SAN FRANCISCO — The Flame computer virus that smoldered undetected for years in Middle Eastern energy facilities confirmed fears that the world has entered a new age of cyber espionage and sabotage.
Internet defenders on Wednesday were tearing into freshly exposed Flame malware (malicious software) that could be adapted to spread to critical infrastructures in countries around the world.
While the components and tactics of Flame were considered old school, the gigantic virus's interchangeable software modules and targeted nature were evidence that malware is a potent weapon in the Internet era.
"We are seeing much more specific types of malware and attacks," said McAfee Labs director of security research David Marcus.
"When you talk about a situation where the attacker knows the victim and tailors the malware for the environment it jumps out," he said. "That speaks to good reconnaissance and an attacker who knows what they are doing."
Gathering intelligence on targets and then crafting viruses to exploit specific networks as well as the habits of people using them is "certainly in vogue" and is an attack style heralded by the Stuxnet malware, Marcus said.
Stuxnet, which was detected in July 2010, targeted computer control systems made by German industrial giant Siemens and commonly used to manage water supplies, oil rigs, power plants and other critical infrastructure.
Most Stuxnet infections were discovered in Iran, giving rise to speculation it was intended to sabotage nuclear facilities there, especially the Russian-built atomic power plant in the southern city of Bushehr.
Suspicion fell on Israel and the United States, which have accused Iran of seeking to develop a weapons capability under the cover of a civilian nuclear drive. Tehran denies the charges.
"Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide," said Eugene Kaspersky, founder of Kaspersky Lab, which uncovered Flame.
"The Flame malware looks to be another phase in this war, and it's important to understand that such cyber weapons can easily be used against any country."
Flame malware was larger than Stuxnet and protected by multiple layers of encryption.
It appears to have been "in the wild" for two years or longer, and the prime targets so far have been energy facilities in the Middle East.
High concentrations of compromised computers were found in the Palestinian West Bank, Hungary, Iran, and Lebanon. Additional infections have been reported in Austria, Russia, Hong Kong, and the United Arab Emirates.
Compromised computers included many being used from home connections, according to security researchers who were looking into whether reports of infections in some places resulted from workers using laptops while traveling.
While Stuxnet was crafted to do real-world damage to machinery, Flame was designed to suck information from computer networks and relay what it learned back to those controlling the virus.
Flame can record keystrokes, capture screen images, and eavesdrop using microphones built into computers.
In an intriguing twist, the malware can also use Bluetooth capabilities in machines to connect with smartphones or tablets, mining contact lists or other information, according to security researchers.
"There is a lot of intelligence gathering and espionage-like behavior from the malware," Marcus said. "You can turn that to target any industry you want.
"It looks like the infection spread is specific to the Middle East, but malware is indiscriminate in a lot of things so it can jump," he continued.
Marcus advised companies to not only keep network software up to date but to ratchet up security settings because threats such as Flame are carefully crafted to "fly under the radar."
For example, Flame reportedly sneaked back out to the Internet by activating a seemingly innocuous Internet Explorer online browsing session.
Geographically targeted cyber espionage and even modular components in viruses have been around for years, Rik Ferguson of security firm Trend Micro said in his blog at countermeasures.trendmicro.eu.
Flame stands out for being a malware behemoth of nearly 20 megabytes and for its use of Bluetooth capabilities, according to Ferguson, who branded the malware a tool, not a weapon.
"You can't get around the fact that the thing is gigantic," Marcus said. "Someone went to a lot of trouble to really confound researchers. We are going to be ripping this sucker apart for a long time to figure everything it was doing."
-AFP
Iran admits ‘Flame’ virus caused substantial damage
Iran has admitted that a data-mining virus dubbed ‘Flame’ had caused substantial damage and that massive amounts of data had been lost in what may be the most destructive cyber attack on the nation.
The virus also damaged centrifuges operating at its uranium enrichment facility at Natanz, and reports said that even the computers of high-ranking officials had been penetrated.
Tehran’s reaction came a day after Russia-based Internet security company Kaspersky Lab uncovered the virus ‘Flame’, which it said attacked computers in Iran and elsewhere in the Middle East and may have been designed to collect and delete sensitive information.
Iran’s MAHER Center, which is part of the Islamic Republic’s Communication ministry, said that the virus “has caused substantial damage” and that “massive amounts of data have been lost,” Ynetnews reported.
Iranian authorities admitted that the malicious software ‘Flame’ had attacked its computers and systems and ordered an urgent inspection of all cyber systems in the country.
The New York Times reported that the computers of high-ranking Iranian officials appear to have been penetrated in what may be the most destructive cyber-attack on Iran since the notorious Stuxnet virus, citing confirmation from an Iranian cyber-defence organisation.
In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Center warned that the virus was dangerous.
An expert at the organisation said that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment programme.
In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.
‘Flame’, which experts say could be as much as five years old, was discovered by Iranian computer experts.
Kaspersky Lab, a Russian producer of antivirus software, said in a statement that “the complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date.”
The virus bears special encryption hallmarks that an Iranian cyber-defence official said have strong similarities to previous Israeli malware.
“Its encryption has a special pattern which you only see coming from Israel,” said Kamran Napelian, an official with Iran’s Computer Emergency Response Team.
“Unfortunately, they are very powerful in the field of IT.”
But Iran’s telecommunications ministry also claimed that it had developed software to clean this malware.
While Israel avoids comment on such matters, its involvement was hinted at by top officials there.
“Anyone who sees the Iranian threat as a significant threat — it’s reasonable that he will take various steps, including these, to harm it,” said the vice prime minister and strategic affairs minister, Moshe Yaalon, in a widely quoted interview with Israel’s Army Radio yesterday.
Mr. Napelian said that ‘Flame’ seemed designed to mine data from personal computers and that it was distributed through USB sticks rather than the Internet, meaning that a USB has to be inserted manually into at least one computer in a network.
“This virus copies what you enter on your keyboard; it monitors what you see on your computer screen,” Mr. Napelian said.
That includes collecting passwords, recording sounds if the computer is connected to a microphone, scanning disks for specific files and monitoring Skype.
“Those controlling the virus can direct it from a distance,” he said.
“Flame is no ordinary product. This was designed to monitor selected computers.”
Mr. Napelian guessed the virus had been active for the past six months and was responsible for a “massive” data loss. Iran says it has developed antivirus software to combat ‘Flame’, something that international antivirus companies have yet to do, since they have just become aware of its existence.
“One of the most alarming facts is that the ‘Flame’ cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” Alexander Gostev, chief security expert at Kaspersky Lab, said on the company’s Web site.
-The Hindu