Flame: 'Most complex' cyber-attack ever discovered

Summary: The world's "largest cyberattack" has been uncovered. Business and universities -- and governments -- were the main target of the attack by the data-stealing malware.

TOPICS: Security

Security researchers have discovered a new 'data-vacuuming' malware which has targeted a number of Middle Eastern countries including Israel and Iran.

Kaspersky said it believes "Flame" is larger than its infamous apparent counterparts, Stuxnet and Duqu, and has described it as the "most complex threat" ever discovered.

Kaspersky's Alexander Gostev said in an extensive question-and-answer post on the SecureList blog that Flame "redefines the notion of cyberwar and cyberespionage".

Flame is an attack toolkit, rather than a 'throwaway' single-purpose piece of malware like Stuxnet and Duqu, and it can relay back whatever the "eyes and ears" of an infected computer pick up.

Along with Iran and Israel, infected networks were found in Sudan, Syria, Lebanon, Saudi Arabia and Egypt. Other countries were also infected, but Kaspersky did not name them individually.

Reuters, however, reports that Kaspersky's Roel Schouwenberg, who discovered the malware, said Flame was "highly targeted" and directed at businesses and universities, adding: "no more than 5,000 personal computers around the world have been infected, including a handful in North America."

Iran's National Computer Emergency Response Team updated its security alert pages stating it believed Flame was the cause of a number of incidents of "mass data loss" in the country's computer networks.

Flame has the components of a Trojan, a backdoor, and a worm, and is designed to attack Windows machines. Researchers do not appear to know how Flame initially enters a network, but have identified a Windows vulnerability that the malware exploits.

Compared with Duqu's 300KB payload and Stuxnet's 500KB payload, Flame is a massive 20MB in size. Wired explains that Flame does not resemble either Stuxnet or Duqu in "framework, design or functionality," despite their surface-level similarities.

Flame sniffs network traffic, takes screenshots, records conversations through microphones plugged into or built into the PC, and logs keystrokes, among other data-collection capabilities.

The malware is unique in that it can steal so much data in so many different ways, giving its operators "eyes and ears" on anything and everyone in the vicinity of the infected machine.

Kamluk said the "size and sophistication" of Flame make it more likely to be government-backed. Considering that the malware has been designed to target Israeli networks, and that Israel is an ally of the U.K. and the U.S., the attack is unlikely to have originated in the West.

Gostev explained in a SecureList posting:

"Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists,"

"By excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."

In 2010, Stuxnet was used to attack Iranian nuclear facilities, while Duqu, found spreading exactly a year later in 2011, was used to infiltrate networks and steal corporate and government data.

Kaspersky believes that work on the Flame project began no earlier than 2010, which coincides with the discovery of the security vulnerability it exploits.

ZDNet's Charlie Osborne contributed to this report.

Image credit: Kaspersky Lab.


  • Fixed in 2010. You'd think these people would use Windows Update; they can afford not to pirate. It'd be well worth their while.
    Johnny Vegas
  • Is it me, or did the author not really state that this was patched back in 2010? Trying to make it sound like a current zero day makes me think that he is trying to create a clickbait article. This was patched 2 years ago, so it wouldn't be a current zero day.
    • Edited

      Thanks -- made an edit and took it out. My mistake.
    • However, immediately before your horror was aroused by a patched vulnerability, the dear wee author makes a note that "Researchers do not appear to know how Flame initially enters a network".

      One supposes that that entirely escaped your notice or you're suffering from a kneejerk reflex for instant defence of any/all things Microsoft.
      • Can you remind me?

        I can never remember if we are supposed to believe everything that AV companies say or if everything they say is a lie in order to increase their sales?

        In fact, wasn't Kaspersky the one that said Apple was 10 years behind MS when it came to security? Isn't it common knowledge on ZDNet forums that Kaspersky are just liars, every single one of them? Or are we choosing to believe everything Kaspersky says but just for today? Tomorrow, we'll decide again if we are to believe anything they say, depending on whether they are talking about Apple or not?
      • Although none of your talking points apply to any personal past

        comments on my part regarding Kaspersky and his AV company, to be fair however, I did go on record stating my acceptance of the Apple policy that refused a Kaspersky AV iOS app.

        However, if Russia or China decide to attack my iOS devices and steal my Valuable Golf League Data, then I will offer my sincerest apologies to Mr. Kaspersky and his company employees.

        As I stated in the past, all public based computers and networks are open prey to the type of attack described in this article.
      • Was there a point in there?

        Or is it just that you think this flame thing doesn't exist?

        Probably neither, so I suggest you tootle off and tiptoe through some tulips. Or perhaps you could take up a career as a zombie in Florida. Now there's a growth area.
      • No, this Flame thing doesn't exist

        Until we get confirmation from at least 5 major organisations that do not sell AV or security solutions, and until I personally see 100+ infected computers, then this Flame thing doesn't exist.

        At least those are the requirements that I remember from the Flashback days.
      • @toddbottom

        Confirmed as to its existence by at least one other research facility. Plus I'd tend to believe this was created in an English speaking country, possibly in NA due to the name of the dll they use to "jimmy" their way into the system with it.
      • @BrewmanNH

        You shouldn't have bothered. Folk like the dear Mr. Bottom have never cared. Also, it's amusing to play with them. The truly intriguing thing is the up/downvoting that happens. It's a bit like slashdot but with less fun.
      • Going to the bottom of it all

        Well, for those spiffy wee drooling drones who are saying it doesn't exist. It appears that Iran says it does, the ITU says it does, Sophos too, the dept of Homeland Security of the US of A does and even dear old McAfee does.

  • If you believe any of this...

    then I have a new, super-duper, guaranteed to never rust, fully-functional, fabulous anti-phishing, anti-malware, anti-everything to sell you..

    There has NEVER been one documented instance of over-the-air information nabbing.

    "Data vacuuming", my ass...

    The whole security industry is built on fear, not facts.

      You've got to read about TEMPEST attacks. Many of them are LITERALLY over the air, many of them are documented.
  • Israeli Infections and the Creator of "Flame"

    "Considering the malware has been designed to target Israeli networks, an allied nation to the U.K. and the U.S., the attack is unlikely to originate from the West."

    Not necessarily true. First of all, I believe that they first discovered this virus after it was stealing data and manipulating systems of Iran's state-run oil business. What non-western nation(s) would want to do that?

    Also, perhaps the infections in Israel are targeted at Islamist Radicals and/or suspected foreign intelligence agents, not at Israeli officials themselves.
    • China and Russia receive significant quantities of petroleum products from Iran. Last time I looked, both of those countries were not considered a western state.
      • Seems to me the Shah of Iran was a puppet of and propped up by the USA?

        Then Saddam Hussein of Iraq was also a puppet of the USA, until things went sour?

        And finally Bin-Laden was trained by the CIA to fight the Russians in Afghanistan?

        Are you saying we do not consume petroleum here in the Western hemisphere?

        Hmmm... How things change?
        The Danger is Apple
  • Exclusive, targeted hijacks are never discovered

    How was "Flare" sending all the stolen information? Via what communication channel? Was there any firewall or proxy in place?

    What's the next story from anti-virus laboratories, a mass-destructive virus so "powerful" and "insidious" that it must be shipped on a DVD or in a Blu-ray movie release?!
  • Flamer Removal Tool

    Hey guys,

    Just wanted to let you know that Bitdefender released a tool to find and remove this complex spy tool.

    To determine whether your computer is infected with Flamer, download the Bitdefender removal tool from:

  • More mis-information...

    It's very interesting that the author states that it is their conclusion that a nation state is behind this but that it is not the "West." Especially considering that 2 of the most infected countries infrastructures are countries we are actively trying to undermine and go to war with currently (Iran & Syria).
    • Talk about "mis-information..."

      this is total BS - "...we are actively trying to undermine and go to war with currently (Iran & Syria). "