Researchers have identified a sophisticated new computer virus 20 times the size of Stuxnet, the malicious software that disabled centrifuges in an Iranian nuclear plant. But unlike Stuxnet, the new malware appears to be used solely for espionage.
Variously dubbed Flame, Skywiper and Flamer, the new virus is the largest and possibly most complex piece of malware ever discovered, which suggests it is state-sponsored, researchers said.
It is loaded with functions, but so far none appears to be destructive, they said.
As with Stuxnet, the creator of Flame remains a mystery, though some analysts say they suspect Israel and the United States, given the virus’s sophistication, among other things.
Some researchers say that certain characteristics common to Stuxnet and Flame suggest that whoever ordered up Stuxnet is also behind Flame.
“It’s very likely it’s two teams working effectively on the same program but using two very different approaches,” said Roel Schouwenberg, a senior researcher with Kaspersky Labs, a Russian cybersecurity firm, which announced its analysis of Flame on Monday.
Still, much research remains to be done on the new virus, which has also been analyzed by CrySys, a cryptography and system security lab at the Budapest University of Technology and Economics.
Skywiper, as CrySys calls the virus, may have been active for as long as five to eight years. It uses five encryption methods, three compression techniques and at least five file formats. Its means of gathering intelligence include logging keyboard strokes, activating microphones to record conversations and taking screen shots, CrySys reported.
It is also the first identified virus that is able to use Bluetooth wireless technology to send and receive commands and data, Schouwenberg said.
One of the characteristics Stuxnet and Flame share is the ability to spread through computers that can share a printer on one network by exploiting a particular Windows vulnerability, Schouwenberg said. Flame is reminiscent of DuQu, a virus thought to be related to Stuxnet, in that its function is espionage.
“We would position Flame as a project running parallel to Stuxnet and DuQu,” Kaspersky Labs said in a blog post Monday.
Flame contains 20 megabytes of code. Though malware’s size is not per se a measure of sophistication, Schouwenberg said, in this case “its size shows that it’s taken a lot of time and work to create.”
So far Kaspersky, which has clients around the world, has identified Flame infections primarily in Iran, Israel and other Middle Eastern countries but none in Europe or North America. The infections have hit computers belonging to individuals, educational institutions and state-related organizations, Kaspersky said.
The virus’s creators seemed interested in general intelligence — e-mails, documents, even instant messages, Kaspersky said. But the lab has no evidence so far to document any data stolen.