This week a “new” malware has been uncovered (taking a look at our Collective Intelligence database, I can confirm that some of the files involved in this attack date back at least to April 2011.) that could be related to cyber-espionage (detected as W32/Flamer.A.worm). It has been infecting computers in middle-east countries (Iran, Israel, Syria, etc.) and its purpose is to steal information.

Iranian CERT has published information about this threat here and our colleagues from Kaspersky have been investigating it for some time and have published a nice Questions and Answers article here.

Usually targeted attacks are performed using Trojans, but this time you can see we are talking about a worm. Worms self-replicate, so at a certain point the owner / creator of the worm cannot control where it is spreading and who it is infecting to, and when you have some specific target(s) you want to be under the radar to avoid being discovered. How has Flame solved this issue? Even though it is a worm, its spreading mechanisms are disabled. It looks like whoever is behind can activate that feature when needed, a smart move when you want to go unnoticed.

What can Flame steal? Is it looking for the most hidden secrets that no other malware is capable to find? The answer is no, we have not found yet any feature not seen before in other malware samples. But it has a number of different stealing ways that are present all together, and has a number of different plugins that give Flame the capability to know everything about his target, even turning on the microphone and record whatever conversation is taking place.

I would like to quote this question and answer from the article our friends from Kaspersky have published:

Is this a nation-state sponsored attack or is it being carried out by another group such as cyber criminals or hacktivisits?
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.

First thing I want to say is that I do agree that this looks like a nation-state sponsored attack. However the explanation given is not good at all: as it is not stealing money from bank accounts and it is not a hack tool, it has to be a nation-state attack. Sure. Following this reasoning, “I love you” was also a nation-state sponsored attack.

Flame is designed to steal information in many different ways, it is controlled by a “mastermind” from a number of Command & Control servers and it has been developed and managed in a completely different way we are used to see in cybercriminals. It can spread but only when the people behind it want, and it has been seen only in a small number of countries in a region with a lot of political and economical interests.