For one, it isn't targeted; it has been found in several countries. Two, it isn't sneaky; it's massive for a virus, the code is unobfuscated, and so forth, as described in the article I linked.
My guess would be its origin was as a fun project for a kiddy hacker*. The suspected means of distribution, phishing emails or infected websites, fully explains its geographical distribution: all of the known computers infected with the virus are in countries in which Arabic is a commonly spoken language.
*In this case, kiddy hacker doesn't necessarily mean young, but merely someone unaffiliated with official government cyberwarfare units and whose motivation is just for kicks.
And yet, Kaspersky said that they think only four nations even had or have the capability to develop this. The PDF analysis of it from the Budapest University of Technology and Economics says (what they call "sKyWIper" is the same as the Flame virus):
The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.
sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.
And yet, it isn't obfuscated. It has characteristics that point heavily to government involvement, and it has characteristics that would make no sense as a government project.
From an AP article:
“The benefit they get out of this size of file is that it looks normal,” says Mikko Hyppönen, chief research officer with security specialists F-Secure. “Flame looks like your average application, not the encrypted, hidden malware we’re used to seeing. It’s big, it has libraries and it’s hiding in plain sight. It might seem odd, but it worked, it went undetected for years. You can’t argue with that.”
I'll post more, but I'm inclined to believe Kaspersky.
---
Edit: And here's that "more":
"Iran: 'Flame' virus fight began with oil attack"
The Russian Internet security firm Kaspersky Lab ZAO said the Flame virus has struck Iran the hardest, but has been detected in the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
It also has been found in Israel — leading some Israeli security officials to suggest the virus could be traced to the U.S. or other Western nations.
"Flame: Trying to Unravel the Mystery of 'Sophisticated' Spying Malware"
It's able to look for specific data types. It's able to look for new systems that are vulnerable within organizations' networks. It's able to exfiltrate that data in a number of different ways. And, again, it's fairly large, so that's a little bit unusual. It's pretty big for one of these very sophisticated pieces of malware these days.
But, again, it looks to have a lot of capabilities.
"Iran admits Flame caused substantial damage"
The virus also damaged centrifuges operating at its uranium enrichment facility at Natanz as reports said that even computers of high-ranking officials had been penetrated.
"Flame a glimpse into the Bermuda triangle of malware"
“The fact is that penetration testers have been using tools that heavily leverage the Lua programming language for the last couple of years,” says Carey.
Examples include network scanner, Nmap, the Wireshark packet analyser, and the Snort intrusion detection system.
I encourage you to find other articles as well; most of these were published in the past couple hours. It's not like there's a dearth of opinions on it, but they all tend to make me think it was a country, or at the behest of a country.