New, wide-spread surveillance malware discovered in several Middle East countries

The Takeaway

Iran’s nuclear program was setback in 2010 when a computer worm called “Stuxnet” struck uranium enrichment facilities in the country, causing them to malfunction.

At the time, many suggested that Israel, and maybe America, had designed the computer worm specifically to target Iran. Richard Clarke, a counter-terrorism advisor to three presidents, said computer worms like Stuxnet were changing the face of international espionage. Lines of code that can take screenshots and delete documents are changing the face of spy craft.

Now, a Moscow-based cyber security company has discovered a similar worm in the Middle East, Iran, Lebanon and even some of the Gulf countries. This one, they say, is much more sophisticated than Stuxnet, and perhaps the most sophisticated malware ever of its kind. 

They’re calling it “Flame.” And it's been in action for more than two years.

Roel Schouwenberg, a senior policy analyst for Kaspersky Labs, the company that discovered Flame, described Flame as a "complete spy kit."

"The attackers have the ability to upload any module into the computer as they see fit," he said. "Flame is very reliant on different modules. Depending on what the attackers want to achieve with a specific target, they can decide to upload different modules. Right now, we don't believe we've uncovered all the modules that are out there in the world."

Schouwenberg said it appears that Flame is all about gathering information, and not directing the computers to take any action. But because they haven't found all of the modules, they're not quite sure whether that's in fact the case.

Kim Zetter, a senior writer at Wired Magazine, said that among the modules that have been discovered are ones that allow covert operation of a webcam or computer microphone, in order to capture important images or private conversations through or near the computer. It's also capable of activating a computer's bluetooth, which could enable the virus to spread to other bluetooth-enabled devices.

"If you have a bluetooth-enabled laptop and you have your phone nearby, they can use your laptop in order to get into your phone and download the contacts in your address book," Zetter said.

Schouwenberg said at this point, it's hard to judge who the actual target of the virus is, which makes it even harder to guess who may have designed the malware.

"We have seen some of these cyber-operations happening in Iran before," he said, but pointed out that those had very narrowly defined target lists. "With Flame, we see hundreds of targets so far. We expect to see over 1,000 globally as our research continues. So far, we haven't been able to determine what the commonality is between all the targets."

But, perhaps significantly, some of the techniques used in Flame were only previously used in Stuxnet.

"That makes us believe that whoever commissioned Flame also commissioned Stuxnet," Schouwenberg said.

Zetter said the only counter-measures available will, at least for consumers, be the ones that are developed by anti-virus companies. Those haven't yet been released.

"There is a component, one of the modules that Kaspersky found, that will actually remotely kill the malware on your system. So, if they can send out this command before you do a scan on your machine, they can eliminate any trace of it, so you might not even know you were infected," Zetter said.

Schouwenberg said that's becoming popular with malware as a way of self-protection. Significantly, in Flame, it's so effective it really wipes out any trace of the virus ever existing.

"Normally when we see uninstall commands within malware, there are still some traces left," he said. "But, these guys were very thorough in their uninstall routines."

Sign up for our daily newsletter

Sign up for The Top of the World, delivered to your inbox every weekday morning.