The most “sophisticated cyberweapon yet unleashed” has been uncovered in computers in the Middle East and is believed to have been developed by a “nation state.”
The unusually complex malware has been dubbed ‘Flame’ by Kaspersky Labs and ‘sKyWIper’ by the Hungarian Laboratory of Cryptography and System Security (CrySyS Lab).
Incredibly intelligent and unnaturally large in size, the malware gathers user information from a computer’s keyboard, screen, microphone, storage device, network, Wi-Fi, Bluetooth and USB system processes, according to a Wall Street Journal report.
Antivirus researchers and software developers believe Flame’s unprecedented complexity indicates it was developed by a government-sponsored entity.
“The geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it,” Kaspersky Labs said in a report.
[Figure: Flame is a highly concentrated virus focusing primarily on the Middle East. Source: Kaspersky Labs]
CrySyS alleges it is arguably the most complex malware ever found.
“sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”
It is believed the virus has been in operation for at least two years.
Orla Cox, the Security Operations Manager for Symantec Corp in Ireland, believes Flame’s data stealing practices are reminiscent of ‘old school’ cyberespionage.
“Usually with a standard attack malware writers will try to limit the amount of data coming off the machine because otherwise it is very hard to find what you are looking for,” began Cox.
“This is like old-school espionage. Take everything you can and sift through it. This shows there is an agency at the back end that has the bandwidth to deal with this.”
Whereas most viruses target a large number of users and corporations, Flame was highly concentrated. So far, only 382 infections have been reported, of which 189 were in Iran.
It is believed to have been introduced via a USB stick or removable drive. The initial module is estimated to be 6MB in size with an additional 20 or so modules downloaded thereafter, bringing its total to 20MB. In contrast, typical malware measures a few hundred kilobytes.
[Figure: How Flame attacks. Source: Kaspersky]
The virus is believed to be “20-times more complicated” than the Stuxnet worm, a complex virus that destroyed an Iranian nuclear plant.
At present it is unknown who is responsible for the cyberweapon.
“A lot of the text strings we have been able to extract are written in very good English,” said Kaspersky’s Chief Malware Expert Vitaly Kamluk.
“But that does not tell us very much.”
Kamluk also found the choice of programming language unusual.
“Parts of it are written in LUA. This is a language usually used for gaming. I have never seen it used in any piece of malware before.”
Flame is likely to have infected more computers than have been reported, as Orla Cox suggests that infections could have been remotely wiped.
“It is possible that the command and control server could erase the infection so a user may not know they have ever been targeted.”