Flame virus 'much bigger than Stuxnet'

A Russian computer firm has discovered a new computer virus with unprecedented destructive potential that chiefly targets Iran and could be used as a "cyberweapon" by the West and Israel.

Kaspersky Lab, one of the world's biggest producers of anti-virus software, said its experts discovered the virus -- known as Flame -- during an investigation prompted by the International Telecommunication Union (ITU).

Iran appears to have been the main target of the attack and the announcement comes just a month after the Islamic Republic said it halted the spread of a data-deleting virus targeting computer servers in its oil sector.

Kaspersky said the virus was several times larger than the Stuxnet worm that was discovered in 2010 and targeted the Iranian nuclear programme, reportedly at the behest of Western or Israeli security agencies.

It said the main task of Flame is cyber espionage, meaning it steals information from infected machines including documents, screenshots and even audio recordings. It then sends the data to servers all over the world.

Flame is "actively being used as a cyberweapon attacking entities in several countries," Kaspersky said in a statement late on Monday.

Flame is "one of the most advanced and complete attack-toolkits ever discovered."

"The complexity and functionality of the newly discovered malicious programme exceed those of all other cyber menaces known to date," it added.

The origin of the Stuxnet worm has never been made clear but suspicion has fallen on the United States and Israel which both accuse Iran of seeking to build an atomic weapon.

The chief security expert at Kaspersky, Alexander Gostev, said that Iran was the country by far the worst affected by Flame followed by Israel/Palestinian Territories, Sudan, Syria and Lebanon.

"The geography of the targets and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it," he said in an analysis article.

He said that the aim of the virus was clearly to "collect information" on the operations of states in the Middle East such as Iran, Lebanon and Syria.

However, like Stuxnet and another previous superworm Duqu, "its authors remain unknown", he said.

"Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists," he added.

Without giving any indication that Israeli spy agency Mossad could be involved in Flame, Israel's Strategic Affairs Minister Moshe Yaalon said such cyberweapons were an important part of the arsenal of Iran's enemies.

"For anyone who sees the Iranian threat as significant, it is reasonable that he would take different steps, including these, in order to hobble it," he told army radio.

"Israel is blessed with being a country which is technologically rich, and these tools open up all sorts of possibilities for us."

Iran swiftly claimed to have come up with an anti-virus programme against Flame.

"Tools to recognise and clean this malware have been developed," Maher, a computer emergency response team coordination centre in Iran's telecommunications ministry, said on its website.

Iran in April said it had set up a crisis committee to combat a mystery cyber attack which hit computers including ones running its main oil export terminal on Kharg Island in the Gulf.

Kaspersky's Gostev said it was alarming that the cyber attack was now in its active phase.

"Its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals."

According to Laurent Heslault, security chief of the Symantec firm which makes Norton computer protection software, it is likely that Flame was being used for "highly targeted" attacks.

"The computers affected can be counted by the dozen, maybe hundreds, but no more than that," he added.

"Given its sophistication, it is clearly sponsored by someone with means.

"Is it a state? Is it the military? Is it paramilitary? It's hard to say," he added.

Flame had been "in the wild" for more than two years, since March 2010, Kaspersky said. It gave no clues over which party could have been behind the attack.