The malware was named alternatively in news articles as "Wiper" and "Viper," a discrepancy that may be due to a translation mixup. Kaspersky researchers searched through their reporting archive, which contains suspicious filenames sent automatically from customer machines so the names can be checked against whitelists of known malware, and found an MD5 hash and filename that appeared to have been deployed only on machines in Iran and other Middle East countries. As the researchers dug further, they found other components infecting machines in the region, which they pieced together as parts of Flame.
The researchers dubbed the toolkit "Flame" after the name of a module inside it. Among Flame's many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer's near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers' command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic on an infected machine's local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network. Because Flame is so big, it gets loaded to a system in pieces.
The machine first gets hit with a 6-megabyte component, which contains about half a dozen other compressed modules inside. The main component extracts, decompresses and decrypts these modules and writes them to various locations on disk. The number of modules in an infection depends on what the attackers want to do on a particular machine. Once the modules are unpacked and loaded, the malware connects to one of about 80 command-and-control domains to deliver information about the infected machine to the attackers and await further instruction from them.
The malware contains a hardcoded list of about five domains, but also has an updatable list, to which the attackers can add new domains if the original ones have been taken down or abandoned. While the malware awaits further instruction, the various modules in it might take screenshots and sniff the network.
The screenshot module grabs desktop images every 15 seconds when a high-value communication application is being used, such as instant messaging or Outlook, and once every 60 seconds when other applications are being used.
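The two-speed capture cadence described above is itself a detectable signal. The following is an added example, not code from the article or from Kaspersky: a small detector that buckets consecutive screen-capture events by whether a high-value application (assumed process names) was in the foreground, and flags a host whose capture intervals sit near 15 seconds for those apps and near 60 seconds otherwise. The event records are constructed sample data, not real telemetry.

```python
# Added example (not from the article): detect the two-speed screenshot
# cadence attributed to Flame in endpoint telemetry. All data is constructed.
from datetime import datetime, timedelta
from statistics import median

# Assumed process names for "high-value communication applications".
HIGH_VALUE = {"outlook.exe", "msnmsgr.exe", "skype.exe"}


def make_sample_events(high_gap=15, other_gap=60):
    """Constructed telemetry: (timestamp, foreground process, event type).
    A real deployment would read these from an EDR or Sysmon-style feed."""
    t = datetime(2012, 5, 28, 9, 0, 0)
    events = []
    for _ in range(10):               # captures while Outlook is in front
        events.append((t, "outlook.exe", "screen_capture"))
        t += timedelta(seconds=high_gap)
    for _ in range(5):                # captures while a low-value app is in front
        events.append((t, "notepad.exe", "screen_capture"))
        t += timedelta(seconds=other_gap)
    return events


def capture_intervals(events):
    """Seconds between consecutive screen_capture events, bucketed by whether
    the foreground process at the earlier capture was a high-value app."""
    caps = [e for e in events if e[2] == "screen_capture"]
    buckets = {"high_value": [], "other": []}
    for prev, cur in zip(caps, caps[1:]):
        gap = (cur[0] - prev[0]).total_seconds()
        key = "high_value" if prev[1].lower() in HIGH_VALUE else "other"
        buckets[key].append(gap)
    return buckets


def flame_like_cadence(events, tol=2.0):
    """True if captures cluster near 15 s for high-value apps and near 60 s
    otherwise; requires a few samples in each bucket to avoid noise."""
    b = capture_intervals(events)
    if len(b["high_value"]) < 3 or len(b["other"]) < 3:
        return False
    return (abs(median(b["high_value"]) - 15) <= tol
            and abs(median(b["other"]) - 60) <= tol)


if __name__ == "__main__":
    print("flame-like cadence:", flame_like_cadence(make_sample_events()))
```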
Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and Duqu, it does share a few interesting things with Stuxnet. Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June. It is widely believed to have been designed to sabotage centrifuges used in Iran's uranium enrichment program.

A top Israeli minister yesterday fed speculation that the Jewish state could be responsible for a powerful new virus said to have been used in a fresh attack on computers in Iran and elsewhere in the Middle East.
The discovery of the unprecedentedly complex data-stealing "Flame" virus was disclosed by the Russian-based digital security firm Kaspersky Lab. Its experts reported on Monday that it had been applied most actively in Iran, but also in Israel and the occupied Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. Moshe Yaalon, Israel's Vice Prime Minister and Strategic Affairs Minister, told the country's Army Radio: "Anyone who sees the Iranian threat as a significant threat — it's reasonable [to assume] that he will take various steps, including these, to harm it."
Mr Yaalon, a former military Chief of Staff, added: "Israel was blessed as being a country rich with high-tech. These tools that we take pride in open up all kinds of opportunities for us." He stopped short of directly claiming responsibility, but Israel has long been in the forefront of opposition to Iran's nuclear programme, currently the subject of difficult negotiations between Tehran and six world powers. Although many viruses can already steal large amounts of data, few have been as comprehensive as Flame, or steal in so many different ways.
The security industry is still in the early stages of examining what exactly Flame can do, but examples already given include hijacking a computer's microphone to record conversations, taking screen shots during chats through instant messenger and even stealing data from devices that are attached to an infected computer through a Bluetooth connection.
The Flame virus is believed to be the third and, at least in information gathering, most effective cyber attack on Iranian computer systems in recent years. Tehran admitted the best known of these, Stuxnet, had damaged centrifuges at its uranium enrichment plant in Natanz.

A new cyberespionage tool linked to the Flame virus has been infecting computers in Lebanon, Iran and elsewhere, security researchers said.