A new breed of malware, described as “one of the most complex threats ever”, has been detected by researchers at Kaspersky Lab, in coordination with the International Telecommunication Union.
The malware, named Flame, is a large, sophisticated attack toolkit made up of multiple modules, with backdoor, Trojan and worm-like features, seemingly designed for general cyber-espionage.
Flame’s sophistication, targets and activity have led researchers to conclude that its development was state-sponsored; however, the identity of its developers and of the states involved is at present unknown.
Once on a target’s computer, Flame begins monitoring network traffic, taking screenshots, logging keystrokes and recording audio. This information is then compressed and covertly sent to the operator on a regular schedule. Flame can also identify when “interesting” applications, such as instant messaging programmes, are in use and adapt its activity to capture information.
Flame’s functionality can later be augmented by the operator, through the upload of modules, of which there are currently estimated to be about 20. Their exact purpose is still being investigated but they are presumed to add functionality, akin to the installation of apps on a smartphone.
Analysis of the infected computers suggests that Flame is not targeting specific organisations or industries. The victims have been found to include individuals, state-related organisations and educational institutions.
The countries with the most computers infected by Flame are, in descending order of infections, Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
It is estimated that there are likely thousands of as yet undetected victims worldwide.
Flame is thought to have been active since early 2010, but its origins and designers are at present unknown.
Alexander Gostev, Chief Security Expert at Kaspersky Lab, states that “the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”
Flame can infect computers through the internet and email attachments; it can replicate itself through local area networks and can infect USB sticks. “At the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day” says Gostev.
Flame is said to have remained undetected for so long because of its unusually large size, which is atypical of malware. Whilst most malware tends to be small, so that it is easier to spread and hide, Flame is almost 20 MB when fully deployed. By comparison Stuxnet, the cyber weapon that disrupted Iran’s nuclear enrichment programme and was discovered in June 2010, was only about 500 KB.
“Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyber espionage” says Gostev.
Research into the origin and techniques used by Flame is ongoing, but due to its size and sophistication this is expected to be a lengthy process. “It took us several months to analyze the 500K code of Stuxnet. It will probably take a year to fully understand the 20MB of code of Flame”.