In association with heise online

29 May 2012, 16:09

Security researchers ensnare Flame super worm


Security researchers have discovered "the most sophisticated cyber weapon" ever seen in the Middle East. The malicious program, called "Flame", has a modular structure and specialises in collecting information. Its functionality includes the ability to record audio, monitor keystrokes, listen in on network traffic and take screenshots of a victim's system. It appears to have been deployed for several years and has been used for targeted attacks in countries such as Iran, Israel, Sudan, Syria and Lebanon, while remaining undetected by anti-virus software.

Security specialists at Kaspersky and Symantec have discovered up to 20 plugin modules, of which only a handful have so far been investigated in detail. Flame contains a virtual machine for the Lua scripting language, making it very easy to put together flexible extensions. The super-spy, which is also known as Flamer or SkyWiper, is also a conventional bot, which regularly contacts a command-and-control server, from which it obtains new instructions and to which it delivers the information that it has collected using an SSL-encrypted connection.

Figure: Many roads lead to Flame - the super-bot uses many different methods to spread
Source: Kaspersky Labs

The bot has various means of spreading, including via USB flash drives and local networks. On a local area network, Flame is able to use the domain controller to create user accounts on other computers, which it then uses to infect them. It is not yet clear whether it spreads via unpatched Windows vulnerabilities – Kaspersky is reporting cases in which Flame has managed to infect fully-patched Windows 7 systems over a network.

In view of the sheer breadth of its functionality, the security experts at Kaspersky believe that Flame is professional espionage software developed by a nation state. The malware weighs in at an impressive 20MB. This is about 20 times the size of Stuxnet, though the latter was developed specifically for a single objective – to sabotage the uranium enrichment facility in Natanz.

However, the target of the super-spyware remains uncertain. It has probably been deployed several times in a range of scenarios to penetrate specific targets. The virus researchers have observed Flame on systems belonging to government organisations, educational institutions and private individuals. The researchers estimate that thousands of computers are infected.

According to a report (PDF) from the Hungarian CrySyS Lab, it was first spotted in Europe in 2007. Flame may have been in action for as long as eight years – without being detected by standard anti-virus software. It appears to have achieved this by confining itself to very specific targets. In general, the botnet herders have restricted themselves to infecting just a few dozen systems at any one time. After carrying out initial analysis, the bot herders appear to have removed the spyware from systems on which they were unable to find any interesting information.

