1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Computer virus Flame

May 30, 2012

A highly complex computer virus that affects computers in the Middle East is reminiscent of Stuxnet. Still, whether Flame is a cyber intelligence weapon is an open question.

https://p.dw.com/p/154Yp
A screenshot showing what the computer virus Flame looks like
Image: picture-alliance/dpa/Kaspersky.com

Politicians and diplomats are still trying to keep Iran from building nuclear weapons. The Israeli government has even threatened Iran with a preemptive military strike should the need arise. For now, full-on war has been averted. But a real war is being waged in the digital world. Cyber war may be different from traditional war, but it can be just as serious and have similar effects. In 2010, computer virus Stuxnet may have been targeting Iranian uranium enrichment facilities.

No one knows who is responsible for programming this highly complex software and putting it into circulation, but most experts suspect an interested country's secret service. The people responsible for temporarily disconnecting the Iranian oil ministry and the major oil terminals in the Persian Gulf from the Internet also remain unknown. The virus spread to computers and deleted data from hard disks.

Sophisticated spyware

But another new malware was discovered on one of these computers, said Vitaly Kamluk, chief malware expert at IT security company Kaspersky, which the International Telecommunications Union asked to analyze the recent attacks. The aim of the newly discovered virus was not to destroy data but collect it, he added.

Flame records keystrokes, makes screenshots, searches for devices connected to the computer via Bluetooth and spreads in a network if a remote computer (from the Internet) gives the command. The remote control computer regularly gathers data from the computers that are being spied on. From it, the virus can also be shut down.

"When it initially infects (computers), it checks for any antivirus software installed, if it is installed, then it changes logic, and it will not execute any suspicious operations that can trigger antivirus (…) detection engines to show a message to the end user," Kamluk said.

The second reason is simply the very limited spread of the virus, he noted. Preliminary figures from Kaspersky show that 189 computers were infected in Iran, 100 in Israel and the Palestinian territories, and 30 in Sudan and Syria. These figures are extremely low when compared to other viruses. Usually, international anti-virus labs like Kaspersky are only aware of a new malware when more computers have been affected.

The deliberate restraint of Flame suggests a very well thought-out plan, said Mark Felegyhati of the Laboratory of Cryptography and Systems Security at the Budapest University of Technology and Economics.

"I don't want to go into speculations on who wrote such software; the only thing that seems to be plausible that this is not written by script kiddies," Felegyhati.

Programmers unknown

Felegyhati believes that Flame could have been developed by a country that would like to use the virus for a specific purpose.

Flame could have been developed at the same time as Stuxnet, in preparation for new attacks by the same organization, Felegyhati said, adding that this was still speculation. But it is unlikely that the people behind the latest virus will be discovered in the near future.

"There are more than dozens of servers that are located in many different countries, particularly far from each other," Kamluk said. "There is no way to bind it to a specific geographical area or organization."

Author: Michael Gessat / cc
Editor: Simon Bone