A Complete Guide to Flame, the Malicious Computer Virus Ravaging Iran

Iran has acknowledged that Flame, what some have called the most sophisticated cyber espionage weapon yet, has infected computers across the country. "Having conducted multiple investigations during the last few months, the Maher center, the Iranian CERTCC, following the continuous research on the targeted attacks of Stuxnet and Duqu since 2010, announces the latest detection of this attack for the very first time," reads the official statement. That all sounds scary, but perhaps, like us, you're not exactly sure what it all means. Cyber-warfare, as far as wars go, is pretty abstract. Let's talk this one out.

Ok, so let's start from the beginning. What does this virus do exactly?

Per the Iranian statement, once it has infected a computer the virus can do the following nefarious things: collect passwords, take screengrabs of important processes or active windows, record sounds happening via Skype or even around the computer, transfer any data it has to control servers, bypass anti malware and other security software, and infect "large scale local networks," meaning, it's far reaching.

How far reaching, exactly? 

From most infected to least infected, it has reached Iran, parts of Israel and Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

That sounds pretty invasive. How, technically, does it work?

This very thorough explanation from the Kaspersky Lab, albeit a little technical, does a wonderful job describing how the virus does its thing. As Kaspersky explains it, the virus is a 20 megabyte "sophisticated toolkit," even more complex than previous viruses that have attacked Iranian computer systems. This one shows characteristics of being a "backdoor," a "Trojan," and "worm-like," all at the same time. The backdoor, as Wired's Kim Zetter explains, allows the creators to go in and tweak the virus, adding new functionalities. A worm means the virus can travel between computers without a human doing anything, we learn from webopedia. And a Trojan looks like harmless software when first installed. Once installed, here's how it works, according to Kaspersky Lab:

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.

Interesting. You mentioned previous viruses. I think I've heard of these. You mean Stuxnet and Duqu, right? How is this different? 

This virus is definitely related to those two, which infected Iranian nuclear computer systems in 2010 and 2011. At least the Iranian government thinks so. "It seems there is a close relation to the Stuxnet and Duqu targeted attacks," read the official statement. But this one is being talked up as bigger and scarier. "Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide," said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. "The Flame malware looks to be another phase in this war, and it's important to understand that such cyber weapons can easily be used against any country." Hacking expert Jeff Moss, however, told Reuters that everyone is overreacting. "It will take time to disassemble, but it is not the end of the Net," he said. "We seem to be getting to a point where every time new malware is discovered it's branded 'the worst ever,'" added Marcus Carey, a researcher with cyber security firm Rapid7.

So, if these are related to Stuxnet and Duqu are they from the same source, then?

Kind of, but not exactly. Neither Zetter nor the Kaspersky Lab believes the virus has the same authors. "It was obvious DuQu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities," Alexander Gostev, chief security expert at Kaspersky Lab, told Zetter. "Everything is completely different, with the exception of two specific things." Though, the Kaspersky Lab in its write-up says "the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."

Which nation-state do they think was behind it, then? 

Israel is the obvious guess, with the country's tension with Iran. Plus, Iran had blamed Israel and the United States for Stuxnet. The Washington Post's Ellen Nakashima believes Israeli Vice Prime Minister Moshe Yaalon alluded to the country's involvement. "Whoever sees the Iranian threat as a significant threat — and it’s not only Israel, it’s the whole Western world, led by the United States — it’s certainly reasonable that he uses all means at his disposal, including these, to harm the Iranian nuclear system," Yaalon said speaking on Israel's Army Radio. "Israel is blessed with being a country rich in high-tech, and from that perspective, these achievements we take pride in, both in the civilian sector and defense sector, open up very many opportunities," he added.

So, this sounds like it could be a type of warfare. Has Iran done anything about it? 

The U.N. has also issued what it calls the most serious cyber warning it has ever put out. And, the Iranian government says it has it under control, having developed a "removal tool." Though, the virus has been active since August 2010, says Kaspersky Lab. Plus, lots of damage has already been done, with the Iranian statement saying massive amounts of data have been lost already.

This article is from the archive of our partner The Wire.