Russian security firm spots cyber supervirus that tops Stuxnet

Russian Internet security firm Kaspersky Labs says the complexity and targets of the virus – which is infecting computers in Iran and elsewhere in the Middle East – imply its creator is a government.

[Photo: Vahid Salemi/AP] In this January 2011 file photo, Iranian journalism students use computers in an internet cafe in central Tehran, Iran. A new supervirus, which the Russian Internet security firm Kaspersky Labs discovered and named 'Flame,' designed to scoop up secret information like an 'industrial vacuum cleaner' is infecting computers in Iran and elsewhere in the Middle East.

A computer virus designed to scoop up secret information like an "industrial vacuum cleaner" is infecting computers in Iran and elsewhere in the Middle East, according to the Russian Internet security firm Kaspersky Labs.

The new supervirus, which Kaspersky discovered and named "Flame," is one of the most complex items of malicious software ever conceived – many times more sophisticated than the notorious Stuxnet worm – and could well be a purposeful "cyberweapon" directed against Iran, the firm said in a statement late yesterday.

Flame is "actively being used as a cyberweapon attacking entities in several countries," Kaspersky said in a statement. It is "one of the most advanced and complete attack-toolkits ever discovered.… The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date."

According to Kaspersky, the majority of infected computers are in Iran, followed by the Palestinian territories, Lebanon, Saudi Arabia, and Egypt. It said the virus has probably been active for at least two years, but has not been detected until now due to its "extreme complexity."

"Over recent years the danger of military operations in Cyberspace has been one of the most serious issues of information safety," Yevgeny Kaspersky, the firm's director, is quoted as saying in the statement. "Stuxnet and Duqu were parts of one circuit of cyber attacks; their application raised concerns of a potential unleashing of global cyber war. Harmful Flame, most likely, is next stage of that war. It is important to understand, that this cyberweapon can be easily turned against any state."

The firm said it found the virus accidentally, after it was hired by the United Nations International Telecommunications Agency to trace the source of unexplained glitches and deletions of sensitive information in the agency's Middle East operations. A spokesman for Kaspersky told journalists yesterday that the virus's creator "remains unknown"; but it is probably a government, not only because of its huge size and complexity, but also because it does not appear to be designed to steal bank account information or perform the sorts of tasks usually set by private criminal hackers.

Stuxnet, which reportedly wreaked havoc on Iran's nuclear program, was designed to disrupt and destroy sensitive industrial systems. The new virus, which Kaspersky admits it does not yet fully understand, appears to evade detection, bury itself deeply, and continue siphoning off vital data for years.

Iran's official Maher Labs, a division of Iran's telecommunications ministry, said on its website today that "tools to recognize and clean this malware have been developed and, as of today, they will be available for those [Iranian] organizations and companies who want it."

Among the key characteristics of the virus, Maher said, are "distribution via removable medias and local networks, network sniffing, detecting network resources and collecting lists of vulnerable passwords, scanning the disk of infected system looking for specific extensions and contents, creating series of user’s screen captures when some specific processes or windows are active, transferring saved data to control servers, and bypassing tens of known antiviruses, anti malware and other security software."

The virus can infect computers running any Windows-based operating system, it said.

"We can clean this virus now, but we are still analyzing and discovering what it's capable of," says Vitaly Kamluk, chief malware expert at Kaspersky. "It took years to detect and understand Duqu and Stuxnet. These were highly professional tools that evaded us for a long time. Flame is the newest, but there's no doubt that worse things may be out there. You can count on it."
