Malicious new programme is actively being used in several countries
Abingdon, UK, 28 May 2012 – Kaspersky Lab has announced the discovery of a highly sophisticated malicious programme that is actively being used as a cyber weapon and is now attacking entities in several countries. The complexity and functionality of the newly discovered malicious program exceeds those of all other cyber menaces known to date.
The malware was discovered by Kaspersky Lab’s experts during an investigation prompted by the International Telecommunication Union (ITU). The malicious program, detected as Worm.Win32.Flame by Kaspersky Lab’s security products, is designed to carry out cyber espionage. It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and even audio conversations.
The independent research was initiated by ITU and Kaspersky Lab after a series of incidents with another, still unknown, destructive malware programme – codenamed Wiper – which deleted data on a number of computers in the Western Asia region. This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in co-ordination with ITU, came across a new type of malware, now known as Flame. Preliminary findings indicate that this malware has been “in the wild” for more than two years - since March 2010. Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it.
Although the features of Flame differ compared with those of previous notable cyber weapons such as Duqu and Stuxnet, the geography of attacks, use of specific software vulnerabilities, and the fact that only selected computers are being targeted all indicate that Flame belongs to the same category of super-cyberweapons.
Commenting on uncovering Flame, Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, said: “The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet.
Alexander Gostev, Chief Security Expert at Kaspersky Lab, commented: “The preliminary findings of the research, conducted upon an urgent request from ITU, confirm the highly targeted nature of this malicious programme. One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveying infected systems, collecting information and targeting new systems to accomplish its unknown goals.”
Kaspersky Lab’s experts are currently conducting deeper analysis of Flame. Over the coming days a series of blog posts will reveal more details of the new threat as they become known. For now what is known is that it consists of multiple modules and is made up of several megabytes of executable code in total - making it around 20 times larger than Stuxnet. This means that analysing this cyber weapon requires a large team of top-tier security experts and reverse engineers with vast experience in the cyber defence field.
ITU will use the ITU-IMPACT network, consisting of 142 countries and several industry players, including Kaspersky Lab, to alert governments and the technical community about this cyber threat, and to expedite the technical analysis.
Further details can be found in the Flame FAQ prepared by Kaspersky Lab’s security researchers at Securelist.com.
ITU is the leading United Nations agency for information and communication technology. For over 145 years, ITU has coordinated the shared global use of the radio spectrum, promoted international cooperation in assigning satellite orbits, worked to improve communication infrastructure in the developing world, and established the worldwide standards that foster seamless interconnection of a vast range of communications systems. From broadband networks to new-generation wireless technologies, aeronautical and maritime navigation, radio astronomy, satellite-based meteorology and converging fixed-mobile phone, Internet and broadcasting technologies, ITU is committed to connecting the world. www.itu.int
About Kaspersky Lab
Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The company is ranked among the world’s top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry’s fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. Learn more at www.kaspersky.co.uk. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit http://www.securelist.com.
Follow us on Twitter
Like us on Facebook
Telephone: 0118 909 0909
Fax: 0118 988 6911
1650 Arlington Business Park
RG7 4SA, Reading
Kaspersky Lab UK
Telephone: 0871 789 1633
Milton Business Park
OX14 4RY, Oxford
© 2012 Kaspersky Lab. The information contained herein is subject to change without notice. The only warranties for Kaspersky Lab products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for technical or editorial errors or omissions contained herein.