Thought ‘Stuxnet’ was brilliant spyware? Meet ‘Flame’

Success has many fathers, especially in tech. Create a piece of innovative software and soon you may be fending off claims from rival coders who say they came up with it first, or from old friends who swear they gave you the idea over a beer. Bitter lawsuits ensue, musclebound twins pump their fists with rage, and so on. But there is one exception to this rule, an area of software development where success is an orphan: Malware.

Kaspersky Lab, a Russian cyber security firm, has discovered that thousands of  computers in the Middle East (mostly government machines, mostly in Iran) have been infected with a malicious piece of software they are calling Flame. Flame is insidious, destructive, and very cool. And no one will ever take credit for building it.

Similarities between Flame and the Stuxnet and DuQu viruses are leading to speculation that the programs were all created by the same people. Stuxnet, which bloodlessly set back the Iranian nuclear program by as much as a decade, is widely believed to be the product of an Israel-America cyberweaponry team-up. Of course, neither country has confirmed this.

So what does Flame do? Hey, what doesn’t it do? Flame seems to be the ultimate Spyware toolkit, an infinitely adaptable platform for surveillance and mischief that lets attackers remotely mix and match modules for different purposes. Like much spyware, Flame can log keystrokes and take screenshots. Its masters can use it to turn on an infected machine’s microphone and record whatever’s happening nearby. This feature can be triggered automatically when someone uses a sound app like Skype, or manually, say when the attacker knows that Ahmadinejad is in the room. Flame can also search a room for nearby cellphones via Bluetooth and then secretly suck contact names and phone numbers from targets’ pants. It can scan an infected computer’s local network, looking for usernames and passwords entered via other machines. Flame can delete the entire contents of a computer, and then delete itself, without leaving a trace.

Perhaps the coolest feature of Flame is that it infects with discretion. Computer viruses typically spread promiscuously, replicating themselves again and again on every machine they come into contact with.  While this distribution model is highly effective, it also quickly multiplies the likelihood of discovery. Flame only infects a new machine when it’s told to. Maybe that’s why it’s only been discovered now, after an unusually long lifespan of (it seems) five years “in the wild.” After Kaspersky Lab revealed Flame, Iran’s Computer Emergency Response Team announced that they have a detection and removal tool for Flame.

But Iran also claimed that Stuxnet barely bruised them, so who knows?

Jesse Brown is the host of TVO.org’s Search Engine podcast. He is on Twitter @jessebrown