More malware targeting Iran could yet be discovered

Image caption: The sophistication of Flame helped it avoid detection by security software

Fresh analysis of the malware Flame suggests it could be part of a much wider "family".

Flame is believed to have targeted sensitive data in Iran. It has already been linked to Stuxnet, which was aimed at Iran's nuclear infrastructure.

Analysis of the server controlling the malware suggests three similar pieces of code are as yet undiscovered.

The study also suggests Flame dates back to 2006, much earlier than previously thought.

Discovered in May, Flame has already been linked to Stuxnet, a worm that attacked Iran's nuclear infrastructure, and Duqu, a data-stealing worm that also infected some of Iran's computer systems.

The new report is a joint study from security firms Symantec, Kaspersky, the Crypto Labs in Budapest and the UN's International Telecommunications Union.

They were given access to the command and control servers of Flame.

Spelling mistake

The study revealed the servers were using four communications protocols, only one of which was being used by Flame.

"I can't imagine that the other three were not being used. The conclusion seems to be that there is something else out there," said Prof Alan Woodward, a visiting professor at the University of Surrey's department of computing.

Flame has been described as one of the most complex computer threats ever discovered, but the study suggests attempts to destroy all evidence of it went wrong because of a spelling mistake.

"One might imagine that this type of code had a 'kill' button but in fact they had to program it," said Prof Woodward.

"Those behind it did try and destroy it. They may have known that they were about to be rumbled, but they failed at the last minute by mistyping the name of the file," he added.

Many believe the complexity of Flame and the other pieces of related malware points to state-sponsorship, but Prof Woodward said the latest analysis showed little involvement from intelligence agents.

"They don't start from the perspective of what can I look for. It appears to be written by computer analysts not intelligence analysts," he said.