The UN's International Telecommunication Union and Kaspersky Lab revealed today that they have discovered Flame, a new trojan rivaling Stuxnet. Codenamed "Worm.Win32.Flame," the malware is still being researched and is described as "one of the most complex threats ever discovered." It is believed to be active on thousands of computers in the Middle East, primarily in Iran and Israel, as well as on some machines in North Africa.
Researchers believe that the trojan's primary function is cyberespionage: once Flame infects a computer, it is equipped to record audio from connected or built-in microphones, monitor nearby Bluetooth devices, take screenshots, and save data from documents and emails. All of this data, apparently stolen as part of a targeted attack, is constantly sent up to command and control servers.
Flame "has no major similarities with Stuxnet" or its malware family member Duqu, and is believed to have been created and controlled by a separate group. The newly discovered worm does share some aspects with Stuxnet and Duqu, however. Most disappointingly, Flame takes advantage of the same print spooler vulnerability and autorun.inf infection methods exploited by Stuxnet. According to Kaspersky Lab's reports, Flame is believed to achieve its initial infection through users who fall victim to phishing attacks; once it is on a computer, it can spread to other machines over local area networks or via USB flash drives. The bad news is that the worm has been confirmed to spread over local area networks to fully patched Windows 7 systems, but the good news is that you shouldn't have to worry about Flame breaking into your PC in its current form. As a cyberespionage tool, the trojan has been seen targeting some individuals, but mainly education and government organizations in the Middle East. Additionally, the research says that the worm surveys a system and will then uninstall itself from machines it deems uninteresting.
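The autorun.inf vector mentioned above is the one that defenders can check for directly on removable media. The following is an added example (not code from the article, Kaspersky, or any Flame analysis): a small triage helper that parses the INI-like autorun.inf format and reports any directive that would cause a program to launch when AutoRun honours the file. The two sample autorun.inf contents are constructed for the demonstration, and the rule "any section whose name starts with autorun" is an assumption that covers the platform-specific variants of the section name.

```python
"""Triage helper: flag autorun.inf files that request program execution.

Added example for illustration only; not part of the article or of any
vendor analysis. Sample autorun.inf contents below are constructed.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Directives that launch a program when AutoRun processes the file.
EXEC_KEYS = {"open", "shellexecute"}

# Constructed sample 1: a harmless autorun.inf that only sets an icon/label.
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Product CD
"""

# Constructed sample 2: an autorun.inf that launches a binary hidden in a
# recycle-bin style folder, the classic removable-media infection pattern.
SAMPLE_SUSPICIOUS = """; constructed example
[AutoRun]
open=RECYCLER\\S-1-5-21\\update.exe
shell\\open\\command=RECYCLER\\S-1-5-21\\update.exe
shell\\explore\\command=RECYCLER\\S-1-5-21\\update.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse autorun.inf text into {section: [(key, value), ...]}.

    Section and key names are lower-cased; duplicates are kept in order.
    A hand-rolled parser is used because Windows' INI handling is more
    lenient than configparser (e.g. '%' in values, repeated keys).
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section or without '='
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def exec_directives(text: str) -> List[str]:
    """Return 'key=value' for each directive that would run a program.

    Matches the 'open' and 'shellexecute' keys plus any custom verb of the
    form shell\\<verb>\\command, in every section named autorun*.
    """
    hits: List[str] = []
    for name, entries in parse_autorun(text).items():
        if not name.startswith("autorun"):  # assumption: autorun, autorun.x64, ...
            continue
        for key, value in entries:
            is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
            if key in EXEC_KEYS or is_verb_cmd:
                hits.append(f"{key}={value}")
    return hits


def is_suspicious(text: str) -> bool:
    """True when the autorun.inf would launch anything at all."""
    return bool(exec_directives(text))


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a mounted volume or disk image and report every autorun.inf
    that contains execution directives, keyed by file path."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != "autorun.inf":
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = exec_directives(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    # Stand-alone demo: write both samples into a temporary "volume" and scan it.
    with tempfile.TemporaryDirectory() as vol:
        os.makedirs(os.path.join(vol, "clean"))
        os.makedirs(os.path.join(vol, "usb"))
        with open(os.path.join(vol, "clean", "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        with open(os.path.join(vol, "usb", "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE_SUSPICIOUS)
        for path, hits in scan_tree(vol).items():
            print(f"{path}: {len(hits)} execution directive(s)")
            for h in hits:
                print("   ", h)
```

Point `scan_tree` at the mount point of a removable volume (or an extracted disk image) to list every autorun.inf that would launch something; an `icon=` or `label=` only file is reported as clean. Disabling AutoRun via policy remains the actual mitigation; this script only makes the artefact visible for triage.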
Why is Flame considered to be such a complex threat, then? Well, the malware itself can be as large as 20MB — about twenty times larger than Stuxnet. This size is part of what makes Flame unique. According to Kaspersky, most malware is as simple and small as possible, as that makes it easiest to hide the malicious code and get it onto unsuspecting machines. In this case, however, Flame's size made it hard to detect because no one was looking for it. Part of the reason Flame is so large is that it has optional plug-ins that can be added after a machine is infected to try and get specific data. Different machines carry different assortments of plug-ins; that 20MB maximum size includes all 20 different plug-ins that have been discovered. Unfortunately, that massive size is going to make it difficult for researchers to get their hands around Flame: Kaspersky says that since it took "several months" to understand Stuxnet's 500KB of code, Flame is expected to require a year's worth of effort.