Another powerful virus has been discovered infecting computer systems in the Middle East. Unlike the previous high-profile infection, Stuxnet, this one seems to have been aimed primarily at espionage and data collection, not overt sabotage.
According to antivirus company Kaspersky Labs, which discovered this espionage toolkit, Flame has been infiltrating systems since February 2010. The primary target of the virus seems to have been Iran, particularly its Oil Ministry. The virus had a ‘high interest in AutoCAD drawings, PDF and text files’ according to Kaspersky researchers, but was also capable of sniffing network traffic, taking screenshots, recording audio conversations and intercepting keyboard input.
How Flame was initially deployed is still unknown, but it seems to have used the same 0-day exploit to propagate through USB drives as an early build of Stuxnet. The program also propagates through the LAN, but, like Stuxnet, one of the initial points of infection would have been a carelessly inserted, infected USB drive. The shared code between these programs confirms that the groups behind each program worked together.
Once a computer has been infected, Flame’s operators can further customize their spying by uploading modules. There are about 20 modules for Flame, each of which is still being studied and whose purpose has yet to be identified. The most interesting thing about Flame is how varied the information it captures is. It is capable of recording audio from a system’s microphone and of taking screenshots at regular intervals, and more frequently when ‘interesting’ programs, e.g. an Internet messenger, are run on the system. It also records information about discoverable Bluetooth devices near the infected machine, if Bluetooth is available, and can even make the infected machine discoverable, turning it into a Bluetooth beacon. Another of its features is the ability to scan the host machine for installed antivirus programs and tailor its own file extensions to avoid discovery. It also uses a forged Microsoft certificate so that some components appear to come from Microsoft, and hides its creation date by setting module creation dates to dates from 1994. Lastly, the controllers can upload a module which, upon receiving a suicide command from the operators, will locate every Flame file on the PC, remove it and overwrite memory locations with gibberish to prevent forensic examination, leaving no traces of itself behind.
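The backdated 1994 module dates mentioned above are a timestamp-manipulation trick that a defender can look for. The following script is an added example, not code from the article or from any Flame analysis: it reads the link time from a PE file’s COFF header and compares it against the filesystem creation and modification times, flagging anything earlier than a plausibility floor or any file that appears to have reached the disk before it was linked. The floor year (2000), the one-day slack and the sample headers are assumptions constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption for this example: no legitimate binary on the monitored hosts predates 2000,
# so any earlier timestamp (such as the 1994 dates described above) is worth a closer look.
PLAUSIBILITY_FLOOR = datetime(2000, 1, 1, tzinfo=timezone.utc)


def pe_link_timestamp(data: bytes):
    """Return the COFF header TimeDateStamp (link time) of a PE image as a UTC datetime.

    Returns None when the bytes are not a PE image. Only the e_lfanew pointer at 0x3C
    and the 'PE\\0\\0' signature are validated; this is a triage parser, not a full loader.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_findings(data: bytes, fs_created: datetime, fs_modified: datetime,
                       floor: datetime = PLAUSIBILITY_FLOOR,
                       slack: timedelta = timedelta(days=1)):
    """Compare link time with filesystem times and return a list of anomaly labels."""
    findings = []
    link = pe_link_timestamp(data)
    if link is None:
        return ["not a PE image"]
    if link < floor:
        findings.append("link time before plausibility floor")
    if fs_created < floor:
        findings.append("creation time before plausibility floor")
    # A file normally lands on disk after it was linked; the reverse suggests a rewritten creation time.
    if fs_created + slack < link:
        findings.append("on disk before it was linked")
    if fs_modified + slack < link:
        findings.append("last modified before it was linked")
    return findings


def build_pe_stub(link_time: datetime) -> bytes:
    """Constructed test data: the smallest DOS+PE header this parser needs, with a chosen link time."""
    dos = bytearray(b"MZ" + b"\0" * 62)            # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, len(dos))     # e_lfanew -> PE signature right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(link_time.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed samples, not real Flame artefacts.
BENIGN = dict(data=build_pe_stub(utc(2011, 3, 1)),
              fs_created=utc(2011, 3, 5), fs_modified=utc(2011, 3, 5))
BACKDATED = dict(data=build_pe_stub(utc(1994, 6, 15)),
                 fs_created=utc(1994, 6, 15), fs_modified=utc(2012, 5, 20))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("backdated", BACKDATED)):
        print(label, timestamp_findings(**sample) or "no anomalies")
```

On a real host the filesystem times would come from `os.stat` (creation time is `st_birthtime` or, on Windows, `st_ctime`) and the bytes from the file itself; the heuristic is deliberately simple, since a clever author can set all four timestamps consistently, so it is a triage signal to pair with signature checks, not proof on its own.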
Unlike Stuxnet, this toolkit will not spread further or infect a wide range of public computers. After the media publicity about the program, a suicide command was issued by its controllers. This command not only protects the identity of the program’s creators but also removes the program entirely from all infected systems, making it hard for any interested party to study and/or reverse engineer this incredibly sophisticated attack software.
News about this software comes at an inopportune time. American President Barack Obama recently admitted to authorizing the continuation of Stuxnet’s attacks against the Iranian nuclear enrichment systems. That admission coming so soon, together with Flame sharing code with Stuxnet, has left many speculating about the parties behind Flame. As yet, no power has admitted any responsibility, but it seems the first clashes in a virtual war have been discovered. Any response or further action has yet to come to light; we can only hope that these sophisticated attack programs stay with their targets and do not spread worldwide.