'Flamer' Malware is Espionage At Its Best

Filed under: Fraud, Technology

There may be many reasons (none of them legitimate) why people create software that steals information from other people's computers.

But then, there is an occasional outbreak of malicious software that attacks seemingly at random. At least, Symantec's Security Response team hasn't found any particular patterns in a new threat known as W32.Flamer. Thus far, the team can only report that the new malware is very sophisticated and discreet, and that it is the work of a well-organized group.

Russian security experts from Kaspersky Lab have gone a step further: they suspect that a government entity is behind the threat. Considering both founders of the lab, Eugene Kaspersky and his ex-wife Natalia, used to work as computer security experts for the feared Soviet intelligence agency, the KGB, they ought to know.

According to some reports, Flamer has been hiding in thousands of computers in the Middle East for at least five years. Others put its age at two years. In any case, the Kasperskys say this kind of malware is proof some governments would not hesitate to join the shady world of cyber-crime.

Features known thus far:
  • It can adjust any computer's settings.
  • It can activate microphones attached to PCs and record any conversation within the microphone's hearing distance.
  • It can eavesdrop on chat conversations, IM (instant messaging) in particular.
  • It can take screenshots without the computer's owner being aware that someone is abusing her or his machine from a distance.

Kaspersky experts say the idea seems to be not so much to harm an attacked computer as to use it as a tool for information gathering.

The government of Iran immediately announced it fears recent leaks about its sensitive nuclear program were caused by Flamer. No documentation has been offered to support this claim.

Symantec experts add that Flamer can spread via USB drives, disable security vendor products, and under certain conditions spread to other systems. The threat may also be able to leverage multiple known and patched vulnerabilities in Microsoft Windows in order to spread across a network.

According to Kaspersky's people, Flamer uses about 20 times as much code as Stuxnet, a virus that caused the Iranian nuclear program's centrifuges to malfunction.

Symantec reports that its initial telemetry indicates that the targets of this threat have been located primarily in the Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of the individuals targeted are currently unclear. However, initial evidence shows the victims may not all be targeted for the same reason. Many appear to be targeted for their individual personal activities rather than for the company that employs them. Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers used from home Internet connections.

Symantec's Internet Security Threat Report saw the number of targeted attacks increase dramatically during 2011, from an average of 77 per day in 2010 to 82 per day in 2011. The report also projected that targeted attacks and APTs will continue to be a serious issue and that the frequency and sophistication of these attacks will increase.

What does all this have to do with North American computers? Everything: with the world getting smaller by the minute, North American computers – especially those that belong to people with any dealings in the Middle East – are getting more and more vulnerable. Besides, while the original assault can discriminate by picking just those computers with a Middle East connection, subsequent attacks may include computers that came into contact with the attacked units purely by accident.
