Yup, Stuxnet's famous follow-on, the Flame worm is making its way through computers in the Middle East, showing that it can take snapshots of an infected computer's display screen, record audio conversations using the computer's microphones as well as steal normal computer files.
However, it can also be remotely re-programmed to switch from intel-gathering to offensive mode, turning itself into a cyber weapon capable of disrupting its targets functions, much like the Stuxnet virus did to Iran's Uranium enrichment centrifuges.
All of these advanced features in one worm led Internet security firm Kaspersky to call the arrival of Flame, "another phase in this [cyber ]war, and it's important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case."
Or as former DT cyber writer Kevin Coleman quoted another analyst as saying, "Flame redefines cyber espionage, it makes all the other software in that category look like cheap toys!"
Below, you'll find Iran's cyber emergency response team's statement on Flame. Keep in mind that Tehran's nuke program is the likely target of the worm that some experts say may take years to fully dissect.
Having conducted multiple investigations during the last few months, the Maher center, the Iranian CERTCC, following the continuous research on the targeted attacks of Stuxnet and Duqu since 2010, announces the latest detection of this attack for the very first time.
The attack, codenamed "Flame" is launched by a new malware. The name “Flame” comes from one of the attack modules, located at various places in the decrypted malware code. In fact this malware is a platform which is capable of receiving and installing various modules for different goals. At the time of writing, none of the 43 tested antiviruses could detect any of the malicious components. Nevertheless, a detector was created by Maher center and delivered to selected organizations and companies in first days of May. And now a removal tool is ready to be delivered.
Some features of the malware are as follows:
· Distribution via removable medias
· Distribution through local networks
· Network sniffing, detecting network resources and collecting lists of vulnerable passwords
· Scanning the disk of infected system looking for specific extensions and contents
· Creating series of user’s screen captures when some specific processes or windows are active
· Using the infected system’s attached microphone to record the environment sounds
· Transferring saved data to control servers
· Using more than 10 domains as C&C servers
· Establishment of secure connection with C&C servers through SSH and HTTPS protocols
· Bypassing tens of known antiviruses, anti malware and other security software
· Capable of infecting Windows Xp, Vista and 7 operating systems
· Infecting large scale local networks
According to file naming conventions, propagation methods, complexity level, precise targeting and superb functionality, it seems that there is a close relation to the Stuxnet and Duqu targeted attacks.
The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat.
