A Russian security firm says it has uncovered a computer worm 20 times more intricate than the Stuxnet worm; it says the worm is mainly concentrated in Iranian computers and has been there at least two and possibly five years stealing information.
The worm is not designed to disable nuclear centrifuges like Stuxnet. Instead, it is planted to steal information. It can even turn on a computer’s microphone and record conversations in the room.
If this spyware has been operating inside Iran’s nuclear program for years, the volume of information the operator would have gained would likely be massive.
Named Flame, the new worm is the most complex piece of malicious software discovered to date, according to Kaspersky Lab senior security researcher Roel Schouwenberg, whose company discovered the virus.
Schouwenberg said he did not know who built Flame. But he warned there are probably other cases of malware no one is aware of.
“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about,” Schouwenberg said in an interview with Reuters.
He said the complexity and the fact that it wasn’t intended to steal financial data suggested it was the product of a government lab. Suspicions immediately settled on the United States and Israel, though experts said other states were capable of such work.
Iran’s computer emergency response team was generally dismissive, saying it had already designed software to detect and remove Flame and distributed that software in May.
Researchers at Kaspersky said they were only starting to understand how Flame works because it is so complex.
The Lab’s research shows the largest number of infected machines is in Iran, followed by the Israel/Palestine region, then Sudan and Syria.
The virus contains about 20 times as much code as Stuxnet, which attacked the Iranian uranium enrichment plant at Natanz in 2010, causing centrifuges to fail. Flame has about 100 times as much code as a typical worm designed to steal financial information, Schouwenberg said.
Flame can gather data files, remotely change settings on computers, log keyboard strokes, turn on PC microphones to record conversations, take screen shots and log instant messaging chats. Schouwenberg said the stolen data was being sent to more than 80 servers.
He said there was evidence to suggest the code was commissioned by the same nation or nations behind Stuxnet and Duqu, which were built on a common platform.
Both Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and employ a similar way of spreading. That means the teams that built Stuxnet and Duqu might have had access to the same technology as the team that built Flame, he said.
A Hungarian firm said it had evidence Flame had been around for eight years.
Schouwenberg said he believed the attack was highly targeted, aimed mainly at businesses and academic institutions. He estimated that no more than 5,000 personal computers around the world have been infected, including a handful in North America.
Mohan Koo, director of the British cyber security firm Dtex Systems, said of those who developed Flame, “The scary thing for me is: if this is what they were capable of five years ago, I can only think what they are developing now.”
Alexander Klimburg, who handles cyber security issues at the Austrian Institute for International Affairs, said, “If a government initiated the attack, it might not care that the attack was discovered. The psychological effect of the penetration could be nearly as profitable as the intelligence gathered.”
Kaspersky Lab discovered Flame while investigating reports that a virus dubbed Wiper was attacking computers in Iran.
The International Telecommunication Union, a UN agency, asked Kaspersky Lab to investigate those reports. Schouwenberg said his team discovered Flame while doing that work for the UN, but failed to turn up anything that resembled Wiper.