Following a report by Russian experts, Iran confirmed on May 28 that a new cyber virus codenamed “Flame” had penetrated Iran’s computer systems. According to the first report issued by Russia’s Kaspersky Lab, the new virus is unlike earlier worms because it was designed to steal information rather than to destroy systems.
The report concluded, “The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” including Stuxnet, which damaged the centrifuges involved in Iran’s controversial nuclear program. Flame was unleashed at least two years ago, the Russian report claimed. The website also reported:
The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet.
“One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab on the Kaspersky Lab website.
The Russian report claimed that Iran was the hardest-hit country, but that Flame had also infected systems in Israel/Palestine as well as Syria, Saudi Arabia, Sudan, Lebanon and Egypt. The full report can be found at: http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat
Iran’s Computer Emergency Response Team Coordination Center confirmed the attack on its website, but provided limited details. It said Flame appeared to have a “close relation” to the earlier Stuxnet and Duqu system attacks on Iranian computers. “The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat,” it said.
The Iranian website reported that Flame was able to perform the following operations:
· Distribution via removable media
· Distribution through local networks
· Network sniffing, detecting network resources and collecting lists of vulnerable passwords
· Scanning the disk of the infected system for specific extensions and contents
· Creating a series of captures of the user’s screen when certain processes or windows are active
· Using the infected system’s attached microphone to record environmental sounds
· Transferring saved data to control servers
· Using more than 10 domains as C&C servers
· Establishing secure connections with C&C servers through the SSH and HTTPS protocols
· Bypassing tens of known antivirus, anti-malware and other security products
· Capable of infecting Windows XP, Vista and 7 operating systems
· Infecting large scale local networks
On May 29, the Iranian CERT website announced the release of a tool to both detect and remove the Flame virus. The full Iranian report is available at: http://www.certcc.ir/index.php?newlang=eng