Flamer starts a flame war over origin

Nation-state or not? Security researchers find indications the malware that targeted Iranian systems was professionally developed, but evidence is still scarce

Calling it "what might be the most sophisticated cyber weapon yet unleashed," security firm Kaspersky announced on Monday it had begun analyzing a large and complex program that had plagued Iranian computers for at least the last two years. The program -- alternately referred to by researchers as Flamer, Flame, and Skywiper -- has some circumstantial similarities to Stuxnet and Duqu, two other attacks that researchers believe smack of government involvement.

Conjecture over Flamer's origin is already reaching a fever pitch. Like Stuxnet and Duqu, Flamer targeted systems in Iran, although all three were found in other countries as well. Each program appeared to have been written by a "well-funded" group of programmers.

"Flame can easily be described as one of the most complex threats ever discovered," writes Aleks Gostev, chief security expert at antivirus firm Kaspersky Labs. "It's big and incredibly sophisticated. It pretty much redefines the notion of cyber war and cyber espionage."

Security firm Symantec and academic research group CrySyS Lab echoed the sentiments in their own analyses of the program, calling the attack "complex (and) modular" and "very advanced," respectively. CrySyS Lab is the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics.

"The fact that the threat has been around for so long and just looking at the scope of things that the threat actually does -- these things are not written by a basement hacker," says Vikram Thakur, security response manager for Symantec.

The claims garnered a mixed, but vocal, response from other security researchers, some of whom apparently doubt that the malware is the work of a well-funded program. The fact that the attack could spread through a variety of channels and monitored those channels was nothing special, said Chris Wysopal, CTO for Veracode, an application vulnerability management firm. His sarcastic take: "Flame is so sophisticated it can spread via USB, insecure network shares, and known vulnerabilities!" Most modern malicious programs include those capabilities.

Other security researchers also were skeptical that the only explanation for the attack was a well-funded adversary, usually industry code for a national cyber program.

It is clear, however, that the program is quite large, using a number of modules and a variety of encryption methods -- all signs that it was likely worked on by a team. In addition, the program collects a lot of functionality in a single place, something not often seen outside of a few popular malware tools, such as the Zeus crimeware program. Flame, for example, can grab information from a variety of sources, such as the keyboard, monitor screen, built-in microphone, storage devices, Wi-Fi, Bluetooth, and USB, as well as tap into system processes and spread over the network, according to the CrySyS report.

Flame-infected systems have appeared in Hungary, Iran, Lebanon, and the Palestinian West Bank, with additional reports in Austria, Russia, Hong Kong, and the United Arab Emirates, according to Symantec.

This story, "Flamer starts a flame war over origin," was originally published at InfoWorld.com.

Copyright © 2012 IDG Communications, Inc.