Flame, a stealthy and complex cyberweapon, was found to be spying on Iran’s government officials and computer systems.
NEW YORK (CNNMoney) — The “Flame” virus, the most complex computer bug ever discovered, has been lurking for years inside Iranian government computers, spying on the country’s officials.
Publicly unveiled this week, the bug is one of the most potent cyber weapons ever spotted in the wild. Security professionals say it marks a new milestone in the escalating digital espionage battle.
Flame’s complexity and power “exceed[s] those of all other cyber menaces known to date,” research firm Kaspersky Lab wrote in a dispatch about its investigation into Flame.
In a statement posted on its website on Monday, the Iranian National Computer Emergency Response Team (CERT) said it discovered Flame after “multiple investigations” over the past few months.
The stealthy malware has been in the wild for at least two years, the CERT team said, evading detection by security software.
It’s a spy bug that’s capable of, among other things, capturing what’s on a user’s screen, turning on a computer’s microphone to record conversations, detecting who and what is on a network, collecting lists of vulnerable passwords, and transferring a user’s computer files to another server.
The attack worked. Flame was likely responsible for recent incidents of “mass data loss” in the government, Iran’s CERT team said in its terse announcement.
Patrik Runald, director of research at Websense Security Labs, said Flame is “potentially the most advanced malware to date, at least in terms of functionality combined with ability to stay hidden over a long period of time.”
Flame is an unusually giant piece of malware: At 20 megabytes, it’s about 20 to 30 times larger than typical computer bugs.
Yet it remained undetected in Iran’s government computer systems dating back to at least 2010, and it was not discovered by any of the 43 antivirus programs the CERT team tested on it.
Now that Flame has been exposed, Iran is taking defensive measures. Iran’s CERT said it developed a Flame detector over the past few weeks and it is spreading around a removal tool to rid the government’s systems of the virus.
Computer viruses don’t stay where you put them, and Iran probably isn’t the only victim.
A Hungarian research lab that has been doing its own analysis said it has found traces of the bug in Europe and the United Arab Emirates. The lab, which began studying the virus this month, estimates that it may have been active “for as long as five to eight years.”
So if Flame was spying, who was it spying for?
The Iranian CERT team said it believes there is a “close relation” between Flame two previous cyber attacks on Iran, known as the Stuxnet and Duqu computer worms.
“Stuxnet” is a word that sends a shiver of fear through cybersecurity pros.
In an extensive feature on the virus, Vanity Fair calls it “one of the great technical blockbusters in malware history.” The bug targets “industrial control systems” — that’s jargon for critical national infrastructure — and it had the unprecedented ability to sabotage its target and then cover its tracks.
Stuxnet was used to attack Iran’s nuclear program in 2010. The virus caused centrifuges in a targeted facility to spin out of control, ultimately destroying it.
A related bug, Duqu, also targeted Iran’s nuclear program. It was discovered last year and shows evidence of having been developed by engineers with access to Stuxnet’s source code.
Who are those engineers? The widespread industry belief is that Stuxnet was created by the United States, Israel, or through the collaboration of both.
“Israel is blessed to be a nation possessing superior technology,” Moshe Yaalon, Israel’s minister of strategic affairs, said Tuesday in an interview with Israeli Army radio. “In that respect our achievements open up all sorts of opportunities for us.”
But cyber war isn’t a one-sided affair. If Flame was a targeted cyber attack carried out by United States or Israel, the same code could be reverse-engineered by Iran and sent back our way.
“It’s important to understand that such cyber weapons can easily be used against any country,” Kaspersky said about Flame. “Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
This isn’t traditional war. The Internet has leveled the playing field, allowing governments that would never launch military attacks on one another to target one another in cyberspace.
“In warfare, when a bomb goes off it detonates; in cyberwarfare, malware keeps going and gets proliferated,” said Roger Cressey, senior vice president at security consultancy Booz Allen Hamilton, at a Bloomberg cybersecurity conference held in New York last month.
“Once a piece of malware is launched in wild, what happens to that code and its capability?” he added. “Things like Stuxnet are being reverse-engineered.”
Once it’s out there, the code get also get into the hands of citizens or terrorists with a sophisticated knowledge of software coding. That’s why some cybersecurity advocates are calling on the U.S. government tobetter protect itself against an all-out “code war” that some see as inevitable.
“The terrifying thing is that governments no longer have a monopoly on this capability,” said Tom Kellerman, former commissioner of President Obama’s cyber security council, at the Bloomberg conference. “There is code out there that puts it in anyone’s hands.”