Kaspersky Lab and ITU research reveal advanced new cyber threat
By Hanleigh Daniels 29 May 2012 | Categories: news
After recently releasing its latest monthly report on spammer activity, Kaspersky Lab now focuses its attention on viruses and malware. The Russian web security firm announced the discovery of a highly sophisticated malicious program that is actively being used as a cyber weapon, attacking entities in several countries.
According to Kaspersky Lab, this newly discovered malicious program exceeds all other cyber menaces known to date, in terms of its complexity as well as its functionality. The company discovered this malware during an investigation prompted by the International Telecommunication Union (ITU), with the malicious program being detected as Worm.Win32.Flame.
Dubbed Flame, the program has been designed to carry out cyber espionage by stealing valuable information that includes PC display contents, data on targeted systems, stored files, contact data and even audio conversations.
Researching one piece of malware leads to the discovery of another
The independent research was initiated by ITU and Kaspersky Lab after a series of incidents with another, still unknown destructive malware program codenamed Wiper, which deleted data on a number of PCs in the Western Asia region. This particular malware is yet to be discovered, but during the analysis of these incidents, the company, working in coordination with ITU, came across a new type of malware, now identified as Flame.
Preliminary findings indicate that this malware has been ‘in the wild’ since March 2010, but due to its extreme complexity and the targeted nature of the attacks, no security software managed to detect it.
Same category super-malware as Duqu and Stuxnet
Kaspersky Lab noted that even though the features of Flame differ from those of previous notable cyber weapons such as Duqu and Stuxnet, the geography of attacks, the use of specific software vulnerabilities, and the fact that only selected PCs are being targeted all indicate that Flame belongs to the same category of super-cyber weapons.
Flame’s primary purpose appears to be stealing information from infected machines. This information is then sent to a network of command-and-control servers located in many different parts of the world.
The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered, according to Kaspersky Lab.
Commenting on the discovery of Flame, Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, said: “The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide.”
“The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case,” Kaspersky concluded.
The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet.
Alexander Gostev, chief security expert at Kaspersky Lab, added: “The preliminary findings of the research, conducted upon an urgent request from ITU, confirm the highly targeted nature of this malicious program.”
Gostev stated that one of the most alarming facts about the Flame cyber-attack campaign is that it is currently in its active phase. This means that the malware’s operators are consistently surveilling infected systems, collecting data and targeting new systems to accomplish their unknown goals.
Kaspersky Lab analysing Flame
Kaspersky Lab’s experts are currently conducting deeper analysis of Flame. What is known is that it consists of multiple modules and is made up of several megabytes of executable code in total. This makes it approximately 20 times bigger than Stuxnet, meaning that analysing this cyber weapon requires a large team of top-tier security experts and reverse engineers with vast experience in the cyber defence field.
ITU will use the ITU-IMPACT network, consisting of 142 countries and several industry players including Kaspersky Lab, to alert governments and the technical community about this cyber threat, and to help expedite the technical analysis.
Additional information can be found in the Flame FAQ at: Securelist.com.