The supervirus, known variously as The Flame or Skywiper to those who have been tracking it, is described as “complex” and “incredibly sophisticated.” It was apparently programmed to identify software that could make its existence easier to track and, rather than infecting those tools, to avoid them and move on to different programs, thereby evading detection.
Once inside a host system, the malware can operate as a trojan, wiping out the computer’s data and software, or sit idly by as a backdoor, allowing intruders to monitor everything that happens.
“Flame can easily be described as one of the most complex threats ever discovered,” said Kaspersky Lab’s Alexander Gostev in a blog post. “It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.”
The existence of this cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to the cyber intelligence company for help. At the time, the UN said it was looking for “an unknown piece of malware which was deleting sensitive information across the Middle East.” While searching for that code – nicknamed Wiper – Kaspersky Lab discovered a new malware codenamed Worm.Win32.Flame.
“Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on,” said Gostev. “All this data is available to the operators through the link to Flame’s command-and-control servers.
“Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.”
The malware has a variety of features that make it highly unusual and difficult to remove. For example, the fully deployed malware is huge, up to 20 megabytes, and it uses local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, Windows Management Instrumentation scripting, batch scripting and more. Running and debugging the malware is also not trivial, as it is not a conventional executable application but several DLL files that are loaded on system boot.
“Overall,” said Gostev, “we can say Flame is one of the most complex threats ever discovered.”
Malware watchdog site Sophos reports that at least seven countries have infected systems, mostly in the Middle East.
VentureBeat today reported that Kaspersky Lab found the worm while digging around for more information about the Wiper virus, another piece of malware aimed at the Middle East. Wiper, also known as Viper, would infect a system and delete any number of files from it, wiping out anything in its path. At the time, Wiper infected Iran’s Oil Ministry and deleted whole hard drives within the ministry, causing it to shut down Internet access to all of its oil facilities and rigs.