Newly discovered malware most lethal cyberweapon to date

A new kind ofmalware that is more sophisticated anddamaging than the notorious Stuxnetand Duqu wormsis likely being deployed by a nation state, say the cybersecurity experts who uncovered it.

"Duqu and Stuxnet raised the stakes in the cyberbattles being fought in the Middle East, but now we've found what might be the most sophisticated cyberweapon yet unleashed,"wrote analyst Alexander Gostevin a blog poston the website of Kaspersky Lab Monday.

Moscow-based Kaspersky Lab, Iran'sMaher Computer Emergency Response Team Co-ordination Centreand thecryptography and system security labat the Budapest University of Technology and Economics in Hungaryhave all independentlyuncoveredtheTrojan computer virus while investigating wide-scale cyberattacks.

The worm, which has variously been dubbed Flame, FlamerandsKyWIperbased on filenames that appear in the decrypted malware code, is able to minea vast array of data from infected machines by:

• Surveying network traffic.
• Taking screenshots, includingin instant messaging programs.
• Recording audio conversations viaacomputer'sinternal microphone.
• Collecting passwords.
• Intercepting keyboard actions
• Gleaning information from devices connected to the infected machine by Bluetooth.
• Scanning hard drives for specific file extensions or content.
• Transmitting data to servers that control the malware

"Flame is one of the most complex threats ever discovered," Gostevwrote.

'It's a complete attack tool kit designed for general cyber-espionage purposes.' Alexander Gostev, analyst, Kaspersky Lab

It far surpasses Stuxnet and Duqu, two wormsbehind cyberattacks against technology related toIran's nuclear energy program,both in sizethe program used to deploy it is 20 MB versus about500 KB and in its capability to steal information in so many different ways.

"It's a complete attack tool kit designed for general cyber-espionage purposes," writes Gostev.

State-sponsored initiative

Like other viruses, it is able to replicate across a local network and removable devices such as USB sticks andportable drives and is controlled through a series of command-and-control servers around the world, which can also remotely remove every trace of the worm.

Just how it initially enters a computeris not yet known.

Kaspersky Lab discovered the worm, which it found under the codename Worm.Win32.Flame, while carrying out work forthe International Telecommunication Union, a United Nations agency, which had asked it to try to trace malwarethat was deleting sensitive information from computers in several countries in the Middle East.

Gostev said his company is still analysing the malware but that it is certain it was deployed in August 2010 and has been circulating since around February or March 2010 andpossibly in earlier versions before that. The Hungarian team found evidence of the worm as early as 2007.

Kasperskyhas ruled out the possibility that the malware was created by hacktivists or cybercriminals because its intention is not to steal money, its architecture is vastly more complex than that used by hackers and its targets have been confined to several countries in the Middle East and Africa.

The company has concluded that it is likely the work of a nation state.

The Hungarian lab concurs, saying inits analysisthat the worm was probably "developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities."

"SKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found," it said in its analysis.

On Tuesday, Israel's vice-prime minister Moshe Yaalon seemedto give credence to the theory that a state is behind the computer virus and that that state could possibly be Israel.

"Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," Yaalon told Galei Tzahal, the radio network of the Israel Defence Forces, when asked about Flame. "Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us."

Several Mideast countries hit

Kaspersky has so faridentified seven countries that have been affected by Flame attacks:

• Iran (189 infections)
• Israel and Palestine (98 targets)
• Sudan (32 targets)
• Syria (30 targets)
• Lebanon (18 targets)
• Saudi Arabia (10 targets)
• Egypt (5 targets)

The Hungarianexpertsfound that theworm, whichthey traced under the filename wavesup3.drv, was active in several European countries, including Hungary, as well as the United Arab Emirates and Iran.

Variety of targets

So far, there doesn't seem to bea pattern to the types of targets attacked. Individuals, educational institutions and state-related organizations have all been hit, Gostev said.

"From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligenceemails, documents, messages, discussions inside sensitive locations, pretty much everything," Gostev writes. "We have not seen any specific signs indicating a particular target, such as the energy industry."

Iran's nuclearenergy infrastructure was one of the targets of the Stuxnet cyberattackin 2010, so there will likely be suspicions that the newly identified worm might be deployed in similar ways.

The Stuxnet worm specifically targeted Siemens software and equipment, which is the basis of Iran's uranium-enrichment infrastructure, and did significant damage to Iran's nuclear capabilities.

Cybersecurity experts suspect it was created by Israeli or U.S. programmers at the behest of intelligence agencies in those countries.

Inasecurity advisoryissued Monday, Iran's Maher centre said that recent incidents of "mass data loss" in Iran could be the result of the new worm that it and its counterparts in Russia and Hungary have identified.

Gostev said that while there are indications in the Flame code that its creators might have had access to the same technology as was used in Stuxnet and may have exploited some of the same vulnerabilities as that virus, the twopieces of malwarewere likely created by separate groups.

Initially, Kaspersky experts suspected Flame was deployed in parallel but not in conjunction with Stuxnet.

But on June 11, they revised that analysis and said they had found evidence that the creators of the two viruses co-operated at least once and shared some source code.

Kaspersky expert Alexander Gostev said in ablog postthat his company had identified a similarity between a subset of the code used in Flame and another set of code used in an early version of Stuxnet.

Stuxnet is believed to have been created by U.S. and Israeli intelligence agencies, a suspicion that surfaced again in a new book by New York Times journalist David E. Sanger.