'Flame' Malware Is Spying On Middle East Computer Users, Researchers Say

For at least the past two years, a large, complex piece of malicious software has infected hundreds of computers across the Middle East, stealing victims' data and spying on their online activities, security researchers have discovered.

The malware, dubbed "Flame" or "Flamer" because the words appear in its code, is unique in its size and the ways it can siphon victims' personal data. It can monitor computer users by taking screenshots of their e-mail or Instant Messenger conversations. It can record their audio conversations from an internal microphone or through Skype. And it can use Bluetooth technology to steal data on devices located near the infected computer, Alexander Gostev, a researcher at the Russian security firm Kaspersky Lab, said in a blog post on Monday.

Gostev said in his post that the malware was designed to "systematically collect information on the operations of certain nation states in the Middle East." Thus far, the most frequent victims of the malware have been located in Iran, but there have also been victims in Lebanon, Sudan, Syria, Egypt and the United Arab Emirates.

Gostev added that Flame's creators appear to be looking for any kind of intelligence -- emails, documents, messages and discussions inside sensitive locations. The creators remain unknown, but the malware appears to be part of a government-led espionage campaign, experts say.

"Flame can easily be described as one of the most complex threats ever discovered," Gostev said. "It's big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."

The malware can also hide inside seemingly harmless programs and can create "backdoors" that enable hackers to re-enter the infected computer network at any time, Gostev said. So far, the spread of the Flame malware has been relatively small -- less than 400 infections have been reported, about half of them coming from Iran, according to Kaspersky Lab.

Researchers say there does not appear to be any pattern to the organizations targeted. The malware infected computers belonging to government agencies, private companies, educational institutions and specific individuals. Many victims appear to have been targeted for their personal activities, rather than where they worked, according to researchers at the security firm Symantec.

The malware sends the stolen data to "command and control" servers being controlled by hackers in perhaps dozens of countries, researchers say. It can run on Microsoft Winds XP, Windows Vista and Windows 7 systems, the security firm McAfee says.

According to Iran’s Computer Emergency Response Team, antivirus software cannot detect the the Flame malware on a victim's computer. The agency said Monday it had created a tool to detect the malware and is sending out another tool to remove it from infected computers.

Experts say Flame is similar to Stuxnet and Duqu -- two well-known malicious computer programs -- because all three were based in the Middle East and targeted specific software vulnerabilities.

Stuxnet is a complex computer worm that damaged Iran's nuclear centrifuges in 2009 and 2010 by causing them to spin out of control. Experts deem it to be the most sophisticated cyberweapon ever created. The creators of Stuxnet remain unknown, though many have speculated it was designed by Israel and the United States.

Duqu, which is believed to have been written by the same authors, was designed to spy on users in Middle Eastern countries by logging their keystrokes and stealing their computer files. It was intended to lay the groundwork for a cyberattack against an industrial control system, according to Symantec.

But Flame also differs from Stuxnet and Duqu in many ways, experts say. For one, its code is about 20 times larger than Stuxnet and is more complex than Duqu. Despite its massive size -- 20 megabytes of code -- Flame went undetected for more than two years, dating back to at least February 2010. The security firm CrySyS Lab, based in Hungary, said the malware may date as far back as 2007 on computers in Europe.

Jeffrey Carr, author of "Inside Cyber Warfare," called the findings "a significant discovery" but said Flame should not be considered a "cyberweapon" like Stuxnet.

"It's a massive tool for stealing data; one that's much more complex than Zeus, SpyEye or other trojans," he said in an email, alluding to previous discoveries of malicious software used to spy on computer users.

Researchers at Kaspersky Lab said it found the Flame malware after the U.N.’s International Telecommunication Union asked the company to investigate reports that a mysterious computer virus was responsible for massive data losses on some Iranian computer systems.

Due to the sheer size of Flame's malicious code, Gostev said it will likely take a year to fully understand how the malware works.

Mikko H. Hypponen, who works for the computer security company F-Secure, based in Finland, said the most troubling part is that Flame had been spreading undetected for years.

"Stuxnet, Duqu and Flame are all examples of cases where we -- the antivirus industry -- have failed," Hyponnen said in a blog post. "All of these cases were spreading undetected for extended periods of time."