LONDON — Iran and other Middle East countries have been hit with a cunning computer virus that can eavesdrop on computer users and their co-workers and filch information from nearby cell phones, cybersecurity experts said Tuesday. Suspicion immediately fell on Israel as the culprit.
The Russian Internet security firm Kaspersky Lab ZAO said the “Flame” virus is unprecedented in size and complexity, with researcher Roel Schouwenberg marveling at its versatility.
“It can be used to spy on everything that a user is doing,” he said.
Computers in Iran appear to have been particularly affected, and Kaspersky’s conclusion that the virus was crafted at the behest of a national government fueled speculation it could be part of an Israeli-backed campaign of electronic sabotage against the Jewish state’s archenemy.
The virus can activate a computer’s audio systems to listen in on Skype calls or office chatter. It can also take screenshots, log keystrokes and, in one of its more novel functions, steal data from Bluetooth-enabled cell phones.
Schouwenberg said there was evidence to suggest that the people behind Flame also helped craft Stuxnet, a virus that is believed to have attacked nuclear centrifuges in Iran in 2010. Many suspect Stuxnet was the work of Israeli intelligence.
Tehran has not said whether it lost any data to Flame, but a unit of the Iranian communications and information technology ministry said it has produced an antivirus capable of identifying and removing Flame from its computers.
Israel’s vice premier did little to deflect suspicion about the country’s possible involvement in the attack.
“Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it,” Moshe Yaalon told Army Radio when asked about Flame. “Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us.”
Researchers not involved in Flame’s discovery were more skeptical of its sophistication than Kaspersky, with Richard Bejtlich of Virginiabased Mandiant saying the virus appeared similar to spyware used by the Germangovernment to monitor criminal suspects.
Colorado-based Webroot said the virus wasn’t as complex or as stealthy as Stuxnet and was “a relatively easy threat to identify.”
Flame is unusually large. Malicious programs collected by the British security firm Sophos averaged about 340 kilobytes in 2010, the same year that Kaspersky believes Flame first started spreading. Flame is 20 megabytes - nearly 60 times that figure.
Alan Woodward, a professor of computing at the University of Surrey in England, said functions can be added or subtracted to the virus depending on what kind of espionage is desired, not unlikethe way apps can be downloaded to a smart phone.
He was particularly struck by Flame’s ability to turn an infected computer into a kind of “industrial vacuum cleaner,” copying data from vulnerable cell phones or other Bluetooth wireless devices left near it.
“I don’t believe I’ve seen it before,” he said.
Udi Mokady, chief executive of Cyber-Ark, an Israeli developer of information security, said he believes four countries, in no particular order, have the know-how to develop so sophisticated a weapon: Israel, the United States, China and Russia.
“It was 20 times more sophisticated than Stuxnet,” with thousands of lines of code that took a large team, ample funding and months, if not years, to develop, he said. “It’s a live program that communicates back to its master. It asks, ‘Where should I go? What should I do now?’ It’s really almost like a science fiction movie.”
It’s not clear exactly what the virus was targeting. Kaspersky said it detected the program in hundreds of computers, mainly in Iran but also in Israel, the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
The company would not give details on the victims except to say that they “range from individuals to certain state-related organizations or educational institutions.”
Schouwenberg said stolen data were being sent to some 80 different servers, something that would give the virus’ controllers time to adjust their tactics if they were discovered.
As for Flame’s purpose, “maybe it’s just espionage,” he said. “Maybe it’s also sabotage.” Information for this article was contributed by Diaa Hadid and Lolita C. Baldor of The Associated Press.
Front Section, Pages 5 on 05/30/2012