A Eurasianet partner post from RFE/RL
Someone is infecting Iran's computers with what experts call "the most powerful virus to date." Here are four things to know about the virus, dubbed Flame.
What is Flame and What Does It Do?
Flame is a computer virus that Tehran says is infecting its computers and which independent experts say is the most powerful virus yet seen. The virus appears to be a major escalation in the cyberwar that some governments concerned by Iran's nuclear program are suspected of waging against Tehran to sabotage its progress.
The virus infects computers in order to spy on users, steal classified information, and cause the mass deletion of data. It does this by sniffing network traffic, taking screenshots, recording audio conversations, and intercepting keyboard activity. The data it collects is relayed back to the virus's creators.
Just which computers Flame is targeting in Iran and what damage it has done so far is unknown. Iranian experts discovered the virus on computers in the Iranian Oil Ministry and National Oil Company in recent months and it only became publicly known this week after Tehran asked a UN agency to help investigate.
The agency asked a private Russian antivirus software company, Kaspersky Lab in Moscow, to look into the virus and the laboratory publicly described it as "one of the most complex threats ever discovered."
Flame may also be one of the sneakiest bits of malware – or malevolent software -- ever found.
"Its job seems to be to spy on computers, which is not super new, we have seen this with other malware, but what is so interesting is that it has been doing this for about two years now and no-one discovered that until now," say Magnus Kalkuhl of Kaspersky Lab.
What's New About Flame?
Flame comprehensively does with one virus what cyberwarriors have previously had to deploy many separate viruses to do. That completeness means it can deliver to operators a more integrated picture than ever before of what a computer is being used for.
Boldizsar Bencsath, a computer expert at Budapest University's Laboratory of Cryptography and Systems Security, has been analyzing the virus after some users also found Flame watching their computers in Hungary.
According to him, the individual things Flame does are not unique or unknown. But what is unique is putting all those functions in a single, enormously large software package.
"Generally speaking, [Flame's] functionality is similar to other malware components that for example, record keyboard activities," he says. "The unusual thing is that it is complex, highly complex. That means that there are lots of different functionality modules in the code and therefore the code is enormously large."
The Kaspersky Lab says the Flame software package totals almost 20 Mb in size when fully deployed. That is astonishingly big compared to most viruses, which usually depend on small amounts of software to make them easy to hide.
Who Developed Flame and Why?
It is too early to know. But the complexity of the software package indicates it was developed over a period of years and specifically by a government for espionage purposes, not by a criminal group or hackers.
Iran said on May 28 that Flame shows a "close relationship" to Stuxnet, a virus that attacked Iran's nuclear program in 2010 and which Tehran has previously accused Israel and the United States of deploying.
But the Kaspersky Lab, which calls Flame "20 times more complicated than Stuxnet, says there is no information in the virus' code that can tie Flame to any specific nation state.
Could Flame Attack My Home Computer?
It's been reported that Flame has infected computers in Iran and the Kaspersky Lab has also detected it on the computers of some of its customers in Middle Eastern countries -- Israel, the Palestinian territories, Egypt, Sudan, and Syria.
It also has been found on some computers in Hungary, presumably with connections to the Middle East.
But all indications are that the infections are targeted attacks for a specific purpose.
"This is a targeted attack, says Bencsath. "This tool is used for targeted attacks; that means that normal home computers most likely are not at any risk."