World's most complex malware discovered - after two years in the wild

Posted by Emma Woollacott

Researchers have found what they describe as the most sophisticated malware ever discovered, running rampant in the Middle East.

First revealed by Kaspersky Lab, Flame is many times larger than Stuxnet and appears to have been aimed primarily at Iran's oil ministry and its main oil export terminal.

However, there have been victims elsewhere: the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics says it has found evidence that the virus, which it calls Skywiper, has infected machines in Hungary.

Israel is suspected of being responsible, a suspicion strengthened by comments from the country's vice premier, Moshe Yaalon.

"Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," he told Army Radio yesterday.

"Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us."

Flame is a backdoor Trojan with worm-like features that allow it, on command, to spread across a local network and onto removable media. Once a machine is infected, it starts sniffing network traffic, taking screenshots, intercepting keystrokes and even recording audio conversations.

It's a large package of modules, totalling almost 20 MB when fully deployed.

What's most astonishing is that Kaspersky believes that the Worm.Win32.Flame virus has been out there undetected for over two years.

"Based on collateral data, we can be sure that Flame was out in the wild as early as in February to March 2010," says Kaspersky's head of global research and analysis Alexander Gostev.

"It's possible that before then there existed an earlier version, but we don't have data to confirm this; however, the likelihood is extremely high."

One reason it wasn't discovered sooner, researchers say, is its sheer size: at 20 times that of Stuxnet, it simply didn't match existing profiles of what malware looks like.