The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.All you need is the soundtrack to 24, Jack Bauer shouting “There’s no time!” every couple of minutes, and you have a gripping film.
Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.
It’s unclear at this point how exactly Flame gains a point of entry--Kaspersky thinks it’s probably targeted attacks--but they do know that the cyber weapon is a Trojan with worm-like features. It can replicate itself within local networks and on removable media. Flame’s operators can see just about anything and everything on an infected machine, from keystrokes to screenshots to network traffic sniffing.
Part of the reason that Flame is that it’s really large (20MB), hiding in plain sight as it were, as opposed to most malware, which is compactly written so as to be inconspicuous. One terrifying feature of Flame is that it can record audio through a device’s internal microphone.
Kaspersky believes that Flame was originated by a nation state, as opposed to a hacktivist or cybercriminal group. Flame doesn’t appear to be targeting any particular industry or organization, although there are multiple variations of the malware in the wild already.
In an update to the post, Kaspersky said that Flame is the same malware as “SkyWiper”, discovered by CrySys Lab, and “Flamer”, which was found by the Iran Maher CERT group.