longbrained
SENIOR MEMBER
- Joined
- Mar 28, 2011
- Messages
- 3,390
- Reaction score
- 0
Iran uncovers Stuxnet-style Flame attack
Iran claims to have uncovered a new high-profile malware attack targeting its IT systems called Flame, following on from the Stuxnet and Duqu attacks dating back to 2010.
The Iranian Computer Emergency Response Team (Maher) revealed it had discovered the attack in a statement on its website. Maher claimed it had avoided detection from 43 different anti-virus tools but was now in the process of being removed.
"The name 'Flamer' comes from one of the attack modules, located at various places in the decrypted malware code. In fact this malware is a platform which is capable of receiving and installing various modules for different goals," the team explained.
"A detector was created by Maher centre and delivered to selected organisations and companies in [the] first days of May. And now a removal tool is ready to be delivered."
Maher said the malware was able to carry out several high-profile functions, including network monitoring, disk scanning, screen capturing, recording sound from in-built microphones and infiltrating various Windows systems. It added that Flame can be passed on via devices such as USB sticks.
The agency hinted that the advanced nature of the attack suggested it could well be the same organisation or group behind previous attacks on Iran's infrastructure.
"According to file naming conventions, propagation methods, complexity level, precise targeting and superb functionality, it seems that there is a close relation to the Stuxnet and targeted attacks," it said.
"The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat."
No-one has ever been identified as launching the previous attacks on Iran but several major nations have been cited as potential antagonists such as Israel.
Kaspersky Labs revealed it helped uncovered the Flame malware, having been contacted by the UN’s International Telecommunication Union to help discover why sensitive information was being deleted across the Middle East. In the process, the security vendor discovered Flame, which it said might be the “most sophisticated cyber weapon yet unleashed”.
“Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators,” wrote Kaspersky researcher Alexander Gostev.
“Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyber-espionage.”
Iran uncovers Stuxnet-style Flame attack - IT News from V3.co.uk
Iran targeted by 'Flame' espionage virus
Iran targeted by 'Flame' espionage virus - Telegraph
Iranian computer networks have been targeted by a cyber espionage virus many times more complicated than any malicious software ever seen before, security experts have said.
The virus, named Flame or Skywiper, could only have been created by a state, according to analysts who have investigated it and the pattern of infection.
The results of our technical analysis support the hypotheses that Skywiper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” said Crysys Lab, a unit that investigates computer viruses at Budapest University.
The discover of the Flame/Skywiper, which may have been in circulation for more than five years, offers further confirmation of the secret battle being waged by intelligence agencies online.
Although its purpose is to steal information rather than cause physical damage, Flame/Skywiper is said to be a much more complicated piece of malicious software than Stuxnet, the groundbreaking virus designed to cripple Iranian uranium enrichment.
"Information gathering from a large network of infected computers was never crafted as carefully," Crysys Lab said.
"It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes."
In their preliminary technical report, the investiagtors describe unprecedented layers of software, designed to allow Flame/Skywiper to penetrate computer networks undetected. The 20MB file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.
Various components of Flame/Skywiper enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus, to turn microphone into listening devices, siphon off documents and log keystrokes.
Eugene Kaspersky, the founder of the Russian anti-virus firm Kaspersky Lab, which has also analysed the virus, noted that “it took us 6 months to analyze Stuxnet. [This] is 20 times more complicated”.
Iran’s Computer Emergency Response Team, Maher, today issued a statement claiming Flame/Skywiper was "a close relation" of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus is believed to be the work of state intelligence. Many experts suspect Stuxnet was created by the United States and Israel.
Crysys Lab said the technical evidence for a link between Flame/Skywiper and Stuxnet or Duqu was inconclusive, however. While they shared many common components, the newly-discovered virus bears little resemblance; for instance Flame/Skywiper does not spread itself automatically but only when hidden controllers allow it.
In its statement, published online, Maher said selected organisations had been given software to detect and remove the newly-discovered virus at the beginning of May.
As well as Iran, Flame/Skywiper infections have been detected in the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
Iran claims to have uncovered a new high-profile malware attack targeting its IT systems called Flame, following on from the Stuxnet and Duqu attacks dating back to 2010.
The Iranian Computer Emergency Response Team (Maher) revealed it had discovered the attack in a statement on its website. Maher claimed it had avoided detection from 43 different anti-virus tools but was now in the process of being removed.
"The name 'Flamer' comes from one of the attack modules, located at various places in the decrypted malware code. In fact this malware is a platform which is capable of receiving and installing various modules for different goals," the team explained.
"A detector was created by Maher centre and delivered to selected organisations and companies in [the] first days of May. And now a removal tool is ready to be delivered."
Maher said the malware was able to carry out several high-profile functions, including network monitoring, disk scanning, screen capturing, recording sound from in-built microphones and infiltrating various Windows systems. It added that Flame can be passed on via devices such as USB sticks.
The agency hinted that the advanced nature of the attack suggested it could well be the same organisation or group behind previous attacks on Iran's infrastructure.
"According to file naming conventions, propagation methods, complexity level, precise targeting and superb functionality, it seems that there is a close relation to the Stuxnet and targeted attacks," it said.
"The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat."
No-one has ever been identified as launching the previous attacks on Iran but several major nations have been cited as potential antagonists such as Israel.
Kaspersky Labs revealed it helped uncovered the Flame malware, having been contacted by the UN’s International Telecommunication Union to help discover why sensitive information was being deleted across the Middle East. In the process, the security vendor discovered Flame, which it said might be the “most sophisticated cyber weapon yet unleashed”.
“Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators,” wrote Kaspersky researcher Alexander Gostev.
“Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyber-espionage.”
Iran uncovers Stuxnet-style Flame attack - IT News from V3.co.uk
Iran targeted by 'Flame' espionage virus
Iran targeted by 'Flame' espionage virus - Telegraph
Iranian computer networks have been targeted by a cyber espionage virus many times more complicated than any malicious software ever seen before, security experts have said.
The virus, named Flame or Skywiper, could only have been created by a state, according to analysts who have investigated it and the pattern of infection.
The results of our technical analysis support the hypotheses that Skywiper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” said Crysys Lab, a unit that investigates computer viruses at Budapest University.
The discover of the Flame/Skywiper, which may have been in circulation for more than five years, offers further confirmation of the secret battle being waged by intelligence agencies online.
Although its purpose is to steal information rather than cause physical damage, Flame/Skywiper is said to be a much more complicated piece of malicious software than Stuxnet, the groundbreaking virus designed to cripple Iranian uranium enrichment.
"Information gathering from a large network of infected computers was never crafted as carefully," Crysys Lab said.
"It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes."
In their preliminary technical report, the investiagtors describe unprecedented layers of software, designed to allow Flame/Skywiper to penetrate computer networks undetected. The 20MB file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.
Various components of Flame/Skywiper enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus, to turn microphone into listening devices, siphon off documents and log keystrokes.
Eugene Kaspersky, the founder of the Russian anti-virus firm Kaspersky Lab, which has also analysed the virus, noted that “it took us 6 months to analyze Stuxnet. [This] is 20 times more complicated”.
Iran’s Computer Emergency Response Team, Maher, today issued a statement claiming Flame/Skywiper was "a close relation" of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus is believed to be the work of state intelligence. Many experts suspect Stuxnet was created by the United States and Israel.
Crysys Lab said the technical evidence for a link between Flame/Skywiper and Stuxnet or Duqu was inconclusive, however. While they shared many common components, the newly-discovered virus bears little resemblance; for instance Flame/Skywiper does not spread itself automatically but only when hidden controllers allow it.
In its statement, published online, Maher said selected organisations had been given software to detect and remove the newly-discovered virus at the beginning of May.
As well as Iran, Flame/Skywiper infections have been detected in the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
