News blog

Uncovered spyware may have been at work for years

Some of sKyWIper's encryption-related code

A massive computer virus dubbed Flame or sKyWIper may have been targeting computers in the Middle East, and Iran in particular, for the past five years, according to a report by a research team involved in analysing the sophisticated computer code.

The report, released on 28 May by the Laboratory of Cryptography and System Security in Budapest, Hungary, which was part of a team analysing the malware, bases its estimate on file names that were first spotted in Europe in 2007.

Analysts say that the virus is designed to steal information by turning infected computers into spying machines, capturing screen shots, turning on microphones and otherwise probing them for other information that can be transferred to servers under the malware’s control.

“It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes,” the Hungarian researchers wrote.

Although Flame is being compared to Stuxnet, the infamous malware that is credited with damaging Iran’s nuclear centrifuges in 2010, it does not appear to target industrial security processes. Rather, it is a highly complex version of spyware. Kaspersky Lab, the antivirus company that first revealed the existence of the Flame malware, describes it as “a huge package of modules comprising almost 20 megabytes in size when fully deployed”.

“This is on a completely different level,” Roel Schouwenberg, a Kaspersky researcher, told the Associated Press on Tuesday. “It can be used to spy on everything that a user is doing.”

Indeed, what makes Flame similar to Stuxnet is its size and complexity, which has led researchers and computer-security firms to suggest that it is the work of a government-backed team, rather than a criminal network or hacking group. “[T]his code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives,” Symantec, another leading computer security firm, wrote on its blog.

Another similarity with the Stuxnet virus is that Flame appears to be most prevalent in the Middle East, and in Iran in particular. The malware may also have been involved in an April cyberattack against the Iranian Oil Ministry, according to Symantec.

Iran’s Computer Emergency Response Team, the Maher Center, which provided an alert of the malware on Monday, claimed that it had already developed ways to detect Flame and to remove it. Although a report by Iran’s Fars New Agency links the attack to Israel, there is no specific evidence pointing to who developed or deployed Flame.

Although Flame is being described as spyware at present, researchers acknowledge that there may be elements of the malware attack that are not yet fully known or understood.

But one thing that researchers seem to agree on is the significance of the new attack. “Overall,” the Kaspersky Lab notes on its blog, “we can say Flame is one of the most complex threats ever discovered.”


Comments are closed.