Flamer: The most complex malware threat since Stuxnet and Duqu

Symantec’s Security Response team is analysing a new, highly sophisticated and discreet threat, W32.Flamer, which is on a par with Stuxnet and Duqu. The analysis so far reveals that the malware was built to obtain information from infected systems, located primarily in the Middle East. As with the previous two threats, this code was not written by a single individual but by an organised, well-funded group of personnel working to directives. The code includes multiple references to the string ‘FLAME’, which may refer to specific attacks carried out by various parts of the code or may be the malware’s development project name.

The threat has operated discreetly for at least two years. It can steal documents, take screenshots of users’ desktops, spread via USB drives, disable security vendor products and, under certain conditions, spread to other systems. It may also be able to leverage multiple known and already patched vulnerabilities in Microsoft Windows in order to spread across a network.

Initial telemetry indicates that the targets of this threat are located primarily in the Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of the targeted individuals are currently unclear; however, initial evidence suggests that the victims were not all targeted for the same reason. Many appear to have been targeted for their personal activities rather than for the company that employs them. Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers used from home Internet connections.

Symantec’s recent Internet Security Threat Report 17 saw the number of targeted attacks rise during 2011, from an average of 77 per day in 2010 to 82 per day in 2011. The report also projected that targeted attacks and APTs will continue to be a serious issue and that the frequency and sophistication of these attacks will increase.

Analysis and investigation into the various components is ongoing and additional more in-depth technical details as well as attack information will be published soon.

More details can be found in the Security Response blog.