© Jim Urquhart/Reuters
An analyst looks at code in the malware lab of a cybersecurity defence lab at the Idaho National Laboratory. Computer viruses, such as the recently identified Flame worm, are being increasingly used as tools of state espionage.
A new kind of malware that is more sophisticated and damaging than the notorious Stuxnet and Duqu worms is likely being deployed by a nation state, say the cybersecurity firms that uncovered it.

"Duqu and Stuxnet raised the stakes in the cyberbattles being fought in the Middle East, but now we've found what might be the most sophisticated cyberweapon yet unleashed," wrote analyst Alexander Gostev in a blog post on the website of Kaspersky Lab Monday.

Moscow-based Kaspersky Lab, Budapest-based Laboratory of Cryptography and System Security (CrySysLab) and Iran's Maher Computer Emergency Response Team Co-ordination Centre (CERTCC) have all independently uncovered the Trojan while investigating widescale cyberattacks.

The worm, which has variously been dubbed Flame, Flamer or SkyWiper, is able to mine a vast array of data from infected machines by:
  • Surveying network traffic.
  • Taking screenshots, including in instant messaging programs.
  • Recording audio conversations via a computer's internal microphone.
  • Collecting passwords.
  • Intercepting keyboard actions
  • Gleaning information from devices connected to the infected machine by Bluetooth.
  • Scanning hard drives for specific file extensions or content.
  • Transmitting data to servers that control the malware
"Flame is one of the most complex threats ever discovered," Gostev wrote.

It far surpasses Stuxnet and Duqu, two worms behind cyberattacks against technology related to Iran's nuclear energy program, both in size - the program used to deploy it is 20 MB versus about 500 KB - and in its capability to steal information in so many different ways.

"It's a complete attack tool kit designed for general cyber-espionage purposes," writes Gostev.

7 countries hit

Like other viruses, it is able to replicate across a local network and removable devices such as USB sticks and portable drives and is controlled through a series of command-and-control servers around the world, which can also remotely remove every trace of the worm.

Just how it initially enters a computer is not yet known.

Kaspersky Lab discovered the worm, codenamed Worm.Win32.Flame, while carrying out work for the International Telecommunication Union, a United Nations agency, which had asked it to try to trace malware that was deleting sensitive information from computers in several countries in the Middle East.

Gostev said his company is still analysing the malware but that it is certain it was deployed in August 2010 and has been circulating since around February or March 2010 and possibly in earlier versions before that.

It has ruled out the possibility that the malware was created by hacktivists or cybercriminals because its intention is not to steal money, its architecture is vastly more complex than that used by hackers and its targets have been confined to several countries in the Middle East and Africa.

The company has concluded that it is likely the work of a nation state.

Kaspersky has so far identified seven countries that have been affected by Flame attacks:
  • Iran (189 targets)
  • Israel and Palestine (98 targets)
  • Sudan (32 targets)
  • Syria (30 targets)
  • Lebanon (18 targets)
  • Saudi Arabia (10 targets)
  • Egypt (5 targets)
Variety of targets

So far, there doesn't seem to be a pattern to the types of targets attacked. Individuals, educational institutions and state-related organizations have all been hit, Gostev said.

"From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence - emails, documents, messages, discussions inside sensitive locations, pretty much everything," Gostev writes. "We have not seen any specific signs indicating a particular target, such as the energy industry."

Iran's nuclear energy infrastructure was one of the targets of the Stuxnet cyberattack in 2010, so there will likely be suspicions that the newly identified worm might be deployed in similar ways.

The Stuxnet worm specifically targeted Siemens software and equipment, which is the basis of Iran's uranium-enrichment infrastructure, and did significant damage to Iran's nuclear capabilities.

Cybersecurity experts suspect it was created by Israeli or U.S. programmers at the behest of intelligence agencies in those countries.