A new and fast spreading malware tipped to already dwarf the notorious Stuxnet has been identified, codenamed Flame and believed to be state-run cyberespionage affecting PCs in Iran and nearby countries. Spotted by Kaspersky Lab, “Worm.Win32.Flame” blends features from backdoor, trojan and worm malware, and once surreptitiously loaded onto a target machine can monitor network traffic, local use, grab screenshots and record audio, sending all that data back to its home servers. Believed to be active from at least March 2010, Flame is tipped to be 20x more prevalent than Stuxnet.
Iran is the most common place Kaspersky have discovered Flame, but it’s also been discovered in Israel, Palestine, the Sudan, Syria, Lebanon, Saudi Arabia and Egypt; there are “probably thousands of victims worldwide” the researchers estimate. Interestingly, there’s a broad spread of targeted computers, across academia, private companies, specific individuals and others; the operators appear to be cleaning up after themselves, too, only leaving Flame active on the most interesting machines, and deleting it from those with little worth.
Once loaded, Flame has the ability to be updated with new functionality in the form of add-on packages, of which around twenty have been currently identified. The exact purposes of those modules is still being investigated.