Some interesting reading this morning on a new "state sponsored" virus called Flame. At present the virus appears to be targeted at Middle Eastern countries (there have been infections in other countries, but the US reportedly is not one of them).
The interesting components of this latest malware tool are:
- It's huge, almost 20 MB when its entire payload is present. The payload is modular, allowing for different capabilities on each infected device.
- It will transfer data files to the tool's owner, but the tool also has the ability to create its own content.
- If a microphone is present on an infected device, it surreptitiously records conversations and sends them to the tool's owner.
- It takes screenshots of what is being done on the computer (the number of screenshots increases if an "interesting" application is being run) and sends them to the tool's owner.
- If a device has Bluetooth enabled, Flame discovers other Bluetooth devices in the area of the infected device and catalogs them.
- The spread of the virus seems to be controlled by the tool's owner, as are the modules downloaded to each infected computer.
- Antivirus companies claim that it could take years to determine all of the "features" of this virus.
- This virus is totally different from Stuxnet and Duqu. It is written in a different programming language, for the most part is spread using a more selective method, and according to the articles was probably written by a different group.
- This virus can spread to a fully up-to-date Windows 7 computer, so it may be using an unknown zero-day exploit.
- The virus may be as old as Stuxnet, but is only being discovered now.
The sources for the items listed above are the links in this article on the ComputerWorld site.
IMO the best information about this threat, which the article above links to, comes from the Kaspersky organization and can be found here.
A note about the "state sponsor" of this virus. According to Kaspersky there are three types of virus writers: hacktivists, thieves, and state sponsors. Since Flame doesn't seem to fit the MO of the first two groups, they assigned it to state sponsors.
10:44 AM PT: Update 12:43 CDT. According to this article: http://www.independent.co.uk/...
"A sophisticated virus might have between 20-50 defences already built in to counter security software. Cyber security researchers have [said that] Flame has an astonishing 346 separate defences."
11:36 AM PT: Update at 1:34 PM CDT. According to this article:
http://www.slashgear.com/...
"One of the most advanced elements popping up in the software is Flame’s ability to copy data from nearby Bluetooth-enabled smartphones.
...
An infected user’s computer will not necessarily show outward signs that it is copying data from nearby cellphones and smartphones, but it will then move that data to the web where Flame’s creators can harvest it."