The ongoing investigation into the Flame malware has traced the development of the Flame platform back in 2006.
According to research by Kaspersky Lab, Symantec, CERT-Bund/BSI and the International Telecommunication Union’s Impact Alliance, the development of Flame’s command and control (C&C) platform began as early as December 2006. This is much earlier than researchers initially thought; the first reports placed Flame’s development in 2010. Later, it was discovered that some domains used by Flame were registered in 2008. An analysis of the malware’s C&C servers however revealed that developers had left internal timestamps and their nicknames in scripts.
“From this, we can conclude that the first C&C files were created on 03 December 2006, which means that the Flame platform is much older than we originally estimated,” according to Kaspersky Lab. “There were four people responsible for this C&C development. It is obvious to us that one of them…was more experienced than the others. He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms.”
The analysis also revealed unidentified pieces of malware that were being managed by the servers as well.
“Command-and-control happens through a Web application called Newsforyou,” according to Symantec’s Security Response team. “The application processes the W32.Flamer client interactions and provides a simple control panel. The control panel allows the attackers to upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data. This application does not appear to be exclusively used by Flamer. It contains functionality that allows it to communicate with computers compromised with multiple malware identifiers using different protocols.”
Several threats supported by this framework are still unknown, Symantec said, speculating that they are most likely unknown variants of Flame or totally distinct malware. There is no sign the Flame servers were used to control Stuxnet or Gauss.
“The servers were set up to record minimal amounts of information in case of discovery,” according to Symantec. “The systems were configured to disable any unnecessary logging events and entries in the database were deleted at regular intervals. Existing log files were securely deleted from the server on a regular basis. These steps were taken in order to hamper any investigation should the server be acquired by third parties.”
Flame, which has been called a cyber-espionage tool by researchers, was discovered in May during an investigation initiated by the International Communciation Union. Since then, reports have surfaced linking it to the infamous Stuxnet malware uncovered in 2010.
“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers,” Alexander Gostve, chief security expert at Kaspersky Lab, said in a statement. “Flame’s creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data that one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale.”