Tuesday, May 29, 2012

Flame/Skywiper: New, Improved ‘Cyber Espionage Virus’ Targets Iran & Mideast

The Daily Telegraph reports on what it calls a computer virus, nicknamed Flame or Skywiper, that has infected computers in Iran (with particular emphasis on the Iranian nuclear weapons program), and compares it favourably (or unfavourably, if one is Iranian) to the earlier Stuxnet and Duqu.
(It seems to me that the term ‘virus’ could be misapplied here.  In nature, a virus – an incredibly simple yet malignant infectious agent – spreads uncontrollably and with no other purpose but to survive and multiply, and no other outcome but to deleteriously affect its host, even to the point of destruction.  There are similar computer versions that exist, but these cases here involve a sophisticated program that is directed and has a particular target.  I would suggest something like a ‘cyber-war program’ instead.)

Flame has been analysed by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics, the same group that discovered Duqu (Stuxnet itself was first reported by the Belarusian anti-virus firm VirusBlokAda).  While there is some discussion as to the extent of connectedness between the earlier two and this new programme (as detailed in the report by Fox News), Flame is much more complex.  Although it has only recently been discovered and analysed, it could have been in place for up to five years.

Although its purpose is to steal information rather than cause physical damage, Flame/Skywiper is said to be a much more complicated piece of malicious software than Stuxnet, the groundbreaking virus designed to cripple Iranian uranium enrichment. . . .
In their preliminary technical report, the investigators describe unprecedented layers of software, designed to allow Flame/Skywiper to penetrate computer networks undetected. The 20MB file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more. 
Various components of Flame/Skywiper enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus, to turn microphones into listening devices, siphon off documents and log keystrokes. 
Eugene Kaspersky, the founder of the Russian anti-virus firm Kaspersky Lab, which has also analysed the virus, noted that “it took us 6 months to analyze Stuxnet. [This] is 20 times more complicated”.
The background of this cyberwar attack is fascinating, and its enormous complexity lends at least circumstantial evidence that these programmes had to be developed with backing on a national scale, though it is currently unknown which country or countries are behind them.  (The smart money, though, is betting on Israel and the US, but I would not rule out other players as well.)  For example, Stuxnet targeted the industrial control software and equipment of Siemens, the German industrial giant, and hid its modifications to the Siemens controllers by hooking the vendor's own Step7 software, so that an engineer inspecting a controller through the usual tools saw nothing amiss.  In an exquisite touch, the Siemens equipment was embargoed for use by Iran but was secretly acquired anyway.
As well as Iran, Flame/Skywiper infections have been detected in the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt [and elsewhere].
There is also this tidbit from the Fox report:
Detecting these and other incidents becomes harder as the coders become more clever.  Schouwenberg [of Kaspersky] said that one Flame module is an incredibly savvy uninstaller, which lets the cyberweapon carefully extract itself from a computer before buffing the insides to clean out all traces of itself.
“You have no idea that that machine was previously infected with Flame.  Which is kind of scary, when you think about it.”
