The Flame worm that has targeted computers in the Middle East is being called “the most sophisticated cyberweapon yet unleashed” by Kaspersky Lab researchers who discovered it. Lurking on computers for at least five years, the malware has the ability to steal data, eavesdrop on conversations, and take screen captures of instant message exchanges, making it dangerous to any victim. But a possible link to malware found on computers in Iran’s oil sector has experts saying it’s got to be the work of a nation-state.
CNET talked with Roel Schouwenberg, senior researcher at Kaspersky, the company that uncovered the malware, to find out who is behind it and how dangerous it really is.
What is Flame? Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting. The malware is named after one of the main modules that is responsible for attacking and infecting additional computers. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee’s technical blog post is here. This report on the malware, from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics, refers to the threat as “sKyWIper.”
“Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit,” Schouwenberg said. “We assume that we don’t have all the modules that exist in the wild.” (Read More)