An Iranian cyber security official has claimed the Flame worm caused the country “massive” data loss.
Since the emergence of Flame, which some believe to be the most sophisticated piece of malware ever created, Iran has been considered the number one target. Kaspersky figures from earlier this week showed there were 189 infections in Iran, almost 100 more than the second-most targeted area, Israel/Palestine.
Kamran Napelian, an official with Iran’s Computer Emergency Response Team (MAHER), told the New York Times that Flame had caused substantial data loss, saying he guessed the worm had been active in the country for six months.
The UN is also expected to issue its most serious warning yet on a cyber threat. The UN’s Geneva-based International Telecommunications Union (ITU) is to alert member nations that Flame is a dangerous espionage tool that could be used to hit critical infrastructure, according to Reuters.
Flame has worm capabilities, as it is able to replicate on both local networks and on removable devices like USBs, if it is commanded to do so. It can also look at network traffic, take screenshots when “interesting” applications like instant messaging apps are running, record audio conversations from an infected PC’s microphone and do some keylogging. Further functionality can be added via plug-ins whenever the attackers want.
It also has Bluetooth capabilities, as it is able to pick up on signals as well as turn the infected system’s Bluetooth on. Information is relayed back to the attackers’ command and control servers over a covert SSL channel. These C&C servers are scattered across the world.
Security companies are moving to offer protection, after MAHER warned none of the 43 anti-virus solutions it tested Flame on could protect against it. MAHER itself has already produced a removal tool, whilst major firms like Kaspersky and Trend Micro have issued similar protections.
Yesterday, F-Secure chief research officer Mikko Hypponen told TechWeekEurope that Flame marked another “failure” for the security industry, which had failed to pick up on a significant piece of malware for a significant period of time, just as it had done with other cyber “super-weapons” like Stuxnet and Duqu.
“If we missed it for two years, maybe five years, not just us but the whole goddamn industry, what else could we characterise that as other than a failure?” Hypponen said.
The industry will have to wait a long time to discover more about Flame as well. It is a sizeable piece of malware at 20MB once all modules are deployed.
Kaspersky has been ploughing on with its research, uncovering a number of the modules used to steal data. Some interesting ones remain that the Russian security firm is still attempting to figure out, including ones called Bunny, Dbquery, Driller, Headache and Gadget.
View Comments
Flame is creating huge concern for high level program users. I don't know how Iran will react about the massive data loss of their programs. I think this issue is leading us to great cyberwar in no time. Thanks :)
Cyberwarfare is here... The USA and Zionist Israel are the chief perpetrators. They will also be the ones to squeal the loudest when their victim nations retaliate.