By checking the data from its worldwide network of malware sensors, Kaspersky Lab has managed to identify current and past Flame infections in the Middle East and Africa, predominantly in countries like Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
However, antivirus vendor Symantec also identified past infections in Hungary, Austria, Russia, Hong Kong and the United Arab Emirates. The company doesn't dismiss the possibility that these infection reports originated from laptops that were temporarily taken abroad by travellers.
It's hard to tell what type of information the Flame authors are after, giving the wide variety of data that the malware can steal and send back to the command and control servers. A decision regarding which of the malware's modules and functionality to use is probably taken by the attackers for each particular target on a case-by-case basis, Kamluk said.
The targeted organizations don't seem to follow an industry-specific pattern, either. The malware has infected computers belonging to government agencies, educational institutions and commercial companies as well as computers owned by private individuals.
As with Duqu and Stuxnet, it's not clear who created Flame. However the malware's complexity and the amount of resources required to build something like it has led security researchers to believe that it was created or sponsored by a nation state.
Kaspersky's researchers didn't find any evidence that could tie the malware to a specific country or even region. However, there is some text written in English inside the code, Kamluk said.
"Examination of the code also leads Symantec to believe the malware was developed by a natively English speaking set of developers," a Symantec spokesman said via email. "No further observations have been made which could assist in locating the origin of the malware."
Researchers from the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics, which played an important role in the discovery and analysis of Duqu, have also released a report on the Flame malware, which they call "sKyWIper."
"The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," the CrySyS researchers said in their report. "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."
Sign up for MIS Asia eNewsletters.