Iran has acknowledged that Flame, what some have called the most sophisticated cyberespionage weapon yet, has infected computers across the country. "Having conducted multiple investigations during the last few months, the Maher center, the Iranian CERTCC, following the continuous research on the targeted attacks of Stuxnet and Duqu since 2010, announces the latest detection of this attack for the very first time," reads the official statement. That all sounds scary, but perhaps, like us, you're not exactly sure what it all means. Cyberwarfare, as far as wars go, is pretty abstract. Let's talk this one out.
Ok, so let's start from the beginning. What does this virus do, exactly?
Per the Iranian statement, once it has infected a computer the virus can do the following nefarious things: harvest passwords; take screenshots of selected processes or active windows; record audio from Skype calls or even from the microphone near the machine; upload everything it collects to command-and-control servers; evade anti-malware and other security software; and spread across "large-scale local networks," meaning that once it is inside an organization it can propagate widely.
In order of how many infections have been found, it has reached Iran, Israel and the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
That sounds pretty invasive. How, technically, does it work?
This very thorough explanation from Kaspersky Lab, albeit a little technical, does a wonderful job of describing how the virus does its thing. As Kaspersky explains it, Flame is a roughly 20-megabyte "sophisticated toolkit," far larger and more complex than the previous viruses that have attacked Iran's computer systems. It shows characteristics of a "backdoor," a "Trojan," and a "worm" all at the same time. The backdoor, as Wired's Kim Zetter explains, lets its operators reach back into an infected machine and add new functionality on the fly. A worm can travel between computers without a human doing anything, as Webopedia puts it. And a Trojan disguises itself as harmless software when it is first installed. Once it is in place, here is how it works, according to Kaspersky Lab:
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All of this data is available to the operators through the link to Flame’s command-and-control servers.
Interesting. You mentioned previous viruses. I think I've heard of these. You mean Stuxnet and Duqu, right? How is this different?
This virus appears to be related to those two, which targeted Iranian systems, including its nuclear program, and were uncovered in 2010 and 2011. At least the Iranian government thinks so. "It seems there is a close relation to the Stuxnet and Duqu targeted attacks," read the official statement. But this one is being talked up as bigger and scarier. "Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” Eugene Kaspersky, the CEO and a co-founder of Kaspersky Lab, said in a statement. "The Flame malware looks to be another phase in this war, and it’s important to understand that such cyberweapons can easily be used against any country." Jeff Moss, founder of the Black Hat and DEF CON security conferences, told Reuters that everyone is overreacting. "It will take time to disassemble, but it is not the end of the Net," he said. Added Marcus Carey, a researcher at the cybersecurity firm Rapid7, "We seem to be getting to a point where every time new malware is discovered, it's branded 'the worst ever.' "
So, if these are related to Stuxnet and Duqu are they from the same source?
Kind of, but not exactly. Kaspersky Lab does not believe the virus has the same authors, as Zetter reports. "It was obvious Duqu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities," Alexander Gostev, chief security expert at Kaspersky Lab, told Zetter. "Everything is completely different, with the exception of two specific things." Different authors, though, does not mean a lesser adversary: in its statement, Kaspersky Lab notes, "The complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it."
Which nation-state do they think was behind it?
Israel is the obvious guess, given the country's tensions with Iran. Plus, Iran had blamed Israel and the United States for Stuxnet. The Washington Post's Ellen Nakashima believes that Israeli Vice Prime Minister Moshe Yaalon alluded to the country's involvement. "Whoever sees the Iranian threat as a significant threat—and it’s not only Israel, it’s the whole Western world, led by the United States—it’s certainly reasonable that he uses all means at his disposal, including these, to harm the Iranian nuclear system," Yaalon said, speaking on Israel's Army Radio. "Israel is blessed with being a country rich in high-tech, and from that perspective, these achievements we take pride in, both in the civilian sector and defense sector, open up very many opportunities," he added.
So, this sounds like it could be a type of warfare. Has Iran done anything about it?
The Iranian government says it has the virus under control, having developed a "removal tool." But Kaspersky Lab says the virus has been active since at least August 2010, so a lot of damage has likely already been done; the Iranian statement says massive amounts of data have been lost. The International Telecommunication Union, the United Nations' telecommunications agency, has also issued what it calls the most serious cyberwarning it has ever put out.