Kaspersky has reported discovering a remarkably sophisticated piece of spyware after being asked to investigate suspected malware causing information loss at an Iranian oil refinery/depot. They believe it has been around since August 2010.
Photo credit: Kaspersky Labs
The countries affected appear to be Israel, Iran, Sudan, Syria, Lebanon and Saudi Arabia.
There are three classes of malware/spyware producers: hacktivists, cybercriminals and nation states. Tracing an attack back and identifying its targets gives a strong hint as to which of these groups the author(s) belong to.
In this case there's no doubt some nation state is responsible, based on the targets, the sophistication of the attack and the research needed to produce such software. I'm betting the NSA.
This spyware takes screenshots of emails every time an email program is opened, and if a conversation is going on near a computer with a microphone, it records, compresses and sends the conversation. It appears to be an information-gathering tool only, not designed to damage the systems it resides on.
Stuxnet was simple-minded compared to this one. Flame is like a tool kit that can go after whatever its operator wants, since after the initial infection additional modules can be added, like plugins to a browser. Apparently there are more than twenty such modules in its full library. I read hints of this in the past (with there being five such modules at the time), around the time I brought Duqu to your attention. At that point, Flame hadn't been publicly differentiated from Duqu.
Flame appears to have infected over 600 very specific targets. So don't worry; I doubt yours is on the list.
There will be many more interesting developments in this story, and as they come up I'll do my best to keep you all abreast.
Update (6/5/2012): It now appears that the Flame/Skywiper virus/Trojan exploited a 'hole' in an MS program to disguise itself as that program in order to grab blueprints and specs of the Iranian-Russian reactors, as well as to capture screenshots and the communications of those using those specs, and more.
http://www.wired.com/threatlevel/2012/05/flame/ - A much more comprehensive history and analysis.