Thursday, 31 May 2012

Secular Café: Super Computer Virus hits the Middle East

May 31st 2012, 08:22

Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers | Threat Level | Wired.com
Quote:

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based antivirus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed "Flame" by Kaspersky, the malicious code dwarfs Stuxnet in size — the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran's nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.
It's designed to spy on its hosts, taking screenshots, searching for documents, and eavesdropping on network traffic and keystrokes and voice conversations. It's also designed to send to certain addresses what it has discovered, and unlike Stuxnet, its masters must command it to spread. That has made it more difficult to discover.
Quote:

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.
Talk about super-sophisticated software. It looks as if its designers had made it easy to reconfigure for a variety of espionage and sabotage tasks. By comparison, Stuxnet is only 500 kilobytes in size.

Stuxnet was designed for industrial sabotage, like spinning up Iran's uranium-enrichment centrifuges. Duqu, another predecessor, was designed to grab documents about Iran's nuclear efforts.
Quote:

Because Flame is so big, it gets loaded to a system in pieces. The machine first gets hit with a 6-megabyte component, which contains about half a dozen other compressed modules inside. The main component extracts, decompresses and decrypts these modules and writes them to various locations on disk. The number of modules in an infection depends on what the attackers want to do on a particular machine.

Once the modules are unpacked and loaded, the malware connects to one of about 80 command-and-control domains to deliver information about the infected machine to the attackers and await further instruction from them. The malware contains a hardcoded list of about five domains, but also has an updatable list, to which the attackers can add new domains if these others have been taken down or abandoned.
Where are these contact addresses?

Researchers Link Flame Virus to Stuxnet and Duqu - NYTimes.com
Who is responsible?
Quote:

For example, researchers at Kaspersky Lab tracked the working hours of Duqu's operators and found they coincided with Jerusalem local time. They also noted that Duqu's programmers were not active between sundown on Fridays and sundown on Saturdays, a time that coincides with the Sabbath when observant Jews typically refrain from secular work.
Seems like a job for a Shabbos Goy and people in different time zones. The places with the most Flame infections also suggest Israel: countries hostile to Israel like Iran, and countries that host militias and terrorists who are willing to attack Israel.
Quote:

Flame also shares a quirkier trait with Duqu: an affection for American movie characters. Flame's command for communicating with Bluetooth-enabled devices is "Beetlejuice." An e-mail that infected an unnamed company with Duqu last year was sent by a "Mr. Jason B." — which researchers believe is a reference to Jason Bourne of the Robert Ludlum spy tales.
Iran Confirms Attack by a Virus That Steals Data - NYTimes.com
Quote:

The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Tuesday.

In a message posted on its Web site, Iran's Computer Emergency Response Team Coordination Center warned that the virus was dangerous. An expert at the organization said in a telephone interview that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran's nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.
However,
Iran claims to have beaten 'Flame' computer virus - Telegraph
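The working-hours analysis quoted from the NYTimes piece (operators active during Jerusalem business hours, idle from Friday sundown to Saturday sundown) can be reproduced as a simple heuristic over activity timestamps. This is an added example, not code from the article or from Kaspersky; the timestamps are constructed, and the working-day window and the fixed 18:00 sundown are assumptions (a real analysis would use actual solar times for each date).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of operator-activity timestamps in UTC (for instance the
# times at which command-and-control sessions were observed). Invented for this
# example: they fall 08:00-18:00 Jerusalem time (UTC+2 in January) on Sun-Thu.
SAMPLE_UTC = [
    "2012-01-15 07:10", "2012-01-15 11:30", "2012-01-16 06:45", "2012-01-16 13:20",
    "2012-01-17 08:05", "2012-01-18 14:50", "2012-01-19 09:15", "2012-01-19 12:40",
    "2012-01-22 06:30", "2012-01-23 15:10", "2012-01-24 10:00", "2012-01-25 07:55",
]
WORK_START, WORK_END = 8, 18   # assumed local working day
SUNDOWN = 18                   # assumed fixed sundown hour (assumption, not solar data)

def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

def in_sabbath(local):
    """True between Friday sundown and Saturday sundown, local time."""
    wd, h = local.weekday(), local.hour   # Monday=0 ... Friday=4, Saturday=5
    return (wd == 4 and h >= SUNDOWN) or (wd == 5 and h < SUNDOWN)

def profile(timestamps, utc_offset_hours):
    """Share of events inside working hours, and the number that land in the
    Sabbath window, when the timestamps are viewed in a candidate UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local_times = [parse_utc(s).astimezone(tz) for s in timestamps]
    working = sum(WORK_START <= t.hour < WORK_END for t in local_times)
    sabbath = sum(in_sabbath(t) for t in local_times)
    return {"offset": utc_offset_hours,
            "work_share": working / len(local_times),
            "sabbath_hits": sabbath}

def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Candidate offsets ordered by how cleanly they explain the activity as an
    ordinary working day; ties broken by fewer Sabbath-window events."""
    profiles = [profile(timestamps, o) for o in offsets]
    return sorted(profiles,
                  key=lambda p: (-p["work_share"], p["sabbath_hits"], abs(p["offset"])))

if __name__ == "__main__":
    for p in rank_offsets(SAMPLE_UTC)[:3]:
        print(p)
```

The top-ranked offset is only a hint: a small sample, operators in several time zones, or timestamps forged on purpose (as the thread itself notes) all weaken the inference.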
