* Most complex piece of malicious software yet found
* Speculation may grow over countries wielding cyber weapons
* Virus targeted mainly in Middle East
By Jim Finkle
BOSTON, May 28 (Reuters) – Security experts have discovered
a highly sophisticated computer virus in Iran and the Middle
East that they believe was deployed at least five years ago to
engage in state-sponsored cyber espionage.
Evidence suggest that the virus, dubbed Flame, may have been
built on behalf of the same nation or nations that commissioned
the Stuxnet worm that attacked Iran’s nuclear program in 2010,
according to Kaspersky Lab, the Russian cyber security software
maker that claimed responsibility for discovering the virus.
Kaspersky researchers said on Monday they have yet to
determine whether Flame had a specific mission like Stuxnet, and
declined to say who they think built it.
Iran has accused the United States and Israel of deploying
Stuxnet.
Cyber security experts said the discovery provides new
evidence to the public to show what experts privy to classified
information have long known: that nations have been using pieces
of malicious computer code as weapons to promote their security
interests for several years.
“This is one of many, many campaigns that happen all the
time and never make it into the public domain,” said Alexander
Klimburg, a cyber security expert at the Austrian Institute for
International Affairs.
A cyber security agency in Iran said on its website on
Monday that Flame bore a “close relation” to Stuxnet, the
notorious computer worm that attacked that country’s nuclear
program in 2010 and is the first publicly known example of a
cyber weapon.
Iran’s National Computer Emergency Response Team also said
Flame might be linked to recent cyber attacks that officials in
Tehran have said were responsible for massive data losses on
some Iranian computer systems.
Kaspersky Lab said it discovered Flame after a U.N.
telecommunications agency asked it to analyze data on malicious
software across the Middle East in search of the data-wiping
virus reported by Iran.
STUXNET CONNECTION
Experts at Kaspersky Lab and Hungary’s Laboratory of
Cryptography and System Security who have spent weeks studying
Flame said they have yet to find any evidence that it can attack
infrastructure, delete data or inflict other physical damage.
Yet they said they are in the early stages of their
investigations and that they may discover other purposes beyond
data theft. It took researchers months to determine the key
mysteries behind Stuxnet, including the purpose of modules used
to attack a uranium enrichment facility at Natanz, Iran.
“Their initial research suggest that this was probably
written by the authors of Stuxnet for covert intelligence
collection,” said John Bumgarner, a cyber warfare expert with
the non-profit U.S. Cyber Consequences Unit think tank.
Flame appears poised to go down in history as the third
major cyber weapon uncovered after Stuxnet and its data-stealing
cousin Duqu, named after the Star Wars villain.
The Moscow-based company is controlled by Russian malware
researcher Eugene Kaspersky. It gained notoriety in cyber
weapons research after solving several mysteries surrounding
Stuxnet and Duqu.
Their research shows the largest number of infected machines
are in Iran, followed by Israel and the Palestinian territories,
then Sudan and Syria.
The virus contains about 20 times as much code as Stuxnet,
which caused centrifuges to fail at the Iranian enrichment
facility it attacked. It has about 100 times as much code as a
typical virus designed to steal financial information, said
Kaspersky Lab senior researcher Roel Schouwenberg.
GATHERING DATA
Flame can gather data files, remotely change settings on
computers, turn on PC microphones to record conversations, take
screen shots and log instant messaging chats.
Kaspersky Lab said Flame and Stuxnet appear to infect
machines by exploiting the same flaw in the Windows operating
system and that both viruses employ a similar way of spreading.
That means the teams that built Stuxnet and Duqu might have
had access to the same technology as the team that built Flame,
Schouwenberg said.
He said that a nation state would have the capability to
build such a sophisticated tool, but declined to comment on
which countries might do so.
The question of who built flame is sure to become a hot
topic in the security community as well as the diplomatic world.
There is some controversy over who was behind Stuxnet and
Duqu.
Some experts suspect the United States and Israel, a view
that was laid out in a January 2011 New York Times report that
said it came from a joint program begun around 2004 to undermine
what they say are Iran’s efforts to build a bomb. That article
said the program was originally authorized by U.S. President
George W. Bush, and then accelerated by his successor, Barack
Obama.
A U.S. Defense Department spokesman, David Oten, declined to
comment on Flame on Monday, saying it may take “some time”
because of the U.S. Memorial Day holiday.
The CIA, the State Department, the National Security Agency,
and the U.S. Cyber Command declined to comment.
Hungarian researcher Boldizsar Bencsath, whose Laboratory of
Cryptography and Systems Security first discovered Duqu, said
his analysis shows that Flame may have been active for at least
five years and perhaps eight years or more.
“The scary thing for me is: if this is what they were
capable of five years ago, I can only think what they are
developing now,” Mohan Koo, managing director of British-based
Dtex Systems cyber security company.
Mikko Hypponen, chief research officer for anti-virus
software maker F-Secure of Finland, described Flame as the
latest of high-profile viruses that show makers of anti-virus
software need to improve their performance.
“Stuxnet, Duqu and Flame are all examples where we – the
anti-virus industry – have dramatically failed,” he said. “All
of these cases were spreading undetected for extended periods of
time … Yet, anti-virus products failed to protect users
against these attacks.”
