Wednesday, May 30, 2012

Beyond Stuxnet: massively complex Flame malware ups ante for cyberwar

Flame is something new in cyberwar, experts say. It can take screenshots and record audio on infected computers. The malware was almost certainly made by a nation-state.

By Mark Clayton, Staff writer / May 29, 2012

A cyber warfare expert holds a notebook computer while posing for a portrait in Charlotte in this December 2011 file photo. A United Nations agency charged with helping member nations secure their national infrastructures plans to issue a sharp warning about the risk of the Flame virus that was recently discovered in Iran and other parts of the Middle East.

John Adkisson/Reuters/Files


Stuxnet move over. Cybersecurity researchers on Monday announced the discovery of Flame, a piece of malicious software that one firm has called "arguably ... the most complex malware ever found."


At this early stage of analysis, only a few of Flame's functions are understood, reports Kaspersky Lab, the Boston-based cybersecurity company that uncovered it. Because of Flame's size and complexity, it could take years to unpack completely what the program can, and has, done, experts add.

From what is known now, however, Flame can spread via a USB drive, a Bluetooth device, or other machines on a network. In affected machines, it can wait for certain software programs of interest to run, then take screenshots, turn on the internal microphone to record conversations, and intercept e-mail, chats, or other network traffic. It can package these data, encrypt them, and send them off to designated command-and-control computers worldwide.

"It pretty much redefines the notion of cyberwar and cyberespionage," writes Alexander Gostev, head of Kaspersky's Global Research and Analysis Team, in his blog.

Kaspersky found that Flame has been snaking through computer networks, predominantly in the Middle East, for at least the past two years, but possibly longer. The way it works and what it does suggests that Flame was made by a nation-state, experts say, and only four candidates have the technical know-how to create such software: the US, Russia, China, and Israel.

"Flame can easily be described as one of the most complex threats ever discovered," writes Mr. Gostev. "It's big and incredibly sophisticated."

In fact, at 20 megabytes, Flame is about 20 times bigger than the Stuxnet digital weapon that wreaked havoc on Iran's nuclear centrifuge fuel-enrichment program around 2009.

Like Stuxnet, Flame has been deposited (nobody knows just how) on a few thousand computers across the Mideast, meaning that it is highly targeted. Stuxnet's key flaw was that it spread far too broadly, to an estimated 100,000 machines around the world, and blew its cover as a result. Flame's creators (apparently some government with a keen interest in Iran, the Palestinian West Bank, Hungary, and Lebanon) may have tried to learn from that misstep.

While Flame's internal structure allows it to spread via a USB drive, Bluetooth device, or network, it is programmed to prevent spreading indiscriminately.

"While its features are different [from Stuxnet], the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar 'super-weapons' currently deployed in the Middle East by unknown perpetrators," Gostev writes.
