It is perhaps the most sophisticated piece of malicious software ever designed – a digital surveillance device so complex it ran on sensitive government computer networks for years, undetected.
And now, a tool that was almost certainly developed for state-sanctioned cyberwarfare is out in the open, soon to make its way into the hands of everyone from computer virus researchers to criminal gangs.
This week, researchers at anti-virus firm Kaspersky Lab announced the discovery of a new piece of malware, dubbed Flame. Like other high-profile malicious programs, such as Stuxnet, Flame has infected computers across the Middle East – predominantly in Iran. But unlike Stuxnet, Flame wasn’t design to damage computers. Instead, the software simply listened, giving those behind Flame the ability to record keystrokes, operate a computer’s built-in camera or even infect other devices via Bluetooth.
More significantly, Flame was designed to be modular. Its creators could stealthily add new functionality over time. The software, it seems, was designed to snoop on infected machines for years on end.
“It’s a blend of artificial intelligence with the capacity to be updated and become more sophisticated on the fly,” said Tom Kellermann, a security expert with Trend Micro and a member of U.S. President Barack Obama’s commission on cybersecurity.
On Tuesday, Tehran acknowledged it had been hit by the malware. In a Web post, Iran’s Computer Emergency Response Team Co-ordination Centre said Iranian engineers have now built a removal tool to wipe the malicious software from infected computers.
“At the time of writing, none of the 43 tested antiviruses could detect any of the malicious components [of Flame]” the CERTCC said.
Given the complexity of the software, it likely took Flame’s authors millions of dollars and years of development to build. But now, Mr. Kellermann cautioned, what was a highly secret piece of software is going to find its way to the Web’s black market.
“The second it’s discovered, you’ll start to see immediate replication of this attack code in the underground,” he said. “If it was a nation state [that built Flame] now Joe the hacker and his friends can replicate this themselves.”
Flame’s discovery raises the stakes in an already rampant cyberwar being fought throughout the Middle East. In fact, the Kaspersky researchers who discovered the software were initially looking for an entirely different piece of malware that was deleting sensitive information on computers in the region.
Stuxnet, the software that previously crippled many computers within Iran’s nuclear facilities, is believed by some to be the work of U.S. or Israeli agencies, although the origin has never been definitively confirmed. Now, the virus research community is engaged in a similar whodunnit.
“You can immediately eliminate certain parties,” said Vikram Thakur, principal security response manager at computer security software producer Symantec. “Who would want to run a long-standing campaign against individuals in the Middle East? Who would have the funding to sustain this for years? You can pretty much eliminate the basement hacker from being the potential author.”
Mr. Thakur said Flame has been running on infected computers for at least two years, and likely much longer than that.
In addition to Iran, infected machines were found in Israel, Syria, United Arab Emirates and Lebanon. However, it’s unclear whether all these countries were targeted, or if the software simply propagated outside its intended target zone unpredictably.
Regardless, Mr. Kellermann of Trend Micro said that even though such sophisticated attacks can start as actions between states, the same technology inevitably finds its way to myriad others.
“There’s been an awakening in Washington about this since last fall, due to many systemic attacks we've seen, not all of them reported in the media,” he said. “[The government]believed more technology could solve a technological problem and assumed that not any person could leverage this type of capability. But you don't need to know how to build a gun in order to pull the trigger in cyberspace.”
WHAT IS FLAME?
As far as malicious software goes, Flame is less of a virus and more of an attack toolkit. The software is made of modules, each providing a certain capability, such as giving the software’s authors the ability to take screenshots or download data from an infected machine. The code was written to allow Flame’s authors to add new modules at later dates.
What makes it effective?
Besides its modularity, Flame is also geographically aware, able to execute certain commands depending on where in the world the infected machine is located. As far as malicious software goes, Flame is also extremely large – an order of magnitude larger than malware such as Stuxnet. That means researchers will need much more time to pore over the many lines of code that make up the program. Because it is designed to snoop rather than wreak havoc, Flame became much more difficult to detect.
Who’s behind it?
Researchers agree it is highly unlikely that an individual programmer built such a complex piece of malware. Instead, the software may well have been developed by a state agency, or by an organized group at the behest of such an agency. Vikram Thakur, principal security response manager at Symantec, said his team has found about 20 instances of words or phrases within Flame’s source code that would likely only be used by a native English speaker. But because the software is so geographically amorphous, its true authors may never be known with total certainty.
How much damage did it do?
Flame has been infecting computers for years, according to the researchers who have discovered it. During that time, the software collected all kinds of data. Among its features are the abilities to take screenshots, record video through the infected computer’s camera, download data from a hard drive, and even turn on Bluetooth functions and look for nearby electronics.