Thought ‘Stuxnet’ was brilliant spyware? Meet ‘Flame’

It can read keystrokes and take screen-grabs, detect cellphones and even record conversations


Photograph: Kaspersky Lab

Success has many fathers, especially in tech. Create a piece of innovative software and soon you may be fending off claims from rival coders who say they came up with it first, or from old friends who swear they gave you the idea over a beer. Bitter lawsuits ensue, musclebound twins pump their fists with rage, and so on. But there is one exception to this rule, an area of software development where success is an orphan: Malware.

Kaspersky Lab, a Russian cyber security firm, has discovered that thousands of computers in the Middle East (mostly government machines, mostly in Iran) have been infected with a malicious piece of software they are calling Flame. Flame is insidious, destructive, and very cool. And no one will ever take credit for building it.

Similarities between Flame and the Stuxnet and DuQu viruses are leading to speculation that the programs were all created by the same people. Stuxnet, which bloodlessly set back the Iranian nuclear program by as much as a decade, is widely believed to be the product of an Israel-America cyberweaponry team-up. Of course, neither country has confirmed this.

So what does Flame do? Hey, what doesn’t it do? Flame seems to be the ultimate Spyware toolkit, an infinitely adaptable platform for surveillance and mischief that lets attackers remotely mix and match modules for different purposes. Like much spyware, Flame can log keystrokes and take screenshots. Its masters can use it to turn on an infected machine’s microphone and record whatever’s happening nearby. This feature can be triggered automatically when someone uses a sound app like Skype, or manually, say when the attacker knows that Ahmadinejad is in the room. Flame can also search a room for nearby cellphones via Bluetooth and then secretly suck contact names and phone numbers from targets’ pants. It can scan an infected computer’s local network, looking for usernames and passwords entered via other machines. Flame can delete the entire contents of a computer, and then delete itself, without leaving a trace.

Perhaps the coolest feature of Flame is that it infects with discretion. Computer viruses typically spread promiscuously, replicating themselves again and again on every machine they come into contact with. While this distribution model is highly effective, it also quickly multiplies the likelihood of discovery. Flame only infects a new machine when it’s told to. Maybe that’s why it’s only been discovered now, after an unusually long lifespan of (it seems) five years “in the wild.” After Kaspersky Lab revealed Flame, Iran’s Computer Emergency Response Team announced that they have a detection and removal tool for Flame.

But Iran also claimed that Stuxnet barely bruised them, so who knows?

Jesse Brown is the host of TVO.org’s Search Engine podcast. He is on Twitter @jessebrown



  1. Cyberwarfare has been underway for a long time now. Our own DND was raided years ago much to the astonishment of Stockwell Day.

    Meantime we diddle around with WWII stuff like the F-35, even though the Brits have told us the plans for it were stolen from them some time ago… and indeed Chinese counterfeit parts for it have shown up at Lockheed.

    If the Israelis have indeed been this foolish, then they shouldn’t be surprised when the same thing is done to them.

  2. Fascinating story – what the Americans/Israelis are doing to stop Iran from developing a bomb. Nuclear scientists also regularly blown up by US/Is presumably.

    Iranians are also probably the most conspiracy theory minded people in the world. I bet the mad mullahs know who is behind the attacks but they will also be suspecting one another of being in the employ of the UK Queen or some such.
