The Middle East fights the Flame, but virus spreads anyway

Flame virus has infected more than 1,000 Windows-powered computers across the Middle East, according to reports.

Vahid Salemi/AP/File
This file photo shows the Maroun Petrochemical plant in southwestern Iran. In September 2011 engineers took the plant -- and Iran's oil ministry -- offline in response to a computer virus. Flame, a new virus, doesn't seem to be targeting any specific industry, but it is mining data from infected computers in Iran and other parts of the Middle East.

Iranian IT workers just can't catch a break.

Two years ago there was Stuxnet, a virus that targeted Iranian uranium-enrichment infrastructure. Now Flame, a mutating piece of malware, is continuing to spread, infecting more than 1,000 Windows-powered computers across the Middle East. It's centered on Iran, but has also spread to Israel and Palestine, Saudi Arabia, Syria, and even Sudan.

Although Flame was first discovered about two weeks ago, it's still not clear who is behind the software. Last week the New York Times quoted an Iranian cyberdefense official who said the virus's encryption looked like Israel's handiwork. Kaspersky Lab, a Russian antivirus company, said Flame might have been created by the same contractors who were responsible for Stuxnet, working with a different team of programmers. Flame is a targeted virus, just as Stuxnet was, but while the latter was aimed at industrial control systems, Flame doesn't appear to be targeting any particular industry or system -- just Windows PCs in the Middle East.

Flame makes use of what are called "zero-day" vulnerabilities: flaws in software (in this case, the Windows 7 operating system) that no one else knew about. One of the ways Flame spreads is by faking the Windows Update dialog: it tricks the user into downloading an "update," when really they're receiving malware from another infected machine. This vulnerability allows Flame to infect even computers with recent Windows security patches. On Monday Microsoft announced that it had fixed the fake-update bug, and told users that the update would protect from further infection.

Flame is a huge virus -- 20 megabytes of various modules, databases, and varying levels of encryption. It's 40 times larger than Stuxnet, and it's been operating for at least two years without having been detected. So far researchers have a pretty good idea of what it's designed to do -- steal and transmit information from infected machines -- but because it contains so much code, it will take years to fully analyze. So far we know it can activate a computer's built-in microphone to record Skype conversations, siphon contact information from an address book, and transmit screenshots of user activity.

Here's the funny thing, though: many of Flame's modules aren't turned on by default -- they appear to be included in the program to give attackers more options after it's is installed. For example, in addition to the bogus update dialog, the virus has the capability to spread itself through infected USB drives or through a shared printer. But computers with up-to-date antivirus software would be able to detect and prevent this tactic, so Flame first checks to see whether it's running on a patched system, and won't attempt to spread through these methods if it is. Researchers think this low-profile design is what has allowed the virus to operate quietly since 2010.

In spite of its fairly conventional data-theft tactics, the consensus is that it's the work of a nation-state rather than just a group of programmers -- Finnish security firm F-Secure said that it was "most likely launched by a Western intelligence agency." So it may be another indication of the role that cyberwarfare will play in future conflicts.

For more tech news, follow us on Twitter @venturenaut.

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.