Iran is once again in the crosshairs of an international cyberattack. On May 28, almost two years after a sophisticated virus known as Stuxnet wrecked some of the country’s uranium enrichment equipment, Tehran asked international security researchers for help fighting off an infection targeting computers in the energy sector. Experts have just begun to analyze the oversized virus’s 650,000 lines of code. McAfee’s Dave Marcus notes that big pieces of malware are often called “100-meter dashes”—the length of the code if printed out. “This one is 1.5 miles in printed paper,” he says.
One thing that’s already apparent is that the virus, known as Flame, is hungry for information. It can orchestrate a number of furtive actions that usually don’t all appear in a single virus. Flame can monitor keystrokes, steal passwords, turn on victims’ microphones to record conversations, and take screenshots of Internet sessions. It’s able to send the captured information to so-called command-and-control servers around the world and receive software updates from them. It’s essentially a permanent desktop spy.
Because of the target and the malware’s complexity, Flame is suspected of being the work of a government, possibly spy agencies in the U.S. and Israel. Both countries have deflected questions about their involvement. When asked by Israel’s Army Radio, Israeli Vice Prime Minister Moshe Yaalon said it is “reasonable whoever sees the Iranian threat as significant would use various measures, including this, in order to hurt it.” He added that Israel is “blessed as a country rich in advanced technology” and that the tools “open to us all sorts of possibilities.” The U.S. Department of Homeland Security has no comment.
Kaspersky Lab, a Moscow-based security company, says that Flame is among the most powerful cyber “super-weapons” used in the Middle East, putting it on par with the Stuxnet attack, which reportedly set back Iran’s nuclear program by several months. Stuxnet impressed security researchers in part because it attacked computers using four “zero-day” exploits, which are essentially passageways into a computer’s operating system unknown to anyone but the attackers—and therefore unguarded. Flame is different, and targets vulnerabilities that are well known to technologists at this point, including two of the same ones exploited by Stuxnet. Security patches have been created to protect against them, but many users don’t update their software regularly.
That doesn’t mean Flame is any less sophisticated or effective, however. “Good attackers know their victims,” says Marcus, who heads McAfee’s Advanced Research and Threat Intelligence division. Whoever wrote Flame may have done reconnaissance, analyzing the operating systems on target computers in Iran and noting which patches they lacked and how best to infiltrate them. If the machines didn’t have the latest software updates, it would have been unnecessary to use a Stuxnet-style zero-day exploit, which are extremely difficult to find and sell for hundreds of thousands of dollars on underground markets. “You don’t waste your zero-days on low-hanging fruit,” says Marcus.
It’s also possible Flame predates Stuxnet but was just now discovered. There is evidence in the virus’s code that it has been active since 2007, though Marcus warns such signs can be faked or interpreted incorrectly. Despite the possibility that it’s been spreading for years, the virus has been highly selective and is on only a few hundred machines, according to Kaspersky. The low profile may have helped Flame stay hidden. “This is the classic case of a targeted threat,” says Joe Jaroch, a security researcher at Webroot, a security firm. “The most effective way to get around security measures is to send to only a handful of users.”
In the few days security researchers have had to unravel the virus, they’ve been able to pinpoint and shut down dozens of the command-and-control servers used to relay instructions to infected machines, according to McAfee’s Marcus. Flame can also communicate wirelessly, via a Bluetooth signal—a rare capability for malware. That means that even if all the command-and-control servers are cut off, a person with a mobile device walking or driving near any of the infected machines could still communicate with them.
Dave Aitel, a former computer scientist with the National Security Agency and now CEO of Immunity Inc., a security firm, says that “once a hacker gets into your system, it’s almost impossible to get them out. They know everything about you. It’s sort of like pulling an ex-wife out of your system.”