Researchers at security provider Symantec have concluded a preliminary analysis of the "Flame" virus, also referred to as "Skywiper" and "W32.Flamer".
The virus is being widely compared to the infamous Stuxnet and Duqu infections, and has been detected in high concentrations in Iran, and to a lesser extent in Israel, Palestine, Sudan, Syria, and several other nations.
"The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry," Symantec states.
Stuxnet was a highly sophisticated designer-virus that infected systems which provided operations control for Iranian production networks, and was probably produced to stifle Iran's nuclear weapons program.
Flame is most likely an intelligence gathering tool most similar to the Duqu virus, which displayed many similarities to Stuxnet, though it was not designed to deliver a payload.
"While our analysis is currently ongoing, the primary functionality is to obtain information and data. Initial telemetry indicates that the targets of this threat are located primarily in Eastern Europe and the Middle East. The industry sectors or affiliations of the individuals targeted are currently unclear. However, initial evidence indicates that the victims may not all be targeted for the same reason," Symantec says.
"The code itself is complex, which hampers analysis. The overall functionality includes the ability to steal documents, take screenshots of users' desktops, spread through removable drives, and disable security products. Additionally, under certain conditions, the threat may also have the ability to leverage multiple known and patched vulnerabilities in Microsoft Windows in order to spread across a network," Symantec concluded.
The researchers indicate that Flame's design is sophisticated in nature, with elements of the code enabling functionalities beyond what would be expected after a cursory overview.
"Our analysis of the retrieved samples reveals complex code that utilizes several components. At first glance, the executable appears to be benign but further inspection reveals cleverly concealed malicious functionality," the researchers determined.
Symantec's analysis shows that aspects of the Flame may have been developed and deployed as many as five years ago, which begs the question of how and why the virus had not been identified earlier.
"Two variants of the advnetcfg.ocx file have been discovered. The first variant dates back to September 2010. The second variant appeared in February 2011. The configuration file ccalc32.sys also has two variants, both of which appear around the same time as the advnetcfg.ocx file. In addition to our initial telemetry, there are unconfirmed reports of infections dating back to 2007 as well. We expect to be able to confirm these reports in the coming days," the researchers said.
The modular nature of the Flame's design could mean that variations of the virus tailored to target other critical components of systems could already be in development.
"The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware. The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products," the researchers said.
Symantec expects to produce a comprehensive evaluation of the virus for publication soon. For a detailed analysis of some of the functionalities of Flame, refer to the following article: