The Flame malware that infected computers across the Middle East and North Africa is a “cyber weapon”, probably developed by a nation state for the purpose of espionage.
This is the view of Vitaly Kamluk, chief malware expert at Russia’s Kaspersky Lab, the antivirus company that played an instrumental role in uncovering the malware, which has been described as the most sophisticated software of its kind ever detected.
Kamluk was speaking to TechCentral from Moscow on Wednesday. He says Kaspersky has been unable to determine the origin of the malware or how it was first propagated, but says it is a highly complex piece of software — 20 times more complex than the Stuxnet worm, discovered in 2010, that targeted Siemens industrial software and equipment. It’s been speculated that Israel and/or the US were behind development of both Flame and Stuxnet. Stuxnet targeted five Iranian organisations, reportedly damaging Iran’s nuclear programme.
Through its antivirus software, Kaspersky is aware of the virus infecting 600 machines, but Kamluk believes there are probably thousands of machines that were compromised. It can record audio, grab screenshots and monitor keyboard activity and network traffic. It can even record Skype conversations and download contact information from nearby Bluetooth-enabled mobile phones.
Kamluk says it appears the developers and controllers of the Flame malware, which spreads through Microsoft Windows-based computers, were able to use it to obtain vital information use it to “destroy” operating systems, rendering machines “completely broken”.
Flame, Kamluk says, is part of a “small group of malicious applications that can be referred to as ‘cyber weapons’”. With all its modules, the virus is 20MB in size, which is unusually large for malware.
Kaspersky Lab has tried to determine who wrote the software, but admits it hit a brick wall in its investigations. “There was obviously no contact information in the body of the malware, so we tried to find out what it does and where it is controlled from,” Kamluk says. “We discovered dozens of servers located in different countries.”
He explains that if the software was developed by a nation-state government, as seems likely, it would have been “silly” to locate the command-and-control servers in the country of origin.
Kaspersky then tried a different approach, which it uses often to try to narrow down the likely source of malware. Often, Korean- or Chinese-developed malware is “quite identifiable” because of certain characters used in the code unique to those markets. “We tried to extract all the text from all the modules [in the malware],” he says. “What we found was it was all in pure English. But English is a universal language and quite common. All we know is that the developer probably speaks English very well.”
All indications are that the software was not developed by common cyber criminals, who usually develop malware for the purpose of stealing personal information in order to get access to sources of electronic money, such as bank account login credentials. The sole purpose of Flame appears to be espionage.
“This doesn’t look like [it was developed by] traditional cyber-criminal developers,” Kamluk says.
Also, the highly sophisticated architecture of the malware points to something way beyond what common cyber criminals would or could develop. “It consists of many modules written in a not very popular programming language [called Lua] and required huge amounts of human resources to program and test it. That’s why we think it’s a nation state or organisation that might be behind this threat.”
It appears the virus was planted initially using a USB stick but has different means of propagation. For example, it can be spread over local-area networks or through any machine-attached media. Operators can command the malware to start spreading. However, the initial attack vector “remains a mystery”.
“We don’t know how they managed to infect the first computer,” Kamluk says, adding that the virus has been in the wild since at least early 2010.
He says ordinary consumers should be aware of and concerned about malware like Flame. Governments developing cyber weapons is a “rising problem and we need to pay more attention to this”.
Kamluk says there is an urgent need to regulate the use of these weapons. “There are no goals and no conventions to regulate the use of such weapons. In our view, this has to change.” — (c) 2012 NewsCentral Media