Flame is the latest high-profile virus to penetrate Iran's computer defenses in the past two years, boosting speculation that Israeli programmers could have struck again. Officials said Iranian experts had quickly detected and defeated the Stuxnet-like Flame virus, and that the oil industry was the only governmental body seriously affected.
Kaspersky recently revealed its research into Flame, which was first detected back in 2010. According to Kamlyuk, Kaspersky Labs came across Flame completely by accident. Kaspersky had been asked by the UN's International Telecommunication Union to investigate a totally different infection that was frying hard drives throughout the Middle East. That's how Flame was uncovered, and it turned out to be substantially more interesting than what they were actually searching for.
Kamlyuk has reiterated that Flame is terribly complex for a piece of malware. The 20MB package is still being analyzed, but has been slow to reveal its secrets. The Stuxnet attack that damaged Iranian nuclear facilities last year was barebones by comparison, weighing in at just a few hundred kilobytes.
Flame's level of sophistication leads Kaspersky to assume it was built by government scientists, but no one knows which government. Flame gathers a huge amount of data from infected systems, but it has been hard to sort out where it is all going. Dozens of control servers have been located, but the domains associated with them are registered with fake identities.
Flame steals hard drive contents, screenshots, and keystrokes. It can also use the system microphone and Bluetooth radio to suck in more data. Kamlyuk says the large volume of data being stolen is probably the limiting factor for Flame. To save on bandwidth, Flame may delete itself from systems that have been fully exploited. This is part of what made the infection hard to detect.