By Greg Mills

The Stuxnet Worm discovered a year ago appears to be the tip of the iceberg in the covert cyber war against Iran, as a newly discovered bit of malware called “Flame” is being uncovered. Some experts think it could be even older than the Stuxnet worm, but the new worm was so so selective, it may have not been detected until now.

The new worm is even more sophisticated than Stuxnet, which infected thousands of computers and then erased itself if it couldn’t find a specifically targeted Siemens industrial controller to take over. Flame is much more selective in choosing a host. Experts think less than 400 computers worldwide have been infected and half of them mysteriously are located in Iran. Iran seems to be very unlucky when it comes to computer malware.

Taking the key logger sort of hidden macro to new sophistication, Flame really amounts to a hidden remote terminal sort of access program. Everything that happens on the infected computer is reported back to a remote server. which is then accessed covertly to sort through a mountain of data for interesting information.

What makes the new malware interesting is both the sophistication and the extremely specific targeting of the program. The size of the program is enormous by previous standards. Flame is able to reconfigure itself to reach out and request additional capabilities from the control server if needed. It also seeks other computers and mobile devices using Wi-Fi and Bluetooth. which might be interesting to the people behind the attack.

While there are no digital finger prints discovered so far, the English used in the software is obviously from well-educated people. As with the Stuxnet Worm, for some reason Israel and the US are the prime suspects in developing and launching the new worm.  

Europe and Iran appear to be the chosen area of infection. What makes the new worm hard to discover is that when you have less than 500 infected computers worldwide, and the malware is not obvious at first glance, it escaped notice for roughly 2-5 years. Naturally, it is a Windows infection; Macs need not worry.

While Stuxnet was designed as a cyber weapon to disable and sabotage the Iranian nuclear weapons program wherever it could do so, the Flame malware appears to be more of data stealing program. However, Iran suffered a number of mysterious data losses where hard drives in important systems went “haywire” and erased themselves for no apparent reason.   

The targeting of specific computers and certain countries is certainly the hallmark of state sponsored cyber warfare. Most of the time, cyber attacks are not mentioned in the press, since you really don’t want the perpetrators to know they succeeded in disrupting your systems. Iran normally denies such problems even when the rest of the world knows they have PCs melting down left and right.  

Recently, malware experts from Russia have gotten a lot of press in finding and outing malware that has plagued Iran for years. You would think Iran would have switched to Macs a long time ago.

That is Greg’s Bite