A frightening computer virus called Flame is on the loose in Iran and other parts of the Middle East, infecting PCs and stealing sensitive data. Now, the United Nations' International Telecommunications Union warns that other nations face the risk of attack.
But what is Flame, exactly, and is it cause for concern among ordinary PC users? Here's what you need to know about what Kaspersky calls "one of the most complex threats ever discovered."
[ Also on InfoWorld: Flamer starts a flame war over origin. | Learn how to secure your systems with InfoWorld's Malware Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]
Flame virus: The basics
Kaspersky describes Flame as a backdoor and a Trojan with worm-like features. The initial point of entry for the virus is unknown -- spear phishing or infected websites are possibilities -- but after the initial infection, the virus can spread through USB sticks or local networks.
Flame is meant to gather information from infected PCs. As Kaspersky's Vitaly Kamlyuk told RT, the virus can sniff out information from input boxes, including passwords hidden by asterisks, record audio from a connected microphone, and take screenshots of applications that the virus deems important, such as IM programs. It can also collect information about nearby discoverable Bluetooth devices. The virus then uploads all this information to command and control servers, of which there are about a dozen scattered around the world.
The virus is reminiscent of the Stuxnet worm that wreaked havoc on Iran in 2010, but Kaspersky says Flame is much complex, with its modules occupying more than 20MB of code. "Consider this: it took us several months to analyze the 500K code of Stuxnet. It will probably take year to fully understand the 20MB of code of Flame," the firm said.
What are Flame's origins?
Flame has been in the wild since 2010, according to Kaspersky, but its creation date is unclear. The virus was discovered a month ago after Iran's oil ministry learned that several companies' servers had been attacked. That finding led to more evidence of attacks on other government ministries and industries in Iran.
Iran has claimed that the attacks also wiped the hard drives of some machines, but Kaspersky claims that the malware responsible, called Wiper, isn't necessarily related. Wiper attacks were isolated to Iran, while Flame has been found in other countries.
Flame's creator is also unknown, but a nation-state was likely behind it. The virus is not designed to steal money from bank accounts, and is much more complex than anything commonly used by "hacktivists," so a nation-created virus is the only other possibility that makes sense.
Who is at risk?
The United Nations' International Telecommunications Union is now warning other nations to "be on alert" for the virus, which could potentially be used to attack critical infrastructure. In a statement to Reuters, the U.S. Department of Homeland Security said it was "notified of the malware and has been working with our federal partners to determine and analyze its potential impact on the U.S."
Security firms have not been warning of any direct risk to average Internet users. Sophos' Graham Cluley noted that Flame has only been discovered in a few hundred computers. "Certainly, it's pretty insignificant when you compare it to the 600,000 Mac computers which were infected by the Flashback malware earlier this year," Cluley wrote in a blog post.
This story, "FAQs: The Flame virus" was originally published by PCWorld.