Meet ‘Flame,’ the massive spy malware infiltrating Iranian computers

May 31, 2012

Map showing the number and geographical location of Flame infections detected by Kaspersky Lab on customer machines (credit: Kaspersky)

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation, Wired Threat Level reports.

Dubbed “Flame,” the malware is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, and other countries in the Middle East and North Africa for at least two years.

Early analysis of Flame by Kaspersky Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”

Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.

Like Stuxnet, Flame has the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also uses the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. This suggests that the authors of Flame may have had access to the same menu of exploits that the creators of Stuxnet used.

Unlike Stuxnet, however, Flame does not replicate automatically. This is likely intended to control the spread of the malware and lessen the likelihood that it will be detected.

Kaspersky estimates that Flame has infected about 1,000 machines.

Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran and Lebanon. They have received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.

Iran’s Computer Emergency Response Team announced on Monday that it had developed a detector to uncover what it calls the “Flamer” malware on infected machines and delivered it to select organizations at the beginning of May. It has also developed a removal tool for the malware.