Archive for May, 2012

Iran targeted by ‘Flame’ espionage virus

Source: The Telegraph

Iranian computer networks have been targeted by a cyber espionage virus many times more complicated than any malicious software ever seen before, security experts have said.

The virus, named Flame or Skywiper, could only have been created by a state, according to analysts who have investigated it and the pattern of infection.

“The results of our technical analysis support the hypotheses that Skywiper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” said Crysys Lab, a unit that investigates computer viruses at Budapest University.

The discovery of Flame/Skywiper, which may have been in circulation for more than five years, offers further confirmation of the secret battle being waged by intelligence agencies online.

Although its purpose is to steal information rather than cause physical damage, Flame/Skywiper is said to be a much more complicated piece of malicious software than Stuxnet, the groundbreaking virus designed to cripple Iranian uranium enrichment.

“Information gathering from a large network of infected computers was never crafted as carefully,” Crysys Lab said.

“It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes.”

In their preliminary technical report, the investigators describe unprecedented layers of software, designed to allow Flame/Skywiper to penetrate computer networks undetected. The 20MB file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.

Various components of Flame/Skywiper enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus, to turn microphones into listening devices, siphon off documents and log keystrokes.

Eugene Kaspersky, the founder of the Russian anti-virus firm Kaspersky Lab, which has also analysed the virus, noted that “it took us 6 months to analyze Stuxnet. [This] is 20 times more complicated”.

Iran’s Computer Emergency Response Team, Maher, today issued a statement claiming Flame/Skywiper was “a close relation” of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus believed to be the work of state intelligence. Many experts suspect Stuxnet was created by the United States and Israel.

Crysys Lab said the technical evidence for a link between Flame/Skywiper and Stuxnet or Duqu was inconclusive, however. While they shared many common components, the newly-discovered virus bears little resemblance; for instance Flame/Skywiper does not spread itself automatically but only when hidden controllers allow it.

In its statement, published online, Maher said selected organisations had been given software to detect and remove the newly-discovered virus at the beginning of May.

As well as Iran, Flame/Skywiper infections have been detected in the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.