This brings the total number of known computer worms sent into Iran to eight—and hints there may be many more spy worms penetrating Iran. Clearly, the famous Stuxnet spy worm was not the sole effort to penetrate Iran, as once thought.
This new information was contained in a report released last week by an international team of researchers led by Symantec of Mountain View, California, and Kaspersky Lab of Moscow.
Stuxnet was the first such worm to be uncovered. Subsequently investigators found Flame, Duqu and Gauss.
Work on Flame, which infected mainly computers in Iran, began at least as early as December 2006, the new report said. It went undiscovered for more than five years, much longer than previously thought.
“For us to know that a malware campaign lasted this long and was flying under the radar for everyone in the community, it’s a little concerning,” Symantec Security Response researcher Vikram Thakur told Wired News.
The new information is based on access to Flame’s command-and-control servers. Command-and-control (C&C) servers are the invisible puppet masters behind computers that are silently infected. They rarely infect machines directly, but instead receive stolen information from the infected machines.
Neither company would reveal how it got access to two Flame C&C servers, but Security News Daily said it was likely the machines were seized by police in a European country, probably Germany, which participated in the Symantec/Kaspersky investigation.
Flame was discovered in late May in computers in Iran’s Oil Ministry. Subsequent analysis indicated that Flame had been created as a precursor to Stuxnet, the American-made computer worm that attacked the uranium enrichment plant at Natanz in 2010.
Flame also used an extremely complex mathematical method to present itself as Microsoft Windows Update software. As a result, Microsoft has had to revamp its procedures for pushing out software updates.
Last week’s report says traffic logs from one server indicated the number of infected machines, once thought to be under 1,000, was much higher.
“During a period of just one week (25 March – 2 April), 5,377 unique IPs [Internet Protocols or computer addresses] were seen connecting to the server, the vast majority in Iran: 3,702,” said the blog posting written by Kaspersky’s Global Research and Analysis Team.
“If just one server handled 5,000+ victims during a one-week period and given several servers were available, we can estimate the total number of victims for Flame is probably higher than previously estimated, exceeding 10,000.”
The Flame C&C code was disguised to look like the content-management system of a news website. Updates to the infected machines were packaged as “news” or “ads” and the entire piece of software referred to itself as “Newsforyou.”
Most intriguing were the hints that Flame has siblings yet to be found. The C&C servers were coded to handle four different streams of data coming from five different kinds of client software: “FL,” “IP,” “SP,” “SPE” and a fifth called “RED” that had yet to be developed.
Symantec and Kaspersky agreed that “FL” was Flame, but did not recognize the signatures of the others. They ruled out Duqu, Gauss or Stuxnet as matches.
However, a server set up months ago to capture traffic going from the infected machines to C&C servers detected traffic coming from the “SPE” malware.
“We can confirm the malware known as ‘SPE’ exists and is currently in-the-wild,” wrote Kaspersky Lab. “There are no hits from either the mysterious SP or IP malware.”
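The victim estimate above comes from counting unique source IPs in a server's traffic log over a fixed window, and the "SPE" finding comes from noticing a client identifier the analysts did not recognize. The following is an added example, not code from the report or from either vendor, of how a defender would do that same triage over a sinkhole or seized-server log. The log format (timestamp, IP, client tag, country code) and every line in it are constructed for illustration and are not real Flame data; the client tags are assumed to be exposed in the log the way the article describes them.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log in a hypothetical "timestamp ip client_tag country" format.
# Not real Flame C&C traffic; values and format are assumed for this example.
SAMPLE_LOG = """\
2012-03-25T08:01:12Z 10.0.0.1 FL IR
2012-03-25T08:02:40Z 10.0.0.1 FL IR
2012-03-26T11:30:05Z 10.0.0.2 FL IR
2012-03-27T09:15:00Z 10.0.0.3 SPE SD
2012-03-28T17:45:33Z 10.0.0.4 FL IR
2012-04-02T23:59:59Z 10.0.0.5 FL LB
2012-04-03T00:00:01Z 10.0.0.6 FL IR
2012-04-05T12:00:00Z 10.0.0.7 SPE IR
malformed line that the parser should skip
"""


def parse_log(text):
    """Parse log lines into (datetime, ip, client_tag, country); skip malformed rows."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, tag, cc = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            ipaddress.ip_address(ip)  # reject garbage in the IP column
        except ValueError:
            continue
        entries.append((when, ip, tag, cc))
    return entries


def in_window(entries, start_iso, end_iso):
    """Keep entries whose date falls in the inclusive window, e.g. the 25 March - 2 April week."""
    start = datetime.strptime(start_iso, "%Y-%m-%d").date()
    end = datetime.strptime(end_iso, "%Y-%m-%d").date()
    return [e for e in entries if start <= e[0].date() <= end]


def unique_ips(entries):
    """Distinct source addresses: the report's basic per-server victim count."""
    return len({ip for _, ip, _, _ in entries})


def unique_ips_by(entries, field):
    """Distinct IPs grouped by 'country' or 'client' (repeat check-ins count once)."""
    idx = {"client": 2, "country": 3}[field]
    seen = defaultdict(set)
    for e in entries:
        seen[e[idx]].add(e[1])
    return {k: len(v) for k, v in seen.items()}


def unknown_clients(entries, known=("FL",)):
    """Client tags that do not match a known family: the way 'SPE' stood out."""
    return sorted({tag for _, _, tag, _ in entries if tag not in known})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    week = in_window(entries, "2012-03-25", "2012-04-02")
    print("unique IPs in window:", unique_ips(week))
    print("by country:", unique_ips_by(week, "country"))
    print("by client tag:", unique_ips_by(week, "client"))
    print("unrecognised client tags:", unknown_clients(week))
```

Counting unique IPs is a floor, not a census: several infected hosts behind one NAT gateway collapse into a single address, while one host on a dynamic address can appear as several, which is why the report phrases its 10,000+ figure as an estimate rather than a count.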
In addition to Kaspersky and Symantec, the research was carried out by the United Nations’ International Telecommunications Union International Multilateral Partnership Against Cyber Threats (ITU-IMPACT) and Germany’s Computer Emergency Response Team-Bundesamt für Sicherheit in der Informationstechnik (CERTBund-BSI).