  1. #1
    Senior Member JohnDoe2's Avatar
    Join Date
    Aug 2008
    Location
    PARADISE (San Diego)
    Posts
    99,040

    Powerful cyber weapon uncovered that might be Stuxnet kin

    Tue, 2012-05-29 07:51 AM
    By: Mark Rockwell

    Flame targets

    Security experts have uncovered a cyber weapon they said was the most sophisticated they had ever come across, and that shares characteristics with the Stuxnet virus that wreaked havoc on Iranian nuclear facilities in 2010.

    The “Flame” cyber espionage worm, said experts at Russian computer security firm Kaspersky Lab on May 28, has apparently been attacking computers and networks in the Middle East and appears to have been fashioned by the same entity that created Stuxnet.

    In an extensive post on a cyber security blog, Alexander Gotsev, head of Kaspersky’s global research and analysis team, said the Flame worm was found after the United Nations’ International Telecommunication Union came to the firm for help in finding an unknown piece of malware that was deleting sensitive information across the Middle East. “While searching for that code -- nicknamed Wiper -- we discovered a new malware codenamed Worm.Win32.Flame,” Gotsev said.

    The highly sophisticated computer virus has been infecting computers in Iran and other Middle Eastern countries, according to Gotsev, and may have been deployed at least five years ago to engage in state-sponsored cyber espionage.

    The worm shares many of the same characteristics as the infamous Stuxnet and Duqu viruses, he said, adding that while some of its features are different, the geography it has been operating in and its carefully targeted attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the middle east by unknown perpetrators. “Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of Cyber war and Cyber espionage,” he said.

    Once Flame infects a system, he said, it begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. According to Gotsev, all the data is available to the operators through the link to Flame’s command-and-control servers.

    Gotsev said although the company was still investigating, Flame appears to be able to record audio via a computer’s microphone, if one is present, storing recorded audio in compressed format, using a public-source library.

    Recorded data is sent to the command and control through a covert SSL channel, on a regular schedule, he said.

    The malware also has the apparent ability to regularly take screenshots when “interesting” applications, like instant messaging, are run by the computer’s user. Screenshots are stored and sent like the pilfered audio recordings, he said.

    Flame has been used to systematically collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria and Israel, he said.

    He explained that Flame is a sophisticated attack toolkit, more complex than Duqu. “It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master,” he said.

    Gotsev said Flame’s initial point of entry and how it spreads is unknown, but said it is apparently deployed in targeted attacks. He said the malware is looking for any kind of intelligence, from e-mail, documents, messages, discussions inside sensitive locations, “pretty much everything.” It doesn’t seem to have been targeted to specific industries, bringing the company to believe it is a “complete toolkit designed for general Cyber-espionage purposes,” he said.

    Powerful cyber weapon uncovered that might be Stuxnet kin | Government Security News

