The map above lists the top 7 countries by number of infections detected for the new “Flame” malware. Researchers say this new advanced backdoor Trojan, “Flame”, is “20 times more complicated” than the Stuxnet worm that shut down Iran’s nuclear weapons facilities. This new advanced virus has been described as a “vacuum cleaner for sensitive information”; it targets individuals’ computers, sends pictures, video and audio, and can auto-upgrade.
“The geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”
Kaspersky Labs explains what they found HERE:
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.
Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence – e-mails, documents, messages, discussions inside sensitive locations, pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry – making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.
This is how it spreads:
“It took us half-a-year to analyze Stuxnet. This is 20-times more complicated. It will take us 10 years to fully understand everything.”
~Alexander Gostev – Analyst at Kaspersky Labs
Wired adds some context HERE:
Kaspersky discovered the malware about two weeks ago after the United Nations’ International Telecommunications Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems. The malware was named alternatively in news articles as “Wiper” and “Viper,” a discrepancy that may be due to a translation mixup.
Kaspersky researchers searched through their reporting archive, which contains suspicious filenames sent automatically from customer machines so the names can be checked against whitelists of known malware, and found an MD5 hash and filename that appeared to have been deployed only on machines in Iran and other Middle East countries. As the researchers dug further, they found other components infecting machines in the region, which they pieced together as parts of Flame.
Kaspersky, however, is currently treating Flame as if it is not connected to Wiper/Viper, and believes it is a separate infection entirely. The researchers dubbed the toolkit “Flame” after the name of a module inside it.
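The pivot Wired describes above, finding a hash and filename that appear only on machines in one region, as an added example that is not Kaspersky's or Wired's code; the archive records, hash labels, filenames and the region set are constructed placeholders, not real indicators.

```python
from collections import Counter, defaultdict

# Constructed sample of a vendor's reporting archive: one record per
# suspicious-file submission, as (md5, filename, country_code). The hash
# labels and filenames are placeholders made up for this example.
SAMPLE_ARCHIVE = [
    ("md5-A", "updater.ocx", "IR"),
    ("md5-A", "updater.ocx", "IR"),
    ("md5-A", "updater.ocx", "LB"),
    ("md5-A", "updater.ocx", "SD"),
    ("md5-B", "helper.dll", "IR"),
    ("md5-B", "helper.dll", "US"),
    ("md5-B", "helper.dll", "DE"),
    ("md5-C", "stage2.tmp", "IR"),
]

# Countries the analyst treats as "the region"; an assumed set for the example.
MIDDLE_EAST = {"IR", "LB", "SD", "SY", "SA"}


def sightings_by_hash(archive):
    """Map each md5 to a Counter of the countries it was reported from."""
    seen = defaultdict(Counter)
    for md5, _filename, country in archive:
        seen[md5][country] += 1
    return seen


def region_confined(archive, region, min_sightings=2):
    """Return hashes seen at least min_sightings times and only inside region.

    A file reported repeatedly but never outside one geography deserves a
    second look; a file seen worldwide is more likely commodity malware or a
    benign false positive. Singletons are dropped to cut noise.
    """
    confined = {}
    for md5, countries in sightings_by_hash(archive).items():
        total = sum(countries.values())
        if total >= min_sightings and set(countries) <= region:
            confined[md5] = dict(countries)
    return confined


def top_countries(archive, md5, n=7):
    """Top-n countries by report count for one hash (the 'map' view)."""
    return sightings_by_hash(archive)[md5].most_common(n)


if __name__ == "__main__":
    for md5, where in region_confined(SAMPLE_ARCHIVE, MIDDLE_EAST).items():
        print(md5, where)
```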