Flame, one of the most sophisticated pieces of malicious software ever seen, has been loose inside Iran and elsewhere, undetected, for at least two years. It’s yet more clear evidence that a cold war is well under way online — and defences on all sides are inadequate.
Flame’s existence was first announced by Iran’s Computer Emergency Response Team (MAHER) and confirmed by Kaspersky Lab, the major Russian information security company, which detected the malware while checking out another threat in conjunction with the UN’s International Telecommunication Union.
Flame’s job is espionage on a grand scale.
“This is basically an industrial vacuum cleaner for sensitive information,” professor Alan Woodward, from the Department of Computing at the University of Surrey, told the BBC. ”This is an extremely advanced attack. It is more like a toolkit for compiling different code-based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine.”
Espionage software is nothing new. For years, criminals have had access to malware that can take over computers, log keystrokes and mouse movements, record screenshots, turn on the camera and microphone without turning on the red lights and so on. You can buy such tools from the criminal underground for a couple hundred dollars, including technical support.
What is new about Flame is the sheer scale of the thing, its highly modular structure, its comprehensive espionage capabilities — and the fact that it remained undetected for so long.
Now that they’ve trawled back through their logs, Kaspersky Lab said its first detection of Flame was August 2010 on a computer in Lebanon. It has now found Flame on customers’ computers in Iran, Israel, Palestine, Sudan, Syria, Saudi Arabia and Egypt.
Meanwhile the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics has published an in-depth analysis on malware it dubbed sKyWIper, and which it had detected well beyond the Middle East.
“It is obvious from the list of its files that sKyWIper must be identical to [Flame],” it writes. “sKyWIper may have been active for as long as five to eight years, or even more.”
sKyWIper can also use the infected computer’s Wi-Fi and Bluetooth connections to discover and monitor other nearby devices.
“Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper,” CrySyS writes. “sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”
Without a doubt Flame/sKyWIper was developed by a nation-state with a significant budget.
Until now the benchmarks for complex malware were Stuxnet, the worm that sabotaged Iran’s uranium enrichment program in 2009 and 2010, and DuQu, the espionage malware discovered in Iran, Sudan and elsewhere last year that appeared to be built on the same framework.
No one’s owned up to building them, but my money is on the US — possibly with some Israeli help in the case of Stuxnet.
Flame is 20 times the size of Stuxnet, and yet it remained hidden. Forget trying to sneak midget submarines into Sydney Harbour. Flame is like sneaking in the Kursk.
Flame isn’t the only large-scale long-term hack to have gone undetected. Last year McAfee Labs published its report on what it dubbed Operation Shady RAT, in which dozens of organisations had been systematically infiltrated often for years, without knowing it.
While there’s always the risk of exaggeration as infosec companies talk up the threat, it’s clear that more than a few countries are putting plenty of money into the development of these online tools.
As F-Secure chief reseach officer Mikko Hypponen told the AusCERT information security conference earlier this month, you only need to search the job adverts. US defence contractors have hundreds of positions available right now for software developers with a top-secret clearance and experience in developing exploits — that is, ways of breaking into computer systems.
The cold war has begun.
*Disclosure: Stilgherrian travelled to Kaspersky Lab’s September 2011 media and partner briefing in Kuala Lumpur as their guest, and to McAfee’s October 2011 conference in Las Vegas as theirs