The shadowy hackers behind the military-grade Stuxnet worm and Duqu Trojan may have struck again, this time with a very sophisticated information-stealing malware toolkit alternately called Flame, Flamer or Skywiper.
However, this new bug may date back as far as 2007, making it older than Stuxnet, and possibly indicating that there are other unknown pieces of malware yet to be discovered.
Flame/Skywiper has been infecting computers around the Middle East and Eastern Europe for the past few months, according to the Hungarian security firm CrySyS.
"Skywiper is certainly the most sophisticated malware we encountered during our practice," CrySyS analysts said in the introduction to an extensive technical report on the malware released today (May 28). "Arguably, it is the most complex malware ever found."
The Russian security firm Kaspersky Lab said Flame/Skywiper has apparently been deleting information from computers in the Middle East, but that its main goal is to collect information and send it across the Internet to command-and-control servers located in several different countries.
The main center of infection is the same as for Duqu and Stuxnet: the Islamic Republic of Iran. It was Iran's government computer emergency response team, MAHER, which broke the news of Flame/Skywiper in a blog posting earlier today.
"This malware is a platform which is capable of receiving and installing various modules for different goals," said the MAHER posting in what appeared to be hastily translated English. "At the time of writing, none of the 43 tested [anti-virus programs] could detect any of the malicious components."
(Many of the top anti-virus software makers, including McAfee, Symantec, Sophos and Kaspersky, today updated their virus definitions to include Flame/Skywiper.)
"The geography of the targets ... and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it," Kaspersky Lab analyst Alexander Gostev said in a blog posting today.
"This code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives," wrote an unnamed security analyst on Symantec's Security Response blog. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry."
Who's to blame?
Like Duqu and Stuxnet, Flame/Skywiper is extremely sophisticated; Gostev said that it "might be the most sophisticated cyber weapon yet unleashed. ... It pretty much redefines the notion of cyberwar and cyberespionage."
That indicates that this new bug wasn't crafted by Russian cyberthieves, who make their malware only as complex as it needs to be to avoid common detection methods.
It's possible it could have been made by Chinese military hackers, but their standard mode of operation is to combine advanced malware with mundane social-engineering attacks such as phishing emails.
The authors of Duqu and Stuxnet, two weaponized pieces of malware that share a remarkable amount of code, are unknown, but the general consensus is that the United States and Israel created both bugs.
Stuxnet targeted Iran's nuclear program, specifically the uranium-refinement facility at Natanz, which fell behind in production about the time Stuxnet was discovered. Duqu's aims and methods are less specific, but it was clearly created by the same team behind Stuxnet.
A New York Times article in January 2011 established strong circumstantial evidence that the U.S. and Israel were behind Stuxnet, but the wider world may never know for certain.
Flamer/Skywiper is more general-purpose than either Duqu or Stuxnet, being essentially very sophisticated, multipurpose spyware. It has about 20 different plug-ins that enable it to be configured for specific targets, which has already produced a detectable number of variants of different sizes.
"Flame appears to be a project that ran in parallel with Stuxnet/Duqu," wrote Gostev. "There are, however, some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project."
"We cannot exclude the possibility that the attackers hired multiple independent development teams for the same purpose, and Skywiper and Duqu are two independent implementations developed for the same requirement specifications," wrote the CrySyS analysts.
How it works
Gostev said Flamer/Skywiper is "a complete attack toolkit designed for general cyber-espionage purposes," at once "a backdoor, a Trojan and ... has worm-like features."
Its original vector of infection is unclear, but once installed on a Windows XP, Vista or 7 machine, it sniffs network traffic (including Bluetooth and Wi-Fi activity), logs keystrokes, takes screenshots and records audio through a computer's built-in microphone.
"Information gathering from a large network of infected computers was never crafted as carefully as in Skywiper," said the CrySyS report. "The malware is most likely capable to use all of the computer's functionalities for its goals."
It avoids detection by posing as common Windows files, such as the ".ocx" files used for Microsoft's ActiveX software.
Flame/Skywiper is also remarkably big — a whopping 20 megabytes, depending on configuration. Most pieces of malware are well under one megabyte.
Gostev said its size is due partly to the fact that Flame/Skywiper contains multiple libraries of data and a few databases, as well as the optional plug-ins.
"It will probably take [a] year to fully understand the 20 megabytes of code of Flame," Gostev wrote.
Like Duqu, Flame/Skywiper was created using a programming language not commonly used by malware creators. In Duqu's case, it was Objective C, now mainly used to create software for Apple hardware. In the case of the new malware, it's a Brazilian programming language called Lua, most often used to create video games such as "Angry Birds."
Like Duqu, it may date back to 2007; CrySyS's analysts searched through their records and found that some of Flamer/Skywiper's components were logged back then, but not linked to any malware until now.
Kaspersky's analysts date the new bug to February or March of 2010, a few months before Stuxnet was first discovered, but note that many false file-creation dates, such as 1992 and 1995, are embedded in the code to throw researchers off the trail.
"Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide," Gostev said. "The targets are also of a much wider scope, including academia, private companies, specific individuals and so on."
Only the tip of the iceberg?
The muddled timeline, the relatively ancient age of some of its components and the variability of its configuration indicate that Flame/Skywiper has been infecting computers for years, and that other highly sophisticated pieces of malware may yet remain to be discovered.
"Stuxnet, Duqu and Flame are all examples of cases where we — the anti-virus industry — have failed," wrote F-Secure analyst Mikko Hypponen in a blog posting today. "All of these cases were spreading undetected for extended periods of time."
"If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about," Kaspersky Lab security analyst Roel Schouwenberg told London's Daily Telegraph.