The Middle East fights the Flame, but virus spreads anyway

Flame virus has infected more than 1,000 Windows-powered computers across the Middle East, according to reports.

Vahid Salemi/AP/File
This file photo shows the Maroun Petrochemical plant in southwestern Iran. In September 2011 engineers took the plant -- and Iran's oil ministry -- offline in response to a computer virus. Flame, a new virus, doesn't seem to be targeting any specific industry, but it is mining data from infected computers in Iran and other parts of the Middle East.

Iranian IT workers just can't catch a break.

Two years ago there was Stuxnet, a virus that targeted Iranian uranium-enrichment infrastructure. Now Flame, a mutating piece of malware, is continuing to spread, infecting more than 1,000 Windows-powered computers across the Middle East. It's centered on Iran, but has also spread to Israel and Palestine, Saudi Arabia, Syria, and even Sudan.

Although Flame was first discovered about two weeks ago, it's still not clear who is behind the software. Last week the New York Times quoted an Iranian cyberdefense official who said the virus's encryption looked like Israel's handiwork. Kaspersky Lab, a Russian antivirus company, said Flame might have been created by the same contractors who were responsible for Stuxnet, working with a different team of programmers. Flame is a targeted virus, just as Stuxnet was, but while the latter was aimed at industrial control systems, Flame doesn't appear to be targeting any particular industry or system -- just Windows PCs in the Middle East.

Flame makes use of what are called "zero-day" vulnerabilities: flaws in software (in this case, the Windows 7 operating system) that no one else knew about. One of the ways Flame spreads is by faking the Windows Update dialog: it tricks the user into downloading an "update," when really they're receiving malware from another infected machine. This vulnerability allows Flame to infect even computers with recent Windows security patches. On Monday Microsoft announced that it had fixed the fake-update bug, and told users that the update would protect from further infection.

Flame is a huge virus -- 20 megabytes of various modules, databases, and varying levels of encryption. It's 40 times larger than Stuxnet, and it's been operating for at least two years without having been detected. So far researchers have a pretty good idea of what it's designed to do -- steal and transmit information from infected machines -- but because it contains so much code, it will take years to fully analyze. So far we know it can activate a computer's built-in microphone to record Skype conversations, siphon contact information from an address book, and transmit screenshots of user activity.

Here's the funny thing, though: many of Flame's modules aren't turned on by default -- they appear to be included in the program to give attackers more options after it's installed. For example, in addition to the bogus update dialog, the virus has the capability to spread itself through infected USB drives or through a shared printer. But computers with up-to-date antivirus software would be able to detect and prevent this tactic, so Flame first checks to see whether it's running on a patched system, and won't attempt to spread through these methods if it is. Researchers think this low-profile design is what has allowed the virus to operate quietly since 2010.

In spite of its fairly conventional data-theft tactics, the consensus is that it's the work of a nation-state rather than just a group of programmers -- Finnish security firm F-Secure said that it was "most likely launched by a Western intelligence agency." So it may be another indication of the role that cyberwarfare will play in future conflicts.
