Israel and the United States collaborated in the development of the powerful computer virus dubbed the “Flame,” which briefly affected Iran’s key oil industry, an official with knowledge of the effort said.
The Washington Post reports that the massive piece of malware, which collected critical intelligence information from Iran, was created with the aim of slowing the country’s suspected nuclear weapon development.
The Worm.Win32.Flame threat, or “Flame” for short, was likely built by the same nation-state responsible for the Stuxnet virus that targeted Iran’s nuclear power plant in 2010. Many suspect Stuxnet was the work of Israeli intelligence.
Malware experts at Bitdefender have uncovered a special capability in Flame’s code that allows the virus to steal data from computers that are not connected to the internet or to any network.
Flame can move stolen data to a USB memory stick plugged into an infected machine. Bitdefender asserts that this ability has never been witnessed before. This cyberespionage virus writes stolen information to the USB stick, then apparently waits for the chance to upload it to the malware’s controllers once an infected computer that carries the stick connects to the internet.
Anyone who has spent longer than a day on a computer knows how much damage malware and other malicious code can do to a hard drive. Most of us have fallen victim to one or the other and have cursed the day the hacker who developed it was born.
Now, according to reports, some of the most sophisticated malicious code ever developed is a product of the United States government, leaving more than a few tech experts and analysts concerned that maybe now, Washington has become a bigger info-terrorist than some of the country’s worst enemies.
Eugene Kaspersky, whose lab discovered the Flame virus that has attacked computers in Iran and elsewhere in the Middle East, said on Wednesday only a global effort could stop a new era of “cyber terrorism”.
“It’s not cyber war, it’s cyber terrorism and I’m afraid it’s just the beginning of the game … I’m afraid it will be the end of the world as we know it,” Kaspersky told reporters at a cyber security conference in Tel Aviv.
“I’m scared, believe me,” he said.
News of the Flame virus surfaced last week. Researchers said technical evidence suggests it was built for the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear programme in 2010.
In recent months U.S. officials have become more open about the work of the United States and Israel on Stuxnet, which targeted Iran’s Natanz nuclear enrichment facility.
Researchers digging through the code of the recently discovered Flame worm say they have come across a wealth of evidence that suggests Flame and the now-famous Stuxnet worm share a common origin.
Researchers from Kaspersky Lab say that a critical module that the Flame worm used to spread is identical to a module used by Stuxnet.a, an early variant of the Stuxnet worm that began circulating in 2009, more than a year before a later variant of the worm was discovered by antivirus researchers at the Belarusian firm VirusBlokAda. The claims are the most direct, to date, that link the Flame malware, which attacked Iranian oil facilities, with Stuxnet, which is believed to have targeted Iran’s uranium-enrichment facility at Natanz. If true, they suggest a widespread and multi-year campaign of offensive cyber attacks against multiple targets within that country.
According to the Kaspersky researchers, writing on the company’s blog, Securelist, early versions of Stuxnet were in fact created out of components that were part of what they refer to as the “Flame platform”. But they believe development of the two malicious programs diverged after 2009, suggesting that two different development teams may have been working independently for a single entity to create malware with specific objectives.
About 900 million Windows computers get their updates from Microsoft Update. In addition to the DNS root servers, this update system has always been considered one of the weak points of the net. Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it.
Turns out, it looks like this has now been done. And not by just any malware, but by Flame.
The full mechanism isn’t yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.
This file is signed by Microsoft with a certificate that chains up to a Microsoft root, so Windows treats it as a legitimate Microsoft binary.
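As an added example (not code from the article, from Microsoft or from any of the labs quoted), here is a PowerShell check a defender could run on a dropped update binary such as the WUSETUPV.EXE the article names. Instead of stopping at the signature's Valid/NotSigned status, it walks the whole Authenticode chain and reports each link's issuer, signature hash algorithm and extended key usages, flagging weak hashes, links whose EKU does not permit code signing, and a root that is not a Microsoft root. The file path is a placeholder.

```powershell
# Added example, not code from the article: inspect every certificate in the
# Authenticode chain of a dropped update binary instead of trusting a bare
# "Valid" status. The path is a placeholder; WUSETUPV.EXE is the filename the
# article reports Flame dropping.
param([string]$Path = "C:\placeholder\WUSETUPV.EXE")

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "Authenticode status: $($sig.Status) ($($sig.StatusMessage))"
if ($null -eq $sig.SignerCertificate) { Write-Output "No signer certificate."; return }

# Build the chain the way Windows would; revocation disabled so this runs offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($sig.SignerCertificate)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'            # id-kp-codeSigning
$weakSigAlgs    = @('md2RSA', 'md4RSA', 'md5RSA', 'sha1RSA')
$findings       = @()

foreach ($el in $chain.ChainElements) {
    $c   = $el.Certificate
    $alg = $c.SignatureAlgorithm.FriendlyName
    # Collect the extended key usage OIDs, if the certificate carries any.
    $eku = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $ekuText = if ($eku) { $eku -join ',' } else { '<none>' }

    Write-Output "  $($c.Subject)"
    Write-Output "    issued by : $($c.Issuer)"
    Write-Output "    sig alg   : $alg    EKU: $ekuText"

    if ($weakSigAlgs -contains $alg) {
        $findings += "Weak signature hash ($alg) on: $($c.Subject)"
    }
    # A link that carries an EKU extension without code signing should not be
    # able to vouch for a code-signing leaf; flag any such link.
    if ($eku -and ($eku -notcontains $codeSigningOid)) {
        $findings += "EKU does not permit code signing: $($c.Subject)"
    }
}

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -notmatch 'Microsoft Root') {
    $findings += "Chain does not terminate at a Microsoft root: $($root.Subject)"
}
foreach ($s in $chain.ChainStatus) { $findings += "Chain status: $($s.Status) - $($s.StatusInformation)" }

if ($findings.Count -eq 0) { Write-Output "No findings; chain is consistent with Microsoft code signing." }
else { Write-Output "FINDINGS:"; $findings | ForEach-Object { Write-Output "  $_" } }
```

Run it as an administrator on an isolated analysis machine; every link's subject, issuer and hash algorithm is printed so an unexpected intermediate stands out even when Windows reports the signature as valid.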