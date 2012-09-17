* Symantec, Kaspersky release reports on Flame surveillance
tool
* Researchers uncover evidence of three new viruses
* New viruses controlled with same software as Flame
By Jim Finkle
BOSTON, Sept 17 Researchers have found evidence
suggesting that the United States may have developed three
previously unknown computer viruses for use in espionage
operations or cyber warfare.
The findings are likely to bolster a growing view that the
U.S. government is using cyber technology more widely than
previously believed to further its interests in the Middle East.
The United States has already been linked to the Stuxnet Trojan
that attacked Iran's nuclear program in 2010 and the
sophisticated Flame cyber surveillance tool that was uncovered
in May.
Anti-virus software makers Symantec Corp of the
United States and Kaspersky Lab of Russia disclosed on Monday
that they have found evidence that Flame's operators may have
also worked with three other viruses that have yet to be
discovered.
The two security firms, which conducted their analyses
separately, declined to comment on who was behind Flame. But
current and former Western national security officials have told
Reuters that the United States played a role in creating Flame.
The Washington Post has reported that Israel was also involved.
Current and former U.S. government sources also told Reuters
that the United States was behind Stuxnet.
Kaspersky and Symantec linked Stuxnet to Flame in June, saying
that part of the Flame program is nearly identical to code found
in a 2009 version of Stuxnet.
For now, the two firms know very little about the newly
identified viruses, except that one of them is currently
deployed in the Middle East. They are not sure what the
malicious software was designed to do. "It could be anything,"
said Costin Raiu, director of Kaspersky Lab's Global Research
and Analysis Team.
NEWSFORYOU
Kaspersky and Symantec released their findings in reports
describing analysis of "command and control" servers used to
communicate with and control computers infected with Flame.
Researchers from both firms said the Flame operation was
managed using a piece of software named "Newsforyou" that was
built by a team of four software developers starting in 2006.
It was designed to look like a common program for managing
content on websites, which was likely done in a bid to disguise
its real purpose from hosting providers or investigators so that
the operation would not be compromised, Kaspersky said in its
report.
Newsforyou handled four types of malicious software: Flame
and programs code-named SP, SPE and IP, according to both firms.
Neither firm has obtained samples of the other three pieces of
malware.
Kaspersky Lab said it believes that SP, SPE and IP were
espionage or sabotage tools separate from Flame. Symantec said
it was not sure if they were simply variations of Flame or
completely different pieces of software.
"We know that it is definitely out there. We just can't
figure out a way to actually get our hands on it. We are
trying," Symantec researcher Vikram Thakur said in an interview.
About a dozen computers in Iran and Lebanon that are
infected with one of the newly identified pieces of malware are
trying to communicate with command and control servers,
according to Kaspersky Lab.
The researchers found a large cache of data on one of the
command and control servers, but cannot analyze it because it is
encrypted using a password that they said would be virtually
impossible to crack.
They believe that it was encrypted so heavily because the
people coordinating the attack did not want the workers using
the Newsforyou program to be able to read potentially sensitive
information.
"This approach to uploading packages and downloading data
fits the profile of military and/or intelligence operations,"
Symantec said in its report.