran’s gas company computers may have been linked to Flame. Officials in Iran suspect that Wiper and Flame are somehow linked, the Associated Press reports.
Why wasn’t Flame discovered earlier?
Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. “Clearly it’s another multimillion-dollar project with government funding, so one of the top priorities has been stealth,” Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn’t look malicious at first glance. “Flame authors have adopted the concept of hiding in plain sight,” he said. Because Flame doesn’t use a rootkit technology, free anti-rootkit tools won’t be able to detect it. “Finding it is going to be more complicated,” according to Schouwenberg.
Who is being targeted with Flame?
The highest proportion of infections are in Iran, followed by “Israel/Palestine,” Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in “the Palestinian West Bank, Hungary, Iran and Lebanon.” “With Flame, we haven’t been able to say what binds all the targets together other than that they are in the same geographical region,” Schouwenberg said. “We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don’t know what type of data has been stolen.” Victims include educational institutions, state-related organizations and individuals.
This post sponsored by www.osxantimalware.com Antivirus for Mac