Flame worm - Iran claims to discover new Stuxnet-like malware


Iran flag in flames. Image courtesy of Shutterstock.

The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted malware attack against the country, which has been dubbed Flame (also known as Flamer or Skywiper).

In a statement, MAHER's researchers say that they believe the malware is "a close relation" to Stuxnet, and claim that Flame was not detected by any of the 43 anti-virus products they tested it against, but that detection was issued to select Iranian organisations and companies at the beginning of May.

MAHER also says that it has produced a removal tool for the malware. Whether this is built into the recently announced "Iran's self-built anti-virus" is unclear.

According to the advisory, Flame can spread (like Stuxnet) via USB sticks and across networks.

In addition, the malware (which can infect PCs running Windows XP, Vista and Windows 7) is said to be capable of scooping up passwords, taking screenshots, and stealing data.

Unfortunately, SophosLabs cannot tell you anything about the Flame malware. At the time of writing we don't know if we have a sample in our malware collection.

We're hoping that MAHER might publish an MD5 checksum, for instance, which would help us quickly ascertain whether this is a sample of some malware that we've seen before. Of course, our labs would also be happy to receive a sample of the malware itself if anyone in Iran would like to share it with us.
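The cross-check described above, as an added example (this is not code from the post or from SophosLabs): a lab keeps an index of the samples it already holds, keyed by MD5 and SHA-256, so a digest published in an advisory can be looked up immediately, and a file that does arrive can be matched in full. The sample bytes and labels are constructed stand-ins, not real Flame files. One caveat a practitioner would add: MD5 is convenient because it is what advisories tend to print, but MD5 collisions are practical to construct, so an MD5-only hit is treated here as a lead to confirm rather than an identification.

```python
import hashlib
from io import BytesIO

# Constructed stand-in samples (a few bytes behind a PE-style "MZ" header);
# these are NOT real Flame files and carry no real indicator value.
SEEN_SAMPLES = {
    "seen-a": b"MZ\x90\x00" + b"\x00" * 60 + b"sample A already in the collection",
    "seen-b": b"MZ\x90\x00" + b"\x00" * 60 + b"sample B already in the collection",
}
UNSEEN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"a file nobody has catalogued yet"


def hash_stream(stream, chunk_size=65536):
    """Compute MD5 and SHA-256 of a binary stream in a single pass, reading
    in chunks so a multi-megabyte sample never has to sit in memory whole."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (tests, captured payloads)."""
    return hash_stream(BytesIO(data))


def hash_file(path):
    """Hash a sample on disk without loading it entirely."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def build_known_index(labelled_samples):
    """Index already-catalogued samples ({label: bytes}) by both digests."""
    index = {"md5": {}, "sha256": {}}
    for label, data in labelled_samples.items():
        digests = hash_bytes(data)
        index["md5"][digests["md5"]] = label
        index["sha256"][digests["sha256"]] = label
    return index


def lookup_published_md5(md5_hex, index):
    """Does an MD5 printed in an advisory correspond to something already
    in the collection? Returns the label or None. The hex string is
    normalised so an uppercase copy-paste still matches."""
    return index["md5"].get(md5_hex.strip().lower())


def classify(digests, index):
    """Match a full sample's digests against the index.

    Returns (label, confidence): 'strong' on a SHA-256 hit, 'weak' when only
    the MD5 matches (an MD5-only hit needs confirming, since collisions are
    practical), and (None, None) when the sample is unknown.
    """
    label = index["sha256"].get(digests["sha256"])
    if label is not None:
        return label, "strong"
    label = index["md5"].get(digests["md5"])
    if label is not None:
        return label, "weak"
    return None, None


if __name__ == "__main__":
    index = build_known_index(SEEN_SAMPLES)
    # Simulate an advisory publishing the digest in uppercase.
    published = hash_bytes(SEEN_SAMPLES["seen-b"])["md5"].upper()
    print("published MD5 matches:", lookup_published_md5(published, index))
    print("unseen sample:", classify(hash_bytes(UNSEEN_SAMPLE), index))
```

In practice the index would be populated from the lab's own collection with `hash_file`, and a SHA-256 (or a full sample) would be requested alongside any MD5 before anything is treated as a positive identification.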

The discovery of Flame follows other alleged cyberwarfare attacks on Iran, including Stuxnet, Duqu and the mysterious Stars virus.

Of course, identifying the malware is only part of the story. What will be particularly interesting is whether we can determine who wrote the Flame malware, and why.

Further reading: Flame malware - more details of targeted cyber attack in Middle East



10 Responses to Flame worm - Iran claims to discover new Stuxnet-like malware

  1. B_H · 879 days ago

    We have great malware analysts and reverse engineering guys in Iran, and why should they share the sample with you guys!? I want to remind you that in the last attack, Duqu, the EU and US didn't share anything with Iran; they said we had an NDA, that's unpatched MS and this is a 0-day and blah blah blah... But I know in the next few days the files should be published, because tons of computers here use cracked or original AV products, and the automatic sample submission section is enabled by default too. I think Iranian guys should be working on blocking the modules used in AV products to submit information and files, from the Iranian great firewall. This is a cyber attack, but the funny part is Iran should share information with the East, and they didn't share anything.

    • Trolololol · 879 days ago

      Evidently Iran has expert malware analysts, this was highlighted when they discovered the Stuxnet virus destroying the centrifuges at the "ultra high security facility" at Natanz, oh wait, nevermind

      • B_H · 879 days ago

        Destroying!? Security incidents happen all the time, to any place, from the NSA to top security companies... But a short response time is important, and you should have heard from the news agencies that the Natanz centrifuges are working fine :) And on 25-26 May... why were powerful countries in Baghdad to talk to the IR government!? Maybe because of a high-security facility destroyed by Stuxnet :) Never mind. I am talking about cyber security, and all of us should help to make the internet safer... this is about why Symantec shared code with CrySyS to analyze, and didn't say anything?! Their problem is that they think they are in a war! But we are not in a war. When the Iranian national CERT published the first document, Symantec and CrySyS also published powerful data and material, but they didn't add the signature to their AV database. Do you know what that means!? It means your country, your computers, your family's systems could be infected too, and what's privacy!? Oh yeah, never mind.

        • ohnous · 877 days ago

          You think this malware, if available, cannot be detected with the IDS or IPS used in companies?
          Malware and network forensics is a GOOD SOLUTION for this matter!!!
          MAHER says it has the ability to remove this malware, but when you run the removal tool written by MAHER, if your system is infected, you must send it to them!!! http://www.certcc.ir/index.php?name=news&file...

  2. jeff · 878 days ago

    I wonder if the "Flame" references are due to the use of the Pyro F.L.A.M.E. ( Foreign Location Automatic Module Exposer) object.
    (http://packages.python.org/Pyro4/flame.html) Note there are .NET versions of the client also.

  3. David Heath · 878 days ago

    Is this the same as the 'FLAME' malware reported by the BBC earlier today?
    http://www.bbc.com/news/technology-18238326

  4. jeff · 878 days ago

    I wonder if the "Flame" references are due to the use of the Pyro F.L.A.M.E. ( Foreign Location Automatic Module Exposer) object.
    ( http://packages.python.org/Pyro4/flame.html)

  5. Ohnous · 878 days ago

    Hi all,
    This malware is not real, like the WIPER malware!!!
    This is a joke.
    I analysed a WIPER sample, and this malware is detected by Sophos and is a backdoor on port 8000; it cannot wipe any information.
    The Iranian government says the Wiper malware can boot PCs remotely and clients must delete the Diskpart.exe Windows application....
    All of them are kidding.

  6. MarkW · 878 days ago

    I find it hard to believe that none of the large AV vendors or security experts were aware of the existence of such a highly sophisticated worm, which has supposedly been active since late 2010, especially given the links between AV vendors and law enforcement.

    When did the UN's ITU report this and why has it been kept secret for so long?

  7. Unkown · 876 days ago

    "Webroot said its automatic virus-scanning engines detected Flame in December 2007, but that it did not pay much attention because the code was not particularly menacing.

    That is partly because it was easy to discover and remove, said Webroot Vice President Joe Jaroch"


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.