New 'Flame' spyware could be next super cyberweapon –Kaspersky, ITU
A new sophisticated malicious program is now being actively used as a cyberweapon against entities in several countries, a computer security firm warned.
Kaspersky Lab said the malware, initially dubbed "Flame," has capabilities that exceed those of all other cyber menaces known to date —including the notorious Stuxnet and Duqu.
It said its experts discovered the malware during an investigation prompted by the International Telecommunication Union (ITU), the United Nations' specialized agency for information and communication technologies.
"The malicious program, detected as Worm.Win32.Flame by Kaspersky Lab’s security products, is designed to carry out cyber espionage. It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and even audio conversations," Kaspersky said.
It said it and the ITU initiated the research after a series of incidents with another destructive malware program codenamed Wiper, which deleted data on a number of computers in the Western Asia region.
While analyzing these incidents, Kaspersky Lab and ITU experts came across the new type of malware.
Targeted super cyberweapons
Targeted super cyberweapons
It said that while its initial findings show this malware has been “in the wild” for more than two years —since March 2010, to be exact— no security software detected it because of its extreme complexity and the targeted nature of the attacks.
Kaspersky said the geography of attacks, use of specific software vulnerabilities, and the fact that only selected computers are being targeted all indicate "Flame" belongs to the same category of super cyberweapons.
Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, said past malware like Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide.
But he said the "Flame" malware looks to be another phase in this war, "and it’s important to understand that such cyberweapons can easily be used against any country."
"Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case,” Kaspersky said.
Kaspersky said the primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines.
Such information is then sent to a network of command-and-control servers located in many different parts of the world.
"The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet," it said.
Alexander Gostev, Chief Security Expert at Kaspersky Lab, added the preliminary findings of the research, conducted upon an urgent request from ITU, confirm the highly targeted nature of this malicious program.
"One of the most alarming facts is that the Flame cyberattack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” he said.
20 times bigger than Stuxnet
For now, Kaspersky said what is known is that Flame consists of multiple modules and is made up of several megabytes of executable code in total —making it around 20 times larger than Stuxnet.
This means analyzing this cyberweapon requires a large team of top-tier security experts and reverse engineers with vast experience in the cyber defense field.
ITU will use the ITU-IMPACT network, consisting of 142 countries and several industry players, including Kaspersky Lab, to alert governments and the technical community about this cyber threat, and to expedite the technical analysis, Kaspersky said.
ITU warns nations of threat
A Reuters report said ITU may soon warn nations about the threat of the virus that has already hit Iran and parts of the Middle East, tech site CNET said.
"This is the most serious (cyber) warning we have ever put out," Marco Obiso, cyber security coordinator for the ITU, told Reuters. The warning will paint the virus as a "dangerous espionage tool that could potentially be used to attack critical infrastructure," CNET quoted Reuters as saying. — TJD, GMA News