Turning on the microphones of Iranian computers (& rare gay showing in Iran)

May 30, 2012

* The Flame virus discovered to have infected certain Iranian and other computers, can gather data files, remotely change settings on computers, turn on PC microphones to record conversations of nearby persons, take screen shots and log instant messaging chats.

* Saudi King Abdullah tells Americans: If Iran goes nuclear, there is no question we will too

* Iran recalls its ambassador in Azerbaijan over Eurovision “gay parade”

* Photos: Brave Iranians publicly display gay flags

* Cannes film festival cancels anti-Semitic Iranian-French film that, among other things, claims that Auschwitz “was one big party”

***

This is one of an occasional series of dispatches concerning Iran.

(You can comment on this dispatch here: www.facebook.com/TomGrossMedia. Please first press “Like” on that page.)

 

Flame

 

CONTENTS

1. “The most sophisticated computer virus ever discovered” hits computers of Iranian government personnel
2. Ya’alon hints that Israel is behind Flame malware
3. Iran “committed to Israel’s annihilation,” says country’s leading general
4. Senior Israeli official: Talks with Iran are not working
5. Netanyahu urges international community to stop appeasing the Iranian regime
6. Leading Ha’aretz editorial writer: Tehran is making a fool of Obama
7. Iran’s nuclear program is proceeding on track - Editorial in Al-Watan, Saudi Arabia
8. Saudi king Abdullah tells Americans: If Iran goes nuclear, we will too
9. Iran recalls Azerbaijan ambassador over Eurovision “gay parade”
10. Brave Iranians publicly display gay flags
11. Cannes film festival cancels anti-Semitic Iranian-French film
12. “Powerful ‘Flame’ cyber weapon found in Iran” (Reuters, May 28, 2012)
13. “Meet ‘Flame,’ The massive spy malware infiltrating Iranian computers” (Wired magazine)


[All notes below by Tom Gross]

“THE MOST SOPHISTICATED COMPUTER VIRUS EVER DISCOVERED” HITS COMPUTERS OF IRANIAN GOVERNMENT PERSONNEL

Tehran has now admitted that a malicious software program dubbed “Flame” has been found on many of its computers, and Iranian authorities are running an urgent inspection of all computer systems in the country.

The virus can turn on computer microphones to record conversations of people nearby, take screenshots, gather data files and remotely change settings on computers. The data it collects is relayed back to the virus’s creators.

Russia’s Kaspersky Lab, which announced on Monday that it had discovered Flame, said that the highest concentration of infections is found on Iranian computers. Kaspersky (which is one of the world’s leading computer virus detection companies) estimated that 189 computers in Iran had been targeted, as well as a number of computers in Israel, the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

“This is a large, organized system. It is possible that years were invested in creating it,” experts at Kaspersky said.

The program is controlled from a remote computer, Kaspersky said, and only begins operating when it receives an instruction to do so. “That is why it is hard to detect, because it is not active all of the time. This virus is so sophisticated that it can change its own characteristics and develop in accordance with instructions. It is a masterpiece of programming, not something that a bored student or some guy, talented as he may be, could do.”

According to Kaspersky, the virus has been active for as long as five years, but has only been detected now.

Evidence also suggests that Flame may have been built on behalf of the same person(s) or nation(s) that commissioned the Stuxnet worm that slowed down Iran’s nuclear program in 2010, according to experts quoted in the Reuters article below. Iran has accused the United States and Israel of being behind Stuxnet.

Computer experts said that it was probable that only a nation state would have the capability to build such a sophisticated tool. Last year, The New York Times reported that Stuxnet came from a joint program with an unnamed party begun around 2004 to undermine Iran’s efforts to build a bomb, and had been originally authorized by U.S. President George W. Bush, and then continued by his successor, Barack Obama.

 

YA’ALON HINTS THAT ISRAEL IS BEHIND FLAME MALWARE

Israel’s Deputy Prime Minister (and former IDF chief of staff) Moshe Ya’alon appeared to hint in a radio interview yesterday that Israel is behind the Flame malware that has attacked computers in Iran.

Asked about the attack, Ya’alon told IDF Radio: “Whoever sees the Iranian threat as a meaningful threat – it is reasonable he would take various measures, including this one.”

He continued: “Israel has been blessed with being a state rich in top level high-tech. These tools that we take pride in open up various possibilities for us.”

Moshe Ya’alon is a subscriber to this email list.

***

Tom Gross adds: Although Israeli security sources say that the Flame virus had a “massive impact on Iran,” that it helped to gather “large quantities of information from various Iranian government agencies” after evading detection by 43 different anti-virus programs, and that it was 20 times as large as the Stuxnet computer worm, neither it nor Stuxnet has been sufficient in and of itself to stop the Iranian nuclear weapons program.

 

IRAN “COMMITTED TO ISRAEL’S ANNIHILATION,” SAYS COUNTRY’S LEADING GENERAL

When Iranian President Ahmadinejad said Israel “should be wiped off the map” there were some apologists for him in supposedly respectable Western newspapers and universities who tried to argue that he had been mistranslated (even though his words appear clearly on the Iranian government’s own website).

These apologists will have trouble explaining the latest comments by the chief of staff of the Iranian armed forces.

Iran’s Fars news agency reports that while addressing a defense gathering in Tehran last week, Maj. Gen. Hassan Firouzabadi, the Chief of Staff of the Iranian Armed Forces, announced that a central policy of Iran remains the “full annihilation of the Zionist regime of Israel to the end.”

According to Fars, Firouzabadi reminded those present that this was the edict of Iran’s Supreme Leader Ali Khamenei and could not be changed.

***

Former Spanish Prime Minister Aznar also publicly revealed earlier this month at a Jerusalem conference that on a visit he made to Iran, “Supreme Leader Khamenei told me that Israel must be burned”.

 

SENIOR ISRAELI OFFICIAL: TALKS WITH IRAN ARE NOT WORKING

The current round of negotiations between world powers and Iran is “not working,” a senior unnamed Israeli official told the Jerusalem Post, adding that after two meetings there is “not an iota of evidence indicating the Iranians are in any way serious about curbing their nuclear program.”

According to the official, the Iranians have succeeded in changing the world’s demands. “In the previous rounds of talks, when Iran was only enriching uranium up to three percent, the world’s demand was for a full halt to enrichment. Now that they are enriching up to 20% there are those in the world saying they are able to accept a certain amount of enrichment,” he said.

Israel, the official added, was “skeptical in the extreme” about the current talks, and said the Iranians have bought themselves two months to move their nuclear ambitions forward – five weeks from the first meeting in Istanbul on April 14 to last week’s session in Baghdad, and now another three weeks between that meeting and the next one scheduled for June 19 in Moscow.

“They are successfully playing for time,” the official said.

Another senior Israeli diplomat said Israel “hopes the West doesn’t acquiesce to Iran in exchange for a piece of paper.”

Some Western diplomats have also expressed doubts that Iran would abide by any deal granting the IAEA access to sites, people and documents, pointing out that Tehran has stonewalled the agency’s efforts since 2007.

 

NETANYAHU URGES INTERNATIONAL COMMUNITY TO STOP APPEASING THE IRANIAN REGIME

Israeli Prime Minister Benjamin Netanyahu urged the international community not to give in to Iran over its nuclear program.

Netanyahu said that the Islamic Republic wants to destroy Israel, that all the evidence was there, but that many in the West were determined to ignore or downplay it. He added that Iran is a threat to world peace.

Referring to the remarks of Iran’s top military leader (see item above), Netanyahu said “The Iranian chief of staff declared that Iran is committed to the complete destruction of Israel. Iran wants to eliminate Israel and it is working to attain nuclear weapons in order to achieve that ambition.”

He urged the international community to show strength in its dealings with Tehran, “not weakness.” There must be “no capitulation,” he insisted.

Netanyahu said that the international community must call on Iran to halt all enrichment of uranium, must transfer all enriched uranium out of the country, and must dismantle its covertly built underground military facility near Qom.

Netanyahu’s comments came as the head of Iran’s nuclear agency announced plans for a second reactor at Bushehr scheduled for completion in the early part of 2014.

On Friday, the International Atomic Energy Agency revealed that it has evidence that the Iranians have enriched uranium at the Fordo plant to 27% – significantly greater than any previous enrichment efforts have yielded.

 

LEADING HA’ARETZ EDITORIAL WRITER: TEHRAN IS MAKING A FOOL OF OBAMA

The lead columnist and senior member of the editorial board for the left-wing Israeli paper Ha’aretz (Israel’s equivalent of The New York Times or The Guardian), Ari Shavit, has made a very public and strongly-worded attack on U.S. President Barack Obama’s passivity with respect to Iran.

In an article headlined “The world should focus on Obama, not Netanyahu,” Shavit wrote:

“The man sitting in the Oval Office is ignoring the possibility that his inaction will make the Middle East go nuclear and undermine the world order. He doesn’t care that he might be responsible for losing the United States’ superpower status and turning the 21st century into a century of nuclear chaos.

“The dispassionate man from Chicago is proving every day what rare stuff he’s made of. The president sees how the Iranians mock him – and does nothing. Barack Obama watches the tsunami rolling toward America’s shores – and smiles…

“He is staging a deceptive show of a deal with the Iranians, which will seem to dull the … threat. He is trying to make a fool of Jerusalem as Tehran is making a fool of him. The president is pushing Israel into a corner, but is hoping that Israel will accept its fate submissively. He is counting on Benjamin Netanyahu not to surprise him and ruin his election season. Never has the United States had such a gambler for a president…

“The international community and international public opinion are preoccupied with King Netanyahu these days – will he or won’t he attack? But instead of focusing on a statesman who isn’t supposed to save the world from Iran’s nuclear program, it would be better to focus on the leader whose historic role is just that. In the past 40 months Barack Obama has been betraying his office. Will he wake up in the next four months, come to his senses and change his ways?”

 

IRAN’S NUCLEAR PROGRAM IS PROCEEDING ON TRACK - EDITORIAL IN AL-WATAN, SAUDI ARABIA

This is a summary of an editorial in yesterday’s edition of the Saudi paper, Al-Watan:

Quite simply, the Iranian nuclear program is proceeding on track according to the wishes of the Iranian leadership. It is based on the dream of reviving the Persian Empire and reinstating its control over the entire region. This agenda is based on territorial and Shi’ite expansionism, digging up the past from its grave in the service of this expansionist policy.

The Iranian project in the region is no longer a secret to anyone. Even if it assumes different forms and adopts various guises, such as “backing the resistance against Zionism,” it ultimately aims at ensuring Tehran’s control over the so-called “Shiite Crescent.”

This is the prelude to taking over the rest of the region – something that the region’s states and nations should consider a grave danger.

(The full editorial, in Arabic, can be found here: www.alwatan.com.sa )

 

SAUDI KING ABDULLAH TELLS AMERICANS: IF IRAN GOES NUCLEAR, WE WILL TOO

Former senior U.S. diplomat Dennis Ross confirmed yesterday that Saudi Arabia’s King Abdullah told the U.S. that if Iran obtains nuclear weapons, Saudi Arabia will do so as well.

“If they get nuclear weapons, we will get nuclear weapons,” Abdullah told Ross in April 2009.

Ross said he responded to the king’s statement by making a lengthy appeal against allowing there to be nuclear proliferation in the Middle East, but after hearing him out, the king responded by repeating the same line.

 

IRAN RECALLS AZERBAIJAN AMBASSADOR OVER EUROVISION “GAY PARADE”

Iran has recalled its ambassador to Azerbaijan after accusing its neighbour of holding a “gay parade” at last Saturday’s Eurovision Song Contest.

This year marked the first time that Azerbaijan had hosted the Eurovision Song Contest – a flamboyant annual pageant of pop music from around Europe and neighboring countries, which is the world’s most watched non-sporting event.

A senior Iranian cleric, Ayatollah Sobhani, issued a statement urging Muslims in the region to protest what he described as anti-Islamic behavior by Azerbaijan’s government by hosting the contest.

This is the latest in a series of spats between Iran’s Islamic government and Azerbaijan’s secular Muslim one.

Iran has accused Azerbaijan of assisting Israel in what it claims was the Jewish state’s assassination of Iranian nuclear scientists.

And Azerbaijan has arrested dozens of people on suspicion of links with Iran’s Revolutionary Guards and of plotting attacks on targets that include the Israeli ambassador and U.S. officials in Azerbaijan.

About one third of Iranians are ethnically Azeri, and many claim that the whole of southern Azerbaijan is occupied by Iran.

 

BRAVE IRANIANS PUBLICLY DISPLAY GAY FLAGS

On May 17, the “International Day Against Homophobia,” a small group of brave Iranians publicly demonstrated support for gay rights by displaying the gay “rainbow” flag, despite Iran’s extremely tough laws against homosexuality, including a possible death sentence.

Please click here to see pictures taken in Tehran.

You can see from these pictures that the individuals have hidden their faces to avoid being identified. The rainbow flag shown in these pictures is the symbol of the lesbian, gay, bisexual, and transgender (LGBT) rights movement, although many Iranians may not know that.

 

CANNES FILM FESTIVAL CANCELS ANTI-SEMITIC IRANIAN-FRENCH FILM

The Cannes film festival has dropped from its program an anti-Semitic film by the racist French “comic” performer Dieudonné M’Bala M’Bala.

The film, titled “Yahod Setiz” (or “The Anti-Semite”) was produced by the Iranian Documentary and Experimental Film Center. It is said to poke fun at the Nazi death camp Auschwitz, where over 1.5 million Jews were murdered, and stars Dieudonné dressed as a Nazi officer saying Auschwitz was one big party. Robert Faurisson, a French “historian” who has been convicted of Holocaust denial, also briefly appears in the film.

A spokesperson for the Cannes festival said that the festival has a policy of banning films that threaten public order or insult religious beliefs, and that Dieudonné’s film clearly violated that policy and should never have been included in the program in the first place.

Dieudonné is infamous for performances that deny the Holocaust, praise Hitler, and demonize Jews and people of Jewish origin. He recently announced his candidacy for the French parliament in upcoming elections as a member of the Anti-Zionist Party (Parti Anti-Sioniste, or PAS).

***

Among previous dispatches mentioning Dieudonné, please see “Fury at French comic’s ‘Heil Israel’ jibe” (Dec. 8, 2003). www.tomgrossmedia.com/mideastdispatches/archives/000147.html

And also this dispatch: www.tomgrossmedia.com/mideastdispatches/archives/000664.html

***

I attach two articles below, from Reuters and from Wired magazine.

-- Tom Gross


ARTICLES

Powerful “Flame” cyber weapon found in Iran
By Jim Finkle
Reuters
May 28, 2012

BOSTON (Reuters) - Security experts have discovered a highly sophisticated computer virus in Iran and the Middle East that they believe was deployed at least five years ago to engage in state-sponsored cyber espionage.

Evidence suggests that the virus, dubbed Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010, according to Kaspersky Lab, the Russian cyber security software maker that claimed responsibility for discovering the virus.

Kaspersky researchers said on Monday they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.

Iran has accused the United States and Israel of deploying Stuxnet.

Cyber security experts said the discovery provides new evidence to the public to show what experts privy to classified information have long known: that nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.

“This is one of many, many campaigns that happen all the time and never make it into the public domain,” said Alexander Klimburg, a cyber security expert at the Austrian Institute for International Affairs.

A cyber security agency in Iran said on its website on Monday that Flame bore a “close relation” to Stuxnet, the notorious computer worm that attacked that country’s nuclear program in 2010 and is the first publicly known example of a cyber weapon.

Iran’s National Computer Emergency Response Team also said Flame might be linked to recent cyber attacks that officials in Tehran have said were responsible for massive data losses on some Iranian computer systems.

Kaspersky Lab said it discovered Flame after a U.N. telecommunications agency asked it to analyze data on malicious software across the Middle East in search of the data-wiping virus reported by Iran.

STUXNET CONNECTION

Experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security who have spent weeks studying Flame said they have yet to find any evidence that it can attack infrastructure, delete data or inflict other physical damage.

Yet they said they are in the early stages of their investigations and that they may discover other purposes beyond data theft. It took researchers months to determine the key mysteries behind Stuxnet, including the purpose of modules used to attack a uranium enrichment facility at Natanz, Iran.

“Their initial research suggests that this was probably written by the authors of Stuxnet for covert intelligence collection,” said John Bumgarner, a cyber warfare expert with the non-profit U.S. Cyber Consequences Unit think tank.

Flame appears poised to go down in history as the third major cyber weapon uncovered after Stuxnet and its data-stealing cousin Duqu, named after the Star Wars villain.

The Moscow-based company is controlled by Russian malware researcher Eugene Kaspersky. It gained notoriety in cyber weapons research after solving several mysteries surrounding Stuxnet and Duqu.

Their research shows the largest number of infected machines are in Iran, followed by Israel and the Palestinian territories, then Sudan and Syria.

The virus contains about 20 times as much code as Stuxnet, which caused centrifuges to fail at the Iranian enrichment facility it attacked. It has about 100 times as much code as a typical virus designed to steal financial information, said Kaspersky Lab senior researcher Roel Schouwenberg.

GATHERING DATA

Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats.

Kaspersky Lab said Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and that both viruses employ a similar way of spreading.

That means the teams that built Stuxnet and Duqu might have had access to the same technology as the team that built Flame, Schouwenberg said.

He said that a nation state would have the capability to build such a sophisticated tool, but declined to comment on which countries might do so.

The question of who built Flame is sure to become a hot topic in the security community as well as the diplomatic world.

There is some controversy over who was behind Stuxnet and Duqu.

Some experts suspect the United States and Israel, a view that was laid out in a January 2011 New York Times report that said it came from a joint program begun around 2004 to undermine what they say are Iran’s efforts to build a bomb. That article said the program was originally authorized by U.S. President George W. Bush, and then accelerated by his successor, Barack Obama.

A U.S. Defense Department spokesman, David Oten, declined to comment on Flame on Monday.

The CIA, the State Department, the National Security Agency, and the U.S. Cyber Command declined to comment.

Hungarian researcher Boldizsar Bencsath, whose Laboratory of Cryptography and Systems Security first discovered Duqu, said his analysis shows that Flame may have been active for at least five years and perhaps eight years or more.

“The scary thing for me is: if this is what they were capable of five years ago, I can only think what they are developing now,” said Mohan Koo, managing director of British-based Dtex Systems cyber security company.

Mikko Hypponen, chief research officer for anti-virus software maker F-Secure of Finland, described Flame as the latest of high-profile viruses that show makers of anti-virus software need to improve their performance.

“Stuxnet, Duqu and Flame are all examples where we - the anti-virus industry - have dramatically failed,” he said. “All of these cases were spreading undetected for extended periods of time ... Yet, anti-virus products failed to protect users against these attacks.”

 

MEET ‘FLAME,’ THE MASSIVE SPY MALWARE INFILTRATING IRANIAN COMPUTERS

Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers
By Kim Zetter
Wired magazine online
May 28, 2012

Click here for a map showing the number and geographical location of Flame infections detected by Kaspersky Lab on customer machines: www.wired.com/threatlevel/2012/05/flame/

***

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based antivirus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size — the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”

Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the Lua programming language — an uncommon choice for malware.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”

“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.

Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.

“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time period when Stuxnet and DuQu are believed to have been created.

Gostev says that because of its size and complexity, complete analysis of the code may take years.

“It took us half a year to analyze Stuxnet,” he said. “This is 20 times more complicated. It will take us 10 years to fully understand everything.”

Kaspersky discovered the malware about two weeks ago after the United Nations’ International Telecommunications Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems. The malware was named alternatively in news articles as “Wiper” and “Viper,” a discrepancy that may be due to a translation mixup.

Kaspersky researchers searched through their reporting archive, which contains suspicious filenames sent automatically from customer machines so the names can be checked against whitelists of known malware, and found an MD5 hash and filename that appeared to have been deployed only on machines in Iran and other Middle East countries. As the researchers dug further, they found other components infecting machines in the region, which they pieced together as parts of Flame.

Kaspersky, however, is currently treating Flame as if it is not connected to Wiper/Viper, and believes it is a separate infection entirely. The researchers dubbed the toolkit “Flame” after the name of a module inside it.

Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.

Flame does contain a module named Viper, adding more confusion to the Wiper/Viper issue, but this component is used to transfer stolen data from infected machines to command-and-control servers. News reports out of Iran indicated the Wiper/Viper program that infected the oil ministry was designed to delete large swaths of data from infected systems.

Kaspersky’s researchers examined a system that was destroyed by Wiper/Viper and found no traces of that malware on it, preventing them from comparing it to the Flame files. The disk destroyed by Wiper/Viper was filled primarily with random trash, and almost nothing could be recovered from it, Gostev said. “We did not see any sign of Flame on that disk.”

Because Flame is so big, it gets loaded to a system in pieces. The machine first gets hit with a 6-megabyte component, which contains about half a dozen other compressed modules inside. The main component extracts, decompresses and decrypts these modules and writes them to various locations on disk. The number of modules in an infection depends on what the attackers want to do on a particular machine.

Once the modules are unpacked and loaded, the malware connects to one of about 80 command-and-control domains to deliver information about the infected machine to the attackers and await further instruction from them. The malware contains a hardcoded list of about five domains, but also has an updatable list, to which the attackers can add new domains if these others have been taken down or abandoned.

While the malware awaits further instruction, the various modules in it might take screenshots and sniff the network. The screenshot module grabs desktop images every 15 seconds when a high-value communication application is being used, such as instant messaging or Outlook, and once every 60 seconds when other applications are being used.

Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and DuQu, it does share a few interesting things with Stuxnet.

Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009. It is widely believed to have been designed to sabotage centrifuges used in Iran’s uranium enrichment program. DuQu was an espionage tool discovered on machines in Iran, Sudan, and elsewhere in 2011 that was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, using identical parts and using similar techniques.

But Flame doesn’t resemble either of these in framework, design or functionality.

Stuxnet and DuQu were made of compact and efficient code that was pared down to its essentials. Flame is 20 megabytes in size, compared to Stuxnet’s 500 kilobytes, and contains a lot of components that are not used by the code by default, but appear to be there to provide the attackers with options to turn on post-installation.

“It was obvious DuQu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities,” Gostev said. “Everything is completely different, with the exception of two specific things.”

One of these is an interesting export function in both Stuxnet and Flame, which may turn out to link the two pieces of malware upon further analysis, Gostev said. The export function allows the malware to be executed on the system.

Also, like Stuxnet, Flame has the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also uses the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. This suggests that the authors of Flame may have had access to the same menu of exploits that the creators of Stuxnet used.

Unlike Stuxnet, however, Flame does not replicate automatically. The spreading mechanisms are turned off by default and must be switched on by the attackers before the malware will spread. Once it infects a USB stick inserted into an infected machine, the USB exploit is disabled immediately.

This is likely intended to control the spread of the malware and lessen the likelihood that it will be detected. This may be the attackers’ response to the out-of-control spreading that occurred with Stuxnet and accelerated the discovery of that malware.

It’s possible the exploits were enabled in early versions of the malware to allow the malware to spread automatically, but were then disabled after Stuxnet went public in July 2010 and after the .lnk and print spooler vulnerabilities were patched. Flame was launched prior to Stuxnet’s discovery, and Microsoft patched the .lnk and print spooler vulnerabilities in August and September 2010. Any malware attempting to use the vulnerabilities now would be detected if the infected machines were running updated versions of antivirus programs. Flame, in fact, checks for the presence of updated versions of these programs on a machine and, based on what it finds, determines if the environment is conducive for using the exploits to spread.

The researchers say they don’t know yet how an initial infection of Flame occurs on a machine before it starts spreading. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.

The earliest sign of Flame that Kaspersky found on customer systems is a filename belonging to Flame that popped up on a customer’s machine in Lebanon on Aug. 23, 2010. An internet search on the file’s name showed that security firm Webroot had reported the same filename appearing on a computer in Iran on Mar. 1, 2010. But online searches for the names of other unique files found in Flame show that it may have been in the wild even earlier than this. At least one component of Flame appears to have popped up on machines in Europe on Dec. 5, 2007 and in Dubai on Apr. 28, 2008.

Kaspersky estimates that Flame has infected about 1,000 machines. The researchers arrived at this figure by calculating the number of its own customers who have been infected and extrapolating that to estimate the number of infected machines belonging to customers of other antivirus firms.

All of the infections of Kaspersky customers appear to have been targeted and show no indication that a specific industry, such as the energy industry, or specific systems, such as industrial control systems, were singled out. Instead, the researchers believe Flame was designed to be an all-purpose tool that so far has infected a wide variety of victims. Among those hit have been individuals, private companies, educational institutions and government-run organizations.

Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran and Lebanon. It has also received reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.

Researchers say the compilation dates of the modules in Flame appear to have been manipulated by the attackers, perhaps in an attempt to prevent researchers from determining when the modules were created.

“Whoever created it was careful to mess up the compilation dates in every single module,” Gostev said. “The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010.”
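The timestamp tampering Gostev describes is something an analyst can check for mechanically: every Windows PE module carries a build time (the COFF TimeDateStamp), and a value that predates the libraries the module links against, or lies in the future, is a red flag rather than a fact. The following is an added example, written for this dispatch and not code from the Wired article, Kaspersky or Symantec. It parses the timestamp out of a PE header and flags implausible values against an assumed analysis window: a lower bound of 2010 (the article says the modules use code only released that year) and an upper bound of late May 2012 (the date of the analysis). All sample images are constructed inline and contain nothing from Flame itself.

```python
"""Flag Windows PE modules whose COFF TimeDateStamp is implausible.

Added example (not from the Wired article, Kaspersky or Symantec): a
defender's sanity check for the timestamp manipulation the article describes,
where modules claim a 1994/1995 build date while using 2010-era code.
All sample data below is constructed, not real Flame material.
"""
import struct
from datetime import datetime, timezone


def utc_seconds(year: int, month: int, day: int) -> int:
    """Seconds since the Unix epoch for a UTC date; PE stores the build time this way."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Assumed analysis window: the modules use code first released in 2010 and the
# analysis was published in late May 2012, so a genuine build date must fall
# between those two points. Adjust for the binary actually being examined.
EARLIEST_PLAUSIBLE = utc_seconds(2010, 1, 1)
ANALYSIS_DATE = utc_seconds(2012, 5, 28)


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal PE image (DOS header + PE signature + COFF header).

    It is only enough for header parsing and will not load or run; it exists
    purely as constructed sample input for the check below.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"                                # DOS magic
    struct.pack_into("<I", dos, 0x3C, e_lfanew)     # offset of the PE signature
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp from a PE image, validating both magics first."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp follows Machine (2 bytes) and NumberOfSections (2 bytes),
    # so it sits 8 bytes past the 4-byte "PE\0\0" signature.
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def timestamp_anomaly(data: bytes, earliest: int = EARLIEST_PLAUSIBLE,
                      now: int = ANALYSIS_DATE):
    """Return a short reason if the build timestamp is implausible, else None."""
    ts = pe_timestamp(data)
    if ts == 0:
        return "zero TimeDateStamp"   # usual sign of a deliberately stripped timestamp
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    if ts < earliest:
        return f"build date {when:%Y-%m-%d} predates the code it links against"
    if ts > now:
        return f"build date {when:%Y-%m-%d} is in the future"
    return None


# Constructed samples: one backdated to 1994 as the article describes, one
# plausible, one zeroed, one post-dated.
SAMPLE_BACKDATED = build_minimal_pe(utc_seconds(1994, 6, 1))
SAMPLE_PLAUSIBLE = build_minimal_pe(utc_seconds(2011, 3, 15))
SAMPLE_ZEROED = build_minimal_pe(0)
SAMPLE_FUTURE = build_minimal_pe(utc_seconds(2013, 1, 1))


def triage(samples: dict) -> dict:
    """Map sample name -> anomaly reason (or None) so a reviewer sees what to look at."""
    return {name: timestamp_anomaly(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    results = triage({
        "backdated": SAMPLE_BACKDATED,
        "plausible": SAMPLE_PLAUSIBLE,
        "zeroed": SAMPLE_ZEROED,
        "future": SAMPLE_FUTURE,
    })
    for name, reason in results.items():
        print(f"{name:10s} -> {reason or 'ok'}")
```

The lower bound is the useful part: a stripped or future timestamp is obvious, but a backdated one only stands out once you compare it with something the binary cannot fake as easily, such as the release date of the libraries or compiler features it depends on. In practice the bound would be set per sample from that evidence, exactly as the researchers did when they noticed 1994 dates on code that did not exist until 2010.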

The malware has no kill date, though the operators have the ability to send a kill module to it if needed. The kill module, named browse32, searches for every trace of the malware on the system, including stored files full of screenshots and data stolen by the malware, and eliminates them, picking up any breadcrumbs that might be left behind.

“When the kill module is activated, there’s nothing left whatsoever,” Gostev said.

UPDATE PDT: Iran’s Computer Emergency Response Team announced on Monday that it had developed a detector to uncover what it calls the “Flamer” malware on infected machines and delivered it to select organizations at the beginning of May. It has also developed a removal tool for the malware. Kaspersky believes the “Flamer” malware is the same as the Flame malware its researchers analyzed.


All notes and summaries copyright © Tom Gross. All rights reserved.