Published May 29, 2012
The most sophisticated and powerful cyberweapon to date -- a Swiss Army Knife spy tool that can evolve and change to deal with any situation -- has been discovered on the loose in several Middle Eastern countries, security researchers said Tuesday.
The Worm.Win32.Flame threat, or “Flame” for short, was likely built by the same nation-state responsible for the Stuxnet virus that targeted Iran’s nuclear power plant in 2010. But this new weapon is twenty times the size of that cyberbomb and far more powerful, making it practically an army on its own, said Roel Schouwenberg, a senior security researcher with Kaspersky Labs.
“Flame is a cyberespionage operation,” he told FoxNews.com.
Its prime goal: capturing data from a machine. To accomplish that task, this unusually large and complex espionage tool is made up of several modules designed to accomplish specific tasks, explained Liam O Murchu, operations manager with Symantec Security Response.
“It can record your keystrokes, it can record from the microphone on your computer, it can take screen shots, and it sends this info to a remote computer for someone to siphon off,” he told FoxNews.com.
Flame can grow and change, too: What makes this cyberweapon so powerful is the ability to be reconfigured with new modules that turn an infected PC or industrial control system into whatever tool a spy dreams up.
One module makes it a secret tape recorder, using the computer’s microphone to record nearby conversations. One makes it a radio, using a wireless Bluetooth connection to receive fresh commands and suck the address books out of nearby cell phones. One may turn it into a shredder, chewing through hard drives -- as the Wiper virus did to Iran’s computers.
“When a machine gets hit with Wiper, there’s nothing you can do, no forensics,” Schouwenberg said. “It’s a very interesting coincidence that we stumble on this now.”
Indeed, certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry, Symantec’s experts noted.
There are potentially hundreds of these modules, more yet to be uncovered, making Flame as versatile as a Swiss Army Knife.
And while there are no similarities in terms of code between Stuxnet, its successor Duqu, and Flame, experts say the authors of Flame and Stuxnet had access to common resources.
“Our current working theory is that Flame and Stuxnet were parallel projects,” Schouwenberg told FoxNews.com. “Whoever commissioned Stuxnet also commissioned Flame.”
That cyberattack was very specific, however, while the Flame attack is broad, having been detected in more than half a dozen countries already: Hungary, Iran, Lebanon, Austria, Russia, Hong Kong, and the United Arab Emirates, as well as the Palestinian West Bank.
It also appears to target individuals rather than the company they are employed by, Symantec said. Many of the compromised computers appear to be personal systems being used from home Internet connections, according to the security agency.
“If they get on to a home computer they could pretty much ‘Hoover up’ anything that’s on it. It’s strange to see that,” O Murchu said.
Researchers said it will take months if not years to fully dissect the massive program, which uses a database to store information rather than a simple text file -- one more clue to the scope of the cyberspying.
While programs like Stuxnet and Flame seem to be the backbone of a cybersnooping agency, both Schouwenberg and O Murchu cautioned that these tools aren’t necessarily a declaration of war.
“It does appear that this threat was being used in a covert way, most likely written by a government or government agency, and operating in specific countries in a covert way,” O Murchu told FoxNews.com.
But covert actions aren’t necessarily acts of war, Schouwenberg said.
“It’s very clear that there’s a lot of development in this area, every government is allocating more resources to cyberoffense. But can we call it a war? I’m not sure.”
Detecting these and other incidents becomes harder as the coders become more clever. Schouwenberg said that one Flame module is an incredibly savvy uninstaller, which lets the cyberweapon carefully extract itself from a computer before buffing the insides to clean out all traces of itself.
“You have no idea that that machine was previously infected with Flame. Which is kind of scary, when you think about it,” he told FoxNews.com.