Flame update: malware sought technical information from Iran

Kaspersky discovered the Flame virus that surfaced recently
Kaspersky Lab discovered Flame during an investigation prompted by the International Telecommunication Union

Last week, Russian security firm Kaspersky Lab reported that a new piece of malware, identified as Flame, was responsible for a recent spate of data and information theft stretching back to 2010, dubbing it the “most complex threat ever detected.” Flame was found to have infected systems at nearly every stratum, from personal and business machines to academic and even governmental ones, mostly targeting infrastructure in Middle Eastern countries such as Israel and Iran.

Delving further into the infection, Kaspersky has revealed that Flame had performed a very targeted attack against Iran, seeking highly sensitive technical information from a ‘huge majority of targets.’ According to Kaspersky, Flame had a “high interest in AutoCad drawings, in addition to PDF and text files.” Professor Alan Woodward of the University of Surrey, speaking to the BBC, further added, “They were looking for the designs of mechanical and electrical equipment. This could be either to find out how far advanced some particular project was/is, or to steal some design(s) to sell on the black market. However, Iran isn’t likely to have any intellectual property not available elsewhere. So, this suggests more a case of intelligence-gathering than onward selling on the black market.”

Initial analysis indicated that the malware had been operating since 2010, but Kaspersky Lab now says Flame may have been in operation much earlier, possibly since 2008. This assessment rests on more than 80 domain names registered for the malware’s command-and-control infrastructure, some of which were registered as early as 2008.

Kaspersky has revealed that, in studying the spread of Flame’s infection, it relied on a method known as ‘sinkholing’, which Vitaly Kamluk, a senior researcher at the firm, described as follows: “Sinkholing is a procedure when we discover a malicious server – whether it is an IP address or domain name – which we can take over with the help of the authorities or the [domain] registrar. We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them.”
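To make the procedure concrete, here is an added example of the logging side of a sinkhole, written for this page rather than taken from Kaspersky’s tooling. Once a C&C domain has been pointed at the lab server, every infected machine that resolves it ends up sending its check-in requests there; the server hands back a harmless empty reply and records who called. The domain names, IP addresses (RFC 5737 documentation ranges), request paths and User-Agent strings below are all constructed for illustration and are not real Flame indicators.

```python
"""Minimal sinkhole request logger and victim census (added example, not Kaspersky's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Domains the lab controls after a takeover via the registrar or authorities.
# Constructed placeholders, not the actual Flame C&C domains.
SEIZED_DOMAINS = frozenset({"example-cc-1.test", "example-cc-2.test"})

# Benign reply handed to every caller so the implant never receives a command.
SINKHOLE_RESPONSE = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


@dataclass(frozen=True)
class SinkholeRecord:
    ts: datetime
    src_ip: str
    host: str        # the domain the victim believed it was talking to
    path: str
    user_agent: str


def parse_request(src_ip: str, raw: str, now: datetime):
    """Turn one raw HTTP/1.x request received by the sinkhole into a record.

    Returns None when the request carries no Host header: without it we cannot
    tell which seized domain the client resolved, so the hit is unattributable.
    """
    ipaddress.ip_address(src_ip)                 # reject garbage before it reaches the log
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    path = parts[1] if len(parts) >= 2 else "/"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").lower().split(":")[0]   # drop any :port suffix
    if not host:
        return None
    return SinkholeRecord(now, src_ip, host, path, headers.get("user-agent", ""))


def victim_census(records):
    """Unique source IPs per seized domain, plus the union of all victims.

    Traffic to names we do not control (scanners probing the sinkhole IP
    directly) is dropped. Unique IPs only approximate infected machines: NAT
    hides several victims behind one address, DHCP churn shows one victim
    under several, so treat the count as an order of magnitude, not a tally.
    """
    per_domain = defaultdict(set)
    for r in records:
        if r.host in SEIZED_DOMAINS:
            per_domain[r.host].add(r.src_ip)
    all_victims = set().union(*per_domain.values()) if per_domain else set()
    return {d: len(ips) for d, ips in per_domain.items()}, all_victims


# Constructed sample traffic as the sinkhole would see it after the DNS change.
SAMPLE_TRAFFIC = [
    ("203.0.113.10", "GET /cgi-bin/counter.cgi?id=7 HTTP/1.1\r\nHost: example-cc-1.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("203.0.113.10", "POST /upload HTTP/1.1\r\nHost: EXAMPLE-CC-1.test:80\r\nUser-Agent: Mozilla/4.0\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.7", "GET /index.php HTTP/1.1\r\nHost: example-cc-2.test\r\n\r\n"),
    ("198.51.100.8", "GET / HTTP/1.1\r\nHost: unrelated.test\r\n\r\n"),   # scanner hitting the sinkhole IP
    ("198.51.100.9", "GET / HTTP/1.0\r\n\r\n"),                           # no Host header
]


def run_sample():
    """Feed the constructed traffic through the sinkhole logic and summarise it."""
    now = datetime(2012, 6, 1, tzinfo=timezone.utc)   # fixed timestamp for reproducibility
    records, unattributed = [], 0
    for src_ip, raw in SAMPLE_TRAFFIC:
        rec = parse_request(src_ip, raw, now)
        if rec is None:
            unattributed += 1
        else:
            records.append(rec)
    census, victims = victim_census(records)
    return {"census": census, "victims": victims, "unattributed": unattributed}


if __name__ == "__main__":
    print(run_sample())
```

The same victim checking in twice, once with an upper-case host and port suffix, is counted once, the scanner that hit the sinkhole address directly is excluded because it asked for a name the lab does not control, and the Host-less request is counted separately as unattributable rather than silently dropped. Sinkholes fielding real traffic also need to resist being used as an oracle: the fixed 204 reply above gives the implant nothing to act on.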

Since the Flame infection was announced, the malware has apparently stopped working, but the source of the infection is still unknown. Kaspersky has said that the malware’s command-and-control centres, or C&Cs, were constantly changing, being hosted in a variety of locations such as Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland and the UK.

Kaspersky has also drawn parallels between Flame and other malware such as Stuxnet and Duqu, grouping them together as ‘high-profile cyber-espionage attacks’, with Kamluk adding, “The geographical spread is very similar. It might be different attackers; however the interests are all the same here.”

One Comment on “Flame update: malware sought technical information from Iran”

  1. Pankaj Chawda says:

    If Israeli or US computers were infected by Iranian malware I am sure a UN resolution would have been passed by now condemning the Radical Mullahs…
