Russian security firm spots cyber supervirus that tops Stuxnet

A computer virus designed to scoop up secret information like an "industrial vacuum cleaner" is infecting computers in Iran and elsewhere in the Middle East, according to the Russian Internet security firm Kaspersky Labs.

The new supervirus, which Kaspersky discovered and named "Flame," is one of the most complex items of malicious software ever conceived – many times more sophisticated than the notorious Stuxnet worm – and could well be a purposeful "cyberweapon" directed against Iran, the firm said in a statement late yesterday.

Flame is "actively being used as a cyberweapon attacking entities in several countries," Kaspersky said in a statement. It is "one of the most advanced and complete attack-toolkits ever discovered.… The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date."

According to Kaspersky, the majority of infected computers are in Iran, followed by the Palestinian territories, Lebanon, Saudi Arabia, and Egypt. It said the virus has probably been active for at least two years, but has not been detected until now due to its "extreme complexity."

"Over recent years the danger of military operations in Cyberspace has been one of the most serious issues of information safety," Yevgeny Kaspersky, the firm's director, is quoted as saying in the statement. "Stuxnet and Duqu were parts of one circuit of cyber attacks; their application raised concerns of a potential unleashing of global cyber war. Harmful Flame, most likely, is next stage of that war. It is important to understand, that this cyberweapon can be easily turned against any state."

The firm said it found the virus accidentally, after it was hired by the United Nations International Telecommunications Agency to trace the source of unexplained glitches and deletions of sensitive information in the agency's Middle East operations. A spokesman for Kaspersky told journalists yesterday that the virus's creator "remains unknown"; but it is probably a government, not only because of its huge size and complexity, but also because it does not appear to be designed to steal bank account information or perform the sorts of tasks usually set by private criminal hackers.

Stuxnet, which reportedly wreaked havoc on Iran's nuclear program, was designed to disrupt and destroy sensitive industrial systems. The new virus, which Kaspersky admits it does not yet fully understand, appears to evade detection, bury itself deeply, and continue siphoning off vital data for years.

Iran's official Maher Labs, a division of Iran's telecommunications ministry, said on its website today that "tools to recognize and clean this malware have been developed and, as of today, they will be available for those [Iranian] organizations and companies who want it."

Among the key characteristics of the virus, Maher said, are "distribution via removable medias and local networks, network sniffing, detecting network resources and collecting lists of vulnerable passwords, scanning the disk of infected system looking for specific extensions and contents, creating series of user’s screen captures when some specific processes or windows are active, transferring saved data to control servers, and bypassing tens of known antiviruses, anti malware and other security software."

The virus can infect computers running any Windows-based operating system, it said.

"We can clean this virus now, but we are still analyzing and discovering what it's capable of," says Vitaly Kamluk, chief malware expert at Kaspersky. "It took years to detect and understand Duqu and Stuxnet. These were highly profesional tools that evaded us for a long time. Flame is the newest, but there's no doubt that worse things may be out there. You can count on it."