Security experts said on Monday a highly sophisticated computer virus is infecting computers in Iran
and other Middle East countries and may have been deployed at least
five years ago to engage in state-sponsored cyber espionage.
Evidence
suggest that the virus, dubbed Flame, may have been built on behalf of
the same nation or nations that commissioned the Stuxnet worm that
attacked Iran's nuclear program in 2010, according to Kaspersky Lab, the Russian cyber security software maker that took credit for discovering the infections.
Kaspersky
researchers said they have yet to determine whether Flame had a
specific mission like Stuxnet, and declined to say who they think built
it.
Iran has accused the United States and Israel of deploying Stuxnet.
Cyber
security experts said the discovery publicly demonstrates what experts
privy to classified information have long known: that nations have been
using pieces of malicious computer code as weapons to promote their
security interests for several years.
"This is
one of many, many campaigns that happen all the time and never make it
into the public domain," said Alexander Klimburg, a cyber security
expert at the Austrian Institute for International Affairs.
A cyber security agency in Iran
said on its English website that Flame bore a "close relation" to
Stuxnet, the notorious computer worm that attacked that country's
nuclear program in 2010 and is the first publicly known example of a
cyber weapon.
Iran's
National Computer Emergency Response Team also said Flame might be
linked to recent cyber attacks that officials in Tehran have said were
responsible for massive data losses on some Iranian computer systems.
Kaspersky Lab
said it discovered Flame after a U.N. telecommunications agency asked
it to analyze data on malicious software across the Middle East in
search of the data-wiping virus reported by Iran.
STUXNET CONNECTION
Experts at Kaspersky Lab
and Hungary's Laboratory of Cryptography and System Security who have
spent weeks studying Flame said they have yet to find any evidence that
it can attack infrastructure, delete data or inflict other physical
damage.
Yet they said they are in the early
stages of their investigations and that they may discover other
purposes beyond data theft. It took researchers months to determine the
key mysteries behind Stuxnet, including the purpose of modules used to
attack a uranium enrichment facility at Natanz, Iran.
If
Kaspersky's findings are validated, Flame could go down in history as
the third major cyber weapon uncovered after Stuxnet and its
data-stealing cousin Duqu, named after the Star Wars villain.
The
Moscow-based company is controlled by Russian malware researcher Eugene
Kaspersky. It gained notoriety after solving several mysteries
surrounding Stuxnet and Duqu.
Officials with
Symantec Corp and Intel Corp McAfee security division, the top 2 makers
of anti-virus software, said they were studying Flame.
"It
seems to be more complex than Duqu but it's too early to tell its place
in history," said Dave Marcus, director of advanced research and threat
intelligence with McAfee.
Symantec Security
Response manager Vikram Thakur said that his company's experts believed
there was a "high" probability that Flame was among the most complex
pieces of malicious software ever discovered.
At least one rival of Kaspersky expressed skepticism.
Privately
held Webroot said its automatic virus-scanning engines detected Flame
in December 2007, but that it did not pay much attention because the
code was not particularly menacing.
That is
partly because it was easy to discover and remove, said Webroot Vice
President Joe Jaroch. "There are many more dangerous threats out there
today," he said.
MAPPING IT OUT
Kaspersky's
research shows the largest number of infected machines are in Iran,
followed by Israel and the Palestinian territories, then Sudan and
Syria.
The virus contains about 20 times as much
code as Stuxnet, which caused centrifuges to fail at the Iranian
enrichment facility it attacked. It has about 100 times as much code as
a typical virus designed to steal financial information, said Kaspersky Lab senior researcher Roel Schouwenberg.
Flame
can gather data files, remotely change settings on computers, turn on
PC microphones to record conversations, take screen shots and log
instant messaging chats.
Kaspersky Lab
said Flame and Stuxnet appear to infect machines by exploiting the same
flaw in the Windows operating system and that both viruses employ a
similar way of spreading.
That means the teams
that built Stuxnet and Duqu might have had access to the same
technology as the team that built Flame, Schouwenberg said.
He
said that a nation state would have the capability to build such a
sophisticated tool, but declined to comment on which countries might do
so.
The question of who built flame is sure to become a hot topic in the security community as well as the diplomatic world.
There
is some controversy over who was behind Stuxnet and Duqu. Some experts
suspect the United States and Israel, a view that was laid out in a
January 2011 New York Times report that said it came from a joint
program begun around 2004 to undermine what they say are Iran's efforts
to build a bomb.
The U.S. Defense Department, CIA, State Department, National Security Agency, and U.S. Cyber Command declined to comment.
Hungarian
researcher Boldizsar Bencsath, whose Laboratory of Cryptography and
Systems Security first discovered Duqu, said his analysis shows that
Flame may have been active for at least five years and perhaps eight
years or more.
That implies it was active long before Stuxnet.
"It's
huge and overly complex, which makes me think it's a first-generation
data gathering tool," said Neil Fisher, vice president for global
security solutions at Unisys Corp. "We are going to find more of these
things over time."
Others said cyber weapons technology has inevitably advanced since Flame was built.
"The
scary thing for me is: if this is what they were capable of five years
ago, I can only think what they are developing now," Mohan Koo,
managing director of British-based Dtex Systems cyber security company.
Some
experts speculated that the discovery of the virus may have dealt a
psychological blow to its victims, on top of whatever damage Flame may
have already inflicted to their computers.
"If a
government initiated the attack it might not care that the attack was
discovered," said Klimburg of the Austrian Institute for International
Affairs. "The psychological effect of the penetration could be nearly
as profitable as the intelligence gathered."
(Additional
reporting by Jim Wolf in Washington, Daniel Fineran in Dubai and
William Maclean in London; editing by Edward Tobin, Ron Popeski and
Mohammad Zargham)