Researchers Find Clues in Malware

Published: Thursday, 31 May 2012 | 4:24 AM ET
By: Nicole Perlroth|The New York Times

Security experts have only begun examining the thousands of lines of code that make up Flame, an extensive, data-mining computer virus that has been designed to steal information from computers across the Middle East, but already digital clues point to its creators and capabilities.

Researchers at Kaspersky Lab, which first reported the virus Monday, believe Flame was written by a different group of programmers from those who had created other malware directed at computers in the Middle East, particularly those in Iran. But Flame appears to be part of the state-sponsored campaign that spied on and eventually set back Iran’s nuclear program in 2010, when a digital attack destroyed roughly a fifth of Iran’s nuclear centrifuges.

“We believe Flame was written by a different team of programmers but commissioned by the same larger entity,” Roel Schouwenberg, a security researcher at Kaspersky Lab, said in an interview Wednesday. But he would not say which governments he was speaking of.

Flame, these researchers say, shares several notable features with two other major programs that targeted Iran in recent years. The first virus, Duqu, was a reconnaissance tool that researchers say was used to copy blueprints of Iran’s nuclear program. The second, Stuxnet, was designed to attack industrial control systems and specifically calibrated to spin Iranian centrifuges out of control.

Because Stuxnet and Duqu were written on the same platform and share many of the same fingerprints in their source code, researchers believe both were developed by the same group of programmers. Those developers have never been identified, but researchers have cited intriguing bits of digital evidence that point to a joint American-Israeli effort to undermine Iran’s efforts to build a nuclear bomb.

For example, researchers at Kaspersky Lab tracked the working hours of Duqu’s operators and found they coincided with Jerusalem local time. They also noted that Duqu’s programmers were not active between sundown on Fridays and sundown on Saturdays, a time that coincides with the Sabbath when observant Jews typically refrain from secular work.

Intelligence and military experts have said that Stuxnet was first tested at Dimona, an Israeli complex widely believed to be the headquarters of Israel’s atomic weapons program.

According to researchers at Kaspersky Lab, which is based in Moscow, Flame may have preceded or been designed at the same time as Duqu and Stuxnet. Security researchers at Webroot, an antivirus maker, first encountered a sample of Flame malware in December 2007. Researchers believe Duqu may have been created in August 2007. The first variant of Stuxnet did not appear on computers until June 2009.

Like Duqu, Flame is a reconnaissance tool. It can grab images of users’ computer screens, record e-mails and instant-messaging chats, turn on microphones remotely, and monitor keystrokes and network traffic. Even if an infected device is not connected to the Internet, Flame is capable of spreading to other devices by looking for Bluetooth-enabled devices nearby or Internet-connected devices in a local network, according to researchers at Kaspersky Lab.

Flame also shares a quirkier trait with Duqu: an affection for American movie characters. Flame’s command for communicating with Bluetooth-enabled devices is “Beetlejuice.” An e-mail that infected an unnamed company with Duqu last year was sent by a “Mr. Jason B.” — which researchers believe is a reference to Jason Bourne of the Robert Ludlum spy tales.

It will take more time for computer security researchers around the world to discover more. Flame contains 20 times more code than Stuxnet and is much more widespread than Duqu. Researchers at Kaspersky Lab said they have detected Flame on hundreds of computers and predict that the total number of infections could be more than a thousand.

Unlike Duqu and Stuxnet, security researchers say, Flame is remarkable in that it has been able to evade discovery for five years — which was impressive given its size. Most malware is a couple hundred kilobytes in size. Flame is 20 megabytes. “It was hiding in plain sight,” said Mr. Schouwenberg. “It was designed in such a way that it was nearly impossible to track down.”

Researchers noted that Flame spreads through more conservative means. Researchers say that while Stuxnet had the ability to replicate autonomously, Flame can spread from machine to machine only when prompted by the attacker.

Iran confirmed Tuesday that computers belonging to several high-ranking officials appear to have been penetrated by Flame.

Researchers are still trying to figure out whether the virus has Stuxnet-like sabotage capabilities.

Already, some evidence suggests Flame may be capable of wiping out a computer’s hard drive. Researchers at Symantec, an American security firm that has also studied the virus, said Flame references a specific file previously associated with a separate virus, called Wiper, which Iranian officials said had erased data on hard drives inside its oil ministry last month. Researchers are trying to learn whether Wiper was not a virus but one of Flame’s command modules.

“This is the third such virus we’ve seen in the past three years,” Vikram Thakur, a Symantec researcher, said in an interview Tuesday. “It’s larger than all of them. The question we should be asking now is: How many more such campaigns are going on that we don’t know about?”
