SecurityWeek

Cyberwarfare

Flame Analysis Uncovers Unknown Malware, Traces Espionage Tool Back to 2006

Flame Cyber Espionage Tool

The ongoing investigation into the Flame malware has traced the development of the Flame platform back to 2006.


According to research by Kaspersky Lab, Symantec, CERT-Bund/BSI and the International Telecommunication Union’s Impact Alliance, the development of Flame’s command and control (C&C) platform began as early as December 2006. This is much earlier than researchers initially thought: the first reports placed Flame’s development in 2010, and it was later discovered that some domains used by Flame were registered in 2008. An analysis of the malware’s C&C servers, however, revealed that the developers had left internal timestamps and their nicknames in scripts.

“From this, we can conclude that the first C&C files were created on 03 December 2006, which means that the Flame platform is much older than we originally estimated,” according to Kaspersky Lab. “There were four people responsible for this C&C development. It is obvious to us that one of them…was more experienced than the others. He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms.”

The analysis also revealed unidentified pieces of malware that were being managed by the servers as well.

“Command-and-control happens through a Web application called Newsforyou,” according to Symantec’s Security Response team. “The application processes the W32.Flamer client interactions and provides a simple control panel. The control panel allows the attackers to upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data. This application does not appear to be exclusively used by Flamer. It contains functionality that allows it to communicate with computers compromised with multiple malware identifiers using different protocols.”

Several threats supported by this framework are still unknown, Symantec said, speculating that they are most likely unknown variants of Flame or totally distinct malware. There is no sign the Flame servers were used to control Stuxnet or Gauss.

“The servers were set up to record minimal amounts of information in case of discovery,” according to Symantec. “The systems were configured to disable any unnecessary logging events and entries in the database were deleted at regular intervals. Existing log files were securely deleted from the server on a regular basis. These steps were taken in order to hamper any investigation should the server be acquired by third parties.”

Flame, which has been called a cyber-espionage tool by researchers, was discovered in May during an investigation initiated by the International Telecommunication Union. Since then, reports have surfaced linking it to the infamous Stuxnet malware uncovered in 2010.

“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers,” Alexander Gostev, chief security expert at Kaspersky Lab, said in a statement. “Flame’s creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data than one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale.”
