Mystery virus sought to steal ‘designs from Iran’: Russian firm


A mystery computer virus discovered last month and deployed in a massive cyberattack chiefly against Iran sought to steal designs and PDF files from its victims, a Russian firm said.

Kaspersky Lab, one of the world’s biggest producers of anti-virus software, announced last month the discovery of the Flame virus, which it described as the biggest and most sophisticated malware ever seen.

In the latest update on Kaspersky’s analysis of the virus, released late Monday, the firm’s chief security expert, Alexander Gostev, said the malware’s creators had focused on file formats such as PDF and AutoCAD, a software for computer design and drawing.

“The attackers seem to have a high interest in AutoCAD drawings,” Gostev said in a statement.

The malware also “goes through PDF and text files and other documents and makes short text summaries,” he added.

“It also hunts for e-mails and many different kinds of other ‘interesting’ (high-value) files that are specified in the malware configuration.”

He confirmed that Iran was by far the biggest target with a count of 185 infections, followed by 95 in Israel and the Palestinian Territories, 32 in Sudan and 29 in Syria.

The discovery of Flame immediately sparked speculation that it had been created by U.S. and Israeli security services to steal information about Iran’s controversial nuclear drive.

Intriguingly, Kaspersky said that hours after the existence of the virus was first announced on May 28, “The Flame command-and-control infrastructure, which had been operating for years, went dark.”

It gave no further information over the possible perpetrators of the mystery attack, though it identified about 80 domains that appear to belong to the Flame infrastructure, in locations from Hong Kong to Switzerland.

Kaspersky said it had used a procedure known as sinkholing -- which allows Internet security experts to gain control of a malicious server -- to analyze the operation.

During the sinkholing it found that on three computers in Lebanon, Iraq and Iran the Flame versions changed, suggesting Flame upgraded itself in the process.

The New York Times reported last week that President Barack Obama has accelerated cyberattacks on Iran’s nuclear program in an operation codenamed “Olympic Games” that uses a malicious code developed with Israel.

Flame exploits Windows bug

Meanwhile, Microsoft Corp warned that a bug in Windows allowed PCs across the Middle East to become infected with Flame and released a software fix to fight the espionage tool that surfaced last week.

Security experts said they were both surprised and impressed by the approach that the attackers had used, which was to disguise Flame as a legitimate program built by Microsoft.

Experts described the method as “elegant” and they believed it had likely been used to deliver other cyber weapons yet to be identified.

“It would be logical to assume that they would have used it somewhere else at the same time,” Mikko Hypponen, chief research officer for security software maker F-Secure, said.

If other types of cyber weapons were indeed delivered to victim PCs using the same approach as Flame, then they will likely be exposed very quickly now that Microsoft has identified the problem, said Adam Meyers, director of intelligence for security firm CrowdStrike.

Cyber weapons that bear the fake Microsoft code will either stop working or lose some of their camouflage, said Ryan Smith, chief research scientist with security firm Accuvant.

A spokeswoman for Microsoft declined to comment on whether other viruses had exploited the same flaw in Windows or if the company’s security team was looking for similar bugs in the operating system.

News of the Flame virus, which surfaced a week ago, generated headlines around the world as researchers said that technical evidence suggests it was built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010. Researchers are still gathering information about the virus.

Microsoft’s warning is available at http://blogs.technet.com/b/msrc/