Most devious malware yet: Meet 'Flame,' The Massive Spy Malware (amazing story)

Map showing the number and geographical location of Flame infections detected by Kaspersky Lab on customer machines. Courtesy of Kaspersky

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based antivirus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size — the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame differs from Stuxnet in both purpose and composition, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”

Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the Lua programming language — an uncommon choice for malware.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”

“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.

Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.

“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time period when Stuxnet and DuQu are believed to have been created.

Gostev says that because of its size and complexity, complete analysis of the code may take years.

“It took us half a year to analyze Stuxnet,” he said. “This is 20 times more complicated. It will take us 10 years to fully understand everything.”

Kaspersky discovered the malware about two weeks ago after the United Nations’ International Telecommunication Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems. The malware was named alternatively in news articles as “Wiper” and “Viper,” a discrepancy that may be due to a translation mixup.

Kaspersky researchers searched through their reporting archive, which contains suspicious filenames sent automatically from customer machines so the names can be checked against lists of known malware, and found an MD5 hash and filename that appeared to have been deployed only on machines in Iran and other Middle East countries. As the researchers dug further, they found other components infecting machines in the region, which they pieced together as parts of Flame.

Kaspersky, however, is currently treating Flame as if it is not connected to Wiper/Viper, and believes it is a separate infection entirely. The researchers dubbed the toolkit “Flame” after the name of a module inside it.

Flame is named after one of the main modules inside the toolkit. Courtesy of Kaspersky

Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.

Flame does contain a module named Viper, adding more confusion to the Wiper/Viper issue, but this component is used to transfer stolen data from infected machines to command-and-control servers. News reports out of Iran indicated the Wiper/Viper program that infected the oil ministry was designed to delete large swaths of data from infected systems.

Kaspersky’s researchers examined a system that was destroyed by Wiper/Viper and found no traces of that malware on it, preventing them from comparing it to the Flame files. The disk destroyed by Wiper/Viper was filled primarily with random trash, and almost nothing could be recovered from it, Gostev said. “We did not see any sign of Flame on that disk.”

Because Flame is so big, it gets loaded to a system in pieces. The machine first gets hit with a 6-megabyte component, which contains about half a dozen other compressed modules inside. The main component extracts, decompresses and decrypts these modules and writes them to various locations on disk. The number of modules in an infection depends on what the attackers want to do on a particular machine.

Once the modules are unpacked and loaded, the malware connects to one of about 80 command-and-control domains to deliver information about the infected machine to the attackers and await further instruction from them. The malware contains a hardcoded list of about five domains, but also has an updatable list, to which the attackers can add new domains if the original ones have been taken down or abandoned.

While the malware awaits further instruction, the various modules in it might take screenshots and sniff the network. The screenshot module grabs desktop images every 15 seconds when a high-value communication application is being used, such as instant messaging or Outlook, and once every 60 seconds when other applications are being used.

Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and DuQu, it does share a few interesting things with Stuxnet.

Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009. It is widely believed to have been designed to sabotage centrifuges used in Iran’s uranium enrichment program. DuQu was an espionage tool discovered on machines in Iran, Sudan, and elsewhere in 2011 that was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, using identical parts and using similar techniques.

But Flame doesn’t resemble either of these in framework, design or functionality.

Researchers aren't certain how Flame infects its initial target before spreading to other machines, but this graph suggests possible infection vectors. Courtesy of Kaspersky

Stuxnet and DuQu were made of compact and efficient code that was pared down to its essentials. Flame is 20 megabytes in size, compared to Stuxnet’s 500 kilobytes, and contains a lot of components that are not used by the code by default, but appear to be there to provide the attackers with options to turn on post-installation.

“It was obvious DuQu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities,” Gostev said. “Everything is completely different, with the exception of two specific things.”

One of these is an interesting export function in both Stuxnet and Flame, which may turn out to link the two pieces of malware upon further analysis, Gostev said. The export function allows the malware to be executed on the system.

Also, like Stuxnet, Flame has the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also uses the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. This suggests that the authors of Flame may have had access to the same menu of exploits that the creators of Stuxnet used.

Unlike Stuxnet, however, Flame does not replicate automatically. The spreading mechanisms are turned off by default and must be switched on by the attackers before the malware will spread. Once it infects a USB stick inserted into an infected machine, the USB exploit is disabled immediately.

This is likely intended to control the spread of the malware and lessen the likelihood that it will be detected. This may be the attackers’ response to the out-of-control spreading that occurred with Stuxnet and accelerated the discovery of that malware.

It’s possible the exploits were enabled in early versions of the malware to allow the malware to spread automatically, but were then disabled after Stuxnet went public in July 2010 and after the .lnk and print spooler vulnerabilities were patched. Flame was launched prior to Stuxnet’s discovery, and Microsoft patched the .lnk and print spooler vulnerabilities in August and September 2010. Any malware attempting to use the vulnerabilities now would be detected if the infected machines were running updated versions of antivirus programs. Flame, in fact, checks for the presence of updated versions of these programs on a machine and, based on what it finds, determines whether the environment is conducive to using the exploits to spread.

The researchers say they don’t know yet how an initial infection of Flame occurs on a machine before it starts spreading. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.

The earliest sign of Flame that Kaspersky found on customer systems is a filename belonging to Flame that popped up on a customer’s machine in Lebanon on Aug. 23, 2010. An internet search on the file’s name showed that security firm Webroot had reported the same filename appearing on a computer in Iran on Mar. 1, 2010. But online searches for the names of other unique files found in Flame show that it may have been in the wild even earlier than this. At least one component of Flame appears to have popped up on machines in Europe on Dec. 5, 2007 and in Dubai on Apr. 28, 2008.

Kaspersky estimates that Flame has infected about 1,000 machines. The researchers arrived at this figure by calculating the number of its own customers who have been infected and extrapolating that to estimate the number of infected machines belonging to customers of other antivirus firms.

All of the infections of Kaspersky customers appear to have been targeted and show no indication that a specific industry, such as the energy industry, or specific systems, such as industrial control systems, were singled out. Instead, the researchers believe Flame was designed to be an all-purpose tool that so far has infected a wide variety of victims. Among those hit have been individuals, private companies, educational institutions and government-run organizations.

Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran and Lebanon. It has received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.

Researchers say the compilation dates of the modules in Flame appear to have been manipulated by the attackers, perhaps in an attempt to prevent researchers from determining when they were created.

“Whoever created it was careful to mess up the compilation dates in every single module,” Gostev said. “The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010.”
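One concrete check a defender can derive from this: read each module’s COFF build timestamp out of its PE header and flag values that fall outside a plausible window (far too old, zeroed, or in the future). This is an added example, not code from the report or from Kaspersky; the PE images, module names and the plausibility window are all constructed here as assumptions.

```python
import struct
from datetime import datetime, timezone

# Assumed plausibility window (this example's own choice, not from the report):
# no legitimate module in a toolkit using 2010-era code should predate 2000,
# and nothing can be built in the future.
EARLIEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)


def coff_timestamp(pe_bytes: bytes) -> int:
    """Return the TimeDateStamp field from the COFF file header of a PE image."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)
    return stamp


def assess_timestamp(stamp: int, now: datetime) -> str:
    """Classify a build timestamp; anything but 'plausible' deserves a closer look."""
    if stamp == 0:
        return "zeroed"
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if built < EARLIEST_PLAUSIBLE:
        return "implausibly_old"
    if built > now:
        return "in_future"
    return "plausible"


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed sample: DOS header, PE signature and a COFF header, nothing else."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, the timestamp under test, no symbols,
    # no optional header, Characteristics = executable DLL.
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x2102)
    return dos_header + b"PE\0\0" + coff_header


def scan_modules(modules: dict, now: datetime) -> dict:
    """Map each module name to the verdict on its build timestamp."""
    return {name: assess_timestamp(coff_timestamp(data), now)
            for name, data in modules.items()}


def demo_verdicts() -> dict:
    """Run the check over constructed samples mimicking the mismatch described above."""
    now = datetime(2012, 5, 28, tzinfo=timezone.utc)  # assumed reference date
    stamp_1994 = int(datetime(1994, 6, 1, tzinfo=timezone.utc).timestamp())
    stamp_2010 = int(datetime(2010, 3, 1, tzinfo=timezone.utc).timestamp())
    stamp_2015 = int(datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp())
    samples = {  # constructed module names and images, not real Flame components
        "module_a.ocx": build_minimal_pe(stamp_1994),  # "compiled" in 1994
        "module_b.ocx": build_minimal_pe(stamp_2010),
        "module_c.ocx": build_minimal_pe(stamp_2015),  # postdates the analysis
        "module_d.ocx": build_minimal_pe(0),
    }
    return scan_modules(samples, now)


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name}: {verdict}")
```

A timestamp verdict alone proves nothing; it is a triage signal to be weighed alongside the linker version, imported APIs and other artifacts of the module.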

The malware has no kill date, though the operators have the ability to send a kill module to it if needed. The kill module, named browse32, searches for every trace of the malware on the system, including stored files full of screenshots and data stolen by the malware, and eliminates them, picking up any breadcrumbs that might be left behind.

“When the kill module is activated, there’s nothing left whatsoever,” Gostev said.

UPDATE 9 a.m. PDT: Iran’s Computer Emergency Response Team announced on Monday that it had developed a detector to uncover what it calls the “Flamer” malware on infected machines and delivered it to select organizations at the beginning of May. It has also developed a removal tool for the malware. Kaspersky believes the “Flamer” malware is the same as the Flame malware its researchers analyzed.

A Picture Book Without Pictures: “Photographs Not Taken” Considers the Untaken Photo

They have the power to steal your breath, provoke tears. They might overwhelm and inspire you, bring you to your knees, even.

But they won’t. These moments passed into oblivion, unfixed by the camera — snapshots that went unsnapped. Now, they’re in a book: a photography book without pictures.

The collection, “Photographs Not Taken,” edited by Will Steacy, features the testimonies of 60 photographers who recount the moments that slipped from their photographic grip, either because they couldn’t take the picture, or wouldn’t.

The notion of photographer as globe-trotting adventurer, at the scene of historic events recording every important moment, is reassessed in this collection. If anything, these photographers lament that their task prevents them from fully engaging with the present. As Lyle Rexer wrote in his introduction, it’s a dilemma of to be or to shoot.

For some, to take a photograph is to remove oneself from the moment. Jim Goldberg recalls using the camera as a mask, something to hide behind while his wife was in labor. At the moment of his daughter’s birth, however, he tossed it aside. “When Ruby’s head crowned,” he wrote, “there was no way in hell I would use a camera and miss those incredible moments.”

For Elinor Carucci, becoming a mother meant declaring war on the photographer in her. “I had to choose between photographing and mothering,” she said. “And when I did choose photography, every photograph became a second of guilt” — a second she didn’t spend fully immersed as a mother.

“Even if it was just for 1/125th of a second, I wasn’t available in that 1/125th of a second.”

For others, the untaken picture is a moment that they couldn’t bring themselves to steal. Erika Larsen wrote of working on a project about the family of a girl, Julie, who committed suicide at age 17. Going into Julie’s room with the girl’s father, Ms. Larsen had a heart-wrenching shot in front of her, but she hesitated. “I could see the image, but I could only hear his sobs and feel my own falling down my face,” she wrote. “I held my 4×5 at my chest, ready to shoot, but not able to. I put down the camera; the moment was his.”

It’s an interesting collection, as these photographers reveal quarrels with the ethics or morality of taking a picture. Tim Hetherington examined the differing gut reactions that stirred him after taking a graphic photo of a dead Liberian rebel and a dead American soldier in Afghanistan. One photo was important to include in a book, but the other gave him pause.

“My hesitation troubled me,” he wrote. “Was I sensitive this time because the soldier wasn’t a nameless African? Perhaps I had changed and realized that there should be limits on what is released into the public? I certainly wouldn’t have been in that questioning position if I’d never taken the photograph in the first place, but I did.”

It’s not all heady internal debates or moral decisions not to shoot; occasionally, the moment simply slips away. The collection is a reminder of the limits of photography as a document of experience. “Sometimes, you just get an instinct when to put the camera down and be fully present,” Nadav Kander writes.

Sometimes, experience is all you’re going to get out of that moment.


What Happens When Toddlers Zone Out With an iPad

By BEN WORTHEN

More than half of the young children in the U.S. now have access to an iPad, iPhone or similar touch-screen device. For parents, their children's love of these devices raises a lot of questions.

Kids for years have sat too close to the television for too long or played hours of Madden on family room game players. But pediatric neuroscientists and researchers who have studied the effects of screen-time on children suggest the iPad is a different beast.


A young child will look away from a TV screen 150 times an hour, says Daniel Anderson, a professor emeritus of psychology at the University of Massachusetts. His studies over the past 30 years also showed children have trouble knowing where on a TV screen to look.

A well-designed iPad app is more engaging because often the place on the screen that a child touches is the same as where the action happens.

Many researchers hope this will help children learn. One study using an iPod Touch and sponsored by the Joan Ganz Cooney Center at Sesame Workshop found children 4 to 7 years old improved on a vocabulary test after using an educational app called "Martha Speaks." The 13 5-year-olds tested averaged a 27% gain. A study using a different educational app had a similar result, with 3-year-olds exhibiting a 17% gain.

Darcy Padilla for The Wall Street Journal.

Julia Campins's son, age 2, uses his iPad in their San Francisco home.

In many ways, the average toddler using an iPad is a guinea pig. While the iPad went on sale two years ago, rigorous, scientific studies of how such a device affects the development of young children typically take three to five years.

There is "little research on the impact of technology like this on kids," says Dimitri Christakis, director of the Center for Child Health, Behavior and Development at Seattle Children's Hospital.

The iPad and similar devices allow children to interact with technology at a younger age than ever before. Tiny fingers not yet old enough to manipulate a mouse or operate a videogame console can navigate a tablet touch screen.

"Unfortunately a lot of the real-life experimentation is going to be done by parents who now have young kids," says Glenda Revelle, associate professor of human development and family sciences at the University of Arkansas.

Darcy Padilla for The Wall Street Journal.

He plays with a music and animal iPad app. The family rule: If he whines, the iPad, which his grandfather gave him, is taken away.

Some parents readily share a tablet with their children, citing the many apps marketed as educational tools. Some do not. Still other families turn to it as a tool of last resort to entertain and appease children on plane and car trips.

In the list of parental worries about tablet use: that it will make kids more sedentary and less sociable. There's also the mystery of just what is happening in a child's brain while using the device.

The brain develops quickest during the first few years of a child's life. At birth, the human brain has formed about 2,500 synapses—the connections that allow the brain to pass along signals—per brain cell. That number grows to about 15,000 per brain cell by age 3. In later years, the number decreases.

The more television children watch during these formative years, Dr. Christakis says, the more likely they are to develop attention problems later on. The study was based on observation, not lab research, he says. Other studies haven't found a correlation. While he hasn't studied tablets and young children, he suspects the effect could be similar—or perhaps more significant. "One of the strengths of the iPad"—it is interactive—"may be the weakness," Dr. Christakis says.

Thirty-nine percent of children ages 2 to 4 and 52% of kids ages 5 to 8 have used an iPad, iPhone or similar touch-screen device to play games, watch videos or use other apps, according to a survey last year by Common Sense Media, a San Francisco-based nonprofit group. Apple has sold more than 65 million iPads, and analysts predict that consumers will buy about 120 million tablets from Apple and other manufacturers this year.

Julia Campins's 2-year-old son received an iPad in December from his grandfather. Mostly he uses it for Dr. Seuss books in which the app reads the story, and games about animals.

Ms. Campins, who lives in San Francisco, says it keeps her son calm and entertained on flights. At home, Ms. Campins, a 31-year-old lawyer, and her husband, Nick Campins, only give him the iPad when they need to get things done around the house.

The family rule: If her son whines, the iPad goes away. "When we feel ourselves using it too much, or whenever he starts whining for it, we take that as a sign and cut back."

I first let my son use a borrowed iPad on a cross-country flight when he was 2½ years old. He had cried for four straight hours on a previous trip, and I hoped the iPad would keep him entertained. He understood how to use it instantly and for five hours played kids' games, used a drawing app and watched episodes of "Curious George."

About a year later, my wife and I bought an iPad, loaded it with word and puzzle games and let our son use it on a more regular basis. His knowledge of words seemed to pick up immediately. We also noticed things that worried us. He would go into a trance-like state when he used the iPad. He wouldn't respond when we called his name.

"He's concentrating," says Sandra Calvert, a professor at Georgetown University. It's physiologically the same thing he does while deeply immersed in, say, Legos. Psychologists call it "flow experience."

There is a subtle difference: The child decides when a building is finished; an app determines when the task is completed correctly. Researchers say it's unclear whether this difference has any impact on a child.

Soon, getting our son to put down the iPad became a nightly battle. "It gives him a dopamine squirt," says Michael Rich, director of the Center on Media and Child Health at Children's Hospital in Boston, referring to the brain chemical often associated with pleasure.

Many apps for kids are designed to stimulate dopamine releases—hence encouraging a child to keep playing—by offering rewards or exciting visuals at unpredictable times.

My wife and I stopped letting our son use the iPad. Now he rarely asks for it. He is 4 and his friends aren't talking about cool iPad games, so he doesn't feel he's missing out.

The experts interviewed were mixed on whether we did the right thing. About half say they would have taken away the iPad if their kid exhibited similar behavior—asking for it constantly, whining. The rest say we overreacted.


A version of this article appeared May 22, 2012, on page D1 in the U.S. edition of The Wall Street Journal, with the headline: What Happens When Toddlers Zone Out With an iPad.

U.S. Airlines Collected $3.36 Billion in Baggage Fees in 2011

Baerbel Schmidt / Getty Images

Airline passengers in the U.S. collectively paid $3.36 billion in fees for carry-on and checked bags last year. The figure actually represents a decrease from 2010, when we dropped $3.4 billion on baggage fees. Chances are, you paid more out of pocket to fly last year anyway.

Upon the release of the latest numbers from the Bureau of Transportation Statistics, the Associated Press reports that “U.S. airlines’ revenue from bag fees fell last year for the first time since they started collecting them.” U.S. airlines collected $792 million in baggage fees in the fourth quarter of 2011, bringing the yearlong total to $3.6 billion.

In 2010, domestic carriers raked in $3.4 billion in baggage fees, the all-time high, up from $2.7 billion in 2009, and just $1.15 billion in 2008, the year that baggage fees more or less became standard.


The assumption has been that baggage fee revenues would increase for, well, forever, so even as $3.36 billion is an astronomical figure, it’s being welcomed as a sign that fees are being reined in—or at least that travelers are getting smarter about bypassing them. In either case: Hooray!

But while baggage revenues are down a smidge, many travelers are well aware that airlines are increasingly likely to be charging for a lot more than luggage lately. The AP notes:

Bag fees and reservation change fees are the only ancillary fees paid by passengers that are reported to BTS as separate items. Other fees, such as revenue from seat assignments and on-board sales of food, drinks, pillows, blankets and entertainment are not identified separately.

Spirit Airlines, which was the first domestic carrier to start charging for carry-ons, has been at the forefront of hiking all sorts of “ancillary fees.” At last check, the average passenger was handing over an extra $103.36 per round trip above and beyond the cost of airfare to the carrier.


Apparently, many airlines have been following Spirit’s lead. In the third quarter of 2011, for instance, the industry collected $2.38 billion overall in ancillary fees—baggage, as well as reservation changes, food and beverages, standby fees, seat assignment charges, and more. That’s 10.7% more than the total from the third quarter of 2010 ($2.15 billion).

The price of airfare has risen alongside increased fees. Flight prices in the fourth quarter of 2011 were 10% higher than the same period in the previous year. This spring, it’s been more of the same, with fare hikes on international and domestic flights alike.


So while we may have paid slightly less in baggage fees in 2011, the extra we had to fork over in airfares and other fees was likely to more than make up the difference.

Brad Tuttle is a reporter at TIME.