Symantec has discovered Regin, one of the most sophisticated pieces of malicious software ever seen.
The leading computer security company says Regin was probably created by a government and has been used for six years against a range of targets around the world.
Once installed on a computer, Regin can do things like capture screenshots, steal passwords or recover deleted files.
Experts say computers in Russia, Saudi Arabia and Ireland have been hit most.
It has been used to spy on government organizations, businesses and private individuals, they say.
Researchers say the sophistication of the software indicates that it is a cyber-espionage tool developed by a nation state.
They also said it likely took months, if not years, to develop and its creators have gone to great lengths to cover its tracks.
Sian John, a security strategist at Symantec, said: “It looks like it comes from a Western organization. It’s the level of skill and expertise, the length of time over which it was developed.”
Symantec has drawn parallels with Stuxnet, a computer worm thought to have been developed by the US and Israel to target Iran’s nuclear program.
That was designed to damage equipment, whereas Regin’s purpose appears to be to collect information.
Flame malware’s makers have sent a “suicide” command that removes it from some infected computers.
Security firm Symantec caught the command using booby-trapped computers set up to watch Flame’s actions.
Flame came to light after the UN’s telecoms body asked for help with identifying a virus found stealing data from many PCs in the Middle East.
New analysis of Flame reveals how sophisticated the program is and gives hints about who created it.
Like many other security firms Symantec has kept an eye on Flame using so-called “honeypot” computers that report what happens when they are infected with a malicious program.
Described as a very sophisticated cyber-attack, Flame targeted countries such as Iran and Israel and sought to steal large amounts of sensitive data.
Flame malware’s makers have sent a "suicide" command that removes it from some infected computers
Earlier this week Symantec noticed that some Flame command and control (C&C) computers sent an urgent command to the infected PCs they were overseeing.
Flame’s creators do not have access to all their C&C computers as security firms have won control of some of them.
The “suicide” command was “designed to completely remove Flame from the compromised computer”, said Symantec.
The command located every Flame file sitting on a PC, removed it and then overwrote memory locations with gibberish to thwart forensic examination.
“It tries to leave no traces of the infection behind,” wrote the firm on its blog.
Analysis of the clean-up routine suggested it was written in early May, said Symantec.
At the same time, analysis of the inner workings of Flame reveal just how sophisticated it is.
According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as “prefix collision attack”. This allowed the virus to fake digital credentials that had helped it to spread.
The exact method of carrying out such an attack was only demonstrated in 2008 and the creators of Flame came up with their own variant.
“The design of this new variant required world-class cryptanalysis,” said cryptoexpert Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam in a statement.
The finding gives support to claims that Flame must have been built by a nation state rather than cybercriminals. It is not clear yet which nation created the program.
