A new computer virus that appears to have been deployed five years ago was recently discovered in Iran and cyber security experts suggest it could have been built by the same entities that ordered the 2010 Stuxnet attack, according to Reuters.
The presence of the virus -- dubbed "Flame" -- was announced by the Russian-based Kaspersky Labs on Monday. Reuters reports the security software firm has not said whether the cyber weapon was deployed with a specific mission like that of the Stuxnet worm, which is suspected to have been launched to help take down Iran's nuclear infrastructure.
Comparing Flame to Stuxnet, Reuters reports experts finding the virus has 20 times more code. Compared to most computer viruses that steal financial information, Flame has 100 times more code. Kaspersky Labs found it exploits a vulnerability in Windows, like Stuxnet. BBC reports that this newly discovered virus is being called "one of the most complex threats ever discovered." Here's a few more on the details being reported about the virus from Reuters:
Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats.
Kaspersky Lab said Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and that both viruses employ a similar way of spreading.
That means the teams that built Stuxnet and Duqu might have had access to the same technology as the team that built Flame, [Kapersky Lab senior researcher Roel] Schouwenberg said.
Wired reports Chief Security Expert at Kaspersky Alexander Gostev saying it could take 10 years to completely understand how Flame works. While Stuxnet was 500 kilobytes, Flame is 20 megabytes. Here's more from Wired on the virus:
“It was obvious DuQu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities,” Gostev said. “Everything is completely different, with the exception of two specific things.”
One of these is an interesting export function in both Stuxnet and Flame, which may turn out to link the two pieces of malware upon further analysis, Gostev said. The export function allows the malware to be executed on the system.
Also, like Stuxnet, Flame has the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also uses the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. This suggests that the authors of Flame may have had access to the same menu of exploits that the creators of Stuxnet used.
Aside from the discovery alone, Reuters reports this find further proves that countries are using cyberwarfare to protect or promote their own security:
"This is one of many, many campaigns that happen all the time and never make it into the public domain," said Alexander Klimburg, a cyber security expert at the Austrian Institute for International Affairs.
A cyber security agency in Iran said on its website on Monday that Flame bore a "close relation" to Stuxnet, the notorious computer worm that attacked that country's nuclear program in 2010 and is the first publicly known example of a cyber weapon.
It is speculated that this virus could be related to a more recent attack on computer systems controlling Iran's oil in Tehran. The late April cyber attack resulted in a complete disconnect of the main export terminal, although it was quickly restored.
According to Reuters the virus is "poised to go down in history as the third major cyber weapon uncovered after Stuxnet and its data-stealing cousin Duqu." Reuters reports Hungarian researcher Boldizsar Bencsath as saying it is unnerving for the present and future given this virus, which could have been active five to eight years ago, is only just being discovered:
"The scary thing for me is: if this is what they were capable of five years ago, I can only think what they are developing now," Mohan Koo, managing director of British-based Dtex Systems cyber security company.
In addition to being found in systems in Iran, Reuters reports the virus has also been seen in Israel, Palestinian territories, Sudan and Syria. It is estimated that more than 1,000 machines are infected with Flame.
So far, neither Kaspersky Labs nor any U.S. entities have commented on who may have designed the virus.
Read more details on the virus in Wired's report here.