Security players fan Flames of complex malware risk

Virus alert

Kaspersky has described the newly discovered Flame malware as one of the most complex pieces of malicious software in the history of cybercrime.

The Russian anti-virus vendor claims the malware can steal information from targeted systems, including stored files, contact data and audio conversations, and described it as a tool for "cyber espionage."

The wide variety of data it can steal has led Kaspersky to describe it as "one of the most advanced and complete attack-toolkits ever discovered."

The firm claims to have uncovered the software following an investigation into another type of malware called Wiper that has been credited with erasing data from a number of computers in Western Asia.

"During the analysis of these incidents, Kaspersky Lab's experts came across a new type of malware, now known as Flame," explained the company in a blog post.

"Preliminary findings indicate that this malware has been 'in the wild' since March 2010... [and] due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it."

The malware is thought to operate by stealing data from infected machines, which is then passed onto a network of command-and-control servers located across the world.

"The exact infection vector is still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet," said the blog post.

Compared to Stuxnet, a piece of malware that emerged in 2010 with the capability to stage four zero-day attacks at once, Flame is around 20 times larger.

"What is known is that it consists of multiple modules and is made up of several megabytes of executable code in total, meaning that analysing this cyber weapon requires a large team of top-tier security experts and reverse engineers with vast experience in the cyber defence field," the post concluded.

David Harley, senior researcher at internet security vendor ESET, said the malware is also understood to have attacked systems in Western Asia and Eastern Europe.

"Perhaps the most interesting feature is that the Iran National CERT has volunteered to share samples with security vendors, despite the fact that many software vendors (notably those headquartered in the US) are unable to trade legally with Iran," said Harley.

"This restriction may have hampered initial detection of the malware by security vendors outside the region, but samples have subsequently trickled into the mainstream via secondary sources."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.