Earlier this year, the Iranian nuclear program was attacked by a powerful and targeted form of cyber weaponry known as the Stuxnet Trojan. Then in May, a cyber-surveillance tool called Flame was uncovered and was later called “the most sophisticated cyber weapon yet unleashed” by researchers at Kaspersky Labs. It was later discovered that US military and intelligence agencies – including the CIA and NSA – had worked together with the Israeli military to craft this malicious software in an attempt to impede Iran’s nuclear plans.
Today, Reuters reports that researchers have discovered three more computer viruses in the wild which were developed by the US military possibly for purposes of espionage and cyber warfare.
These new findings are another indication that the US government plans to continue its pursuit of cyber warfare as an extension of national security, particularly where matters in the Middle East are concerned.
Researchers from both Symantec Corp and Kaspersky Labs have say that they’ve found evidence indicating that those behind the Flame project have also collaborated on at least three other pieces of malware which, though identified, have not yet been classified.
These researchers found this information as the result of intensive forensic investigation of the control servers used in Flame. These servers were hidden to appear as publishing platforms for a service called “Newsforyou.” Later, the servers were programmed to erase any digital footprint that it may have left behind, making tracing this tool extremely difficult.
According to the Kaspersky Labs blog post, the creators of this malware designed the UI to look as bland and boring as possible, so as to make it appear “generic and unpretentious.”
“The C&C developers didn’t use professional terms such as bot, botnet, infection, malware-command or anything related in their control panel,” writes GReAT, a Kaspersky Lab expert on the SecureList blog. “Instead they used common words like data, upload, download, client, news, blog, ads, backup etc. We believe this was deliberately done to deceive hosting company sys-admins who might run unexpected checks.”
According to the research, the Newsforyou servers were used to deliver 4 different types of malware: Flame as well as three programs labeled SP, SPE and IP. Neither Kaspersky nor Symantec has been able to find samples of either of the three other cases of malware.
In fact, the two firms seem to disagree on what these three pieces of malware could be. Kaspersky believes SP, SPE and IP are espionage tools that are totally separate of Flame. Symantec, on the other hand, isn’t yet sure if these are completely separate pieces of software or simply variations on Flame.
“We know that it is definitely out there. We just can’t figure out a way to actually get our hands on it. We are trying,” said Vikram Thakur, a researcher for Symantec, in an interview with Reuters.
The researchers were able to discover this new malware when about a dozen infected computers from Iran and Lebanon attempted to contact one of the command and control servers being watched by Kaspersky Labs.
Though one of the computers uploaded a large file of data to the servers, the team at Kaspersky was unable to access it as it is locked down behind a password that appears to be virtually uncrackable.