The use of multiple encryption techniques, four different protocols and a systematic deletion of sensitive data has emerged as the latest evidence that the Flame malware is a weapon in a high-stakes game of spy vs. spy.
Images from two command-and-control servers supporting W32.Flamer have been accessed and investigated through a joint industry effort that included representatives from Kaspersky Lab, the ITU’s IMPACT Alliance, CERT-Bund/BSI and Symantec.
The investigators now believe that the command-and-control system to support this highly sophisticated and weaponized software has been in development since December 2006 by a group of at least four different individuals who were highly skilled, well funded and very likely to be working in the service of nation-states pursuing targets in the Middle East.
[Related: How To Guard Against Virus Attacks]
"We don't have any definitive proof of which group it might be," said Kevin Haley, a director at Symantec Security Response. "But the kind of sophistication in the kind of resources, and the fact that this is narrowly targeted tends to indicate that this is being used for espionage, which suggests that there is a nation-state involved."
The investigators further believe that the same C&C servers were also used in malware attacks that did not involve Flame and that multiple encryption techniques were in use. It has also become clear that the group took a very systematic approach to removing information from the servers in the event that their own security might be breached.
"While the authors went to great lengths to remove things from the server on a scheduled basis, we actually found a log file of work done on the machine," explained Haley. "We see entries as far back as 2006, and we see four different names being used."
The names are actually aliases, according to the report. D***, H*****, O******, and R*** apparently worked on the code at various times and under various capacities, going back for the last six years.
One of the servers under scrutiny was set up on March 25, 2012, while the other was set up on May 18, 2012. In each case, the servers began pinging Flame-infected computers only a few hours after being set up. Within a few weeks, they had established control of what is characterized as "a few hundred computers." Symantec reports that the March server collected almost 6 GB of data from compromised computers in approximately one week, whereas the May server received just 75 MB of data and was apparently used solely to distribute one command module to the compromised computers.
NEXT: Covering Their TracksThe servers also leverage the Web application called Newsforyou, which processed the Flame client interactions and provided a basic level of control to facilitate the theft of data. It is also believed that this application was used to support malware other than Flame. Although the exact identities of these other threats have not yet been established, Kaspersky reports that traces of three yet undiscovered malicious programs were found. At least one of them is believed to be still operating in the wild.
"This command-and-control server was not written to be used once," said Symantec’s Haley. "It's a platform that is clearly intended to be used over and over again. There are at least four pieces of malware that have been used with this command-and-control server. So, it is inevitable that there are other ones out there now, and there will be others out there in the future."
The application also went to great lengths to delete its own data and cover its own tracks in the event of discovery. Only one log file was apparently overlooked, and that one included the aliases of the four operators, who appeared to have compartmentalized roles in order to further enhance the project's security. Experts say this added precaution further supports the premise that this is the work of a well-funded and highly organized group.
"These people went to great lengths to cover their tracks, to encrypt data and to delete data off the server on a regular basis," added Haley. "So, this is a high-end spying effort that includes compartmentalization and cutouts, because they were trying to hide what they were doing. The server itself was disguised as a content management platform. So, we are really in a world of high-end spies that have just moved into cyberspace."
The servers were able to receive data from infected machines using four different protocols. One protocol, known as "Red Protocol," had not yet been implemented at the time that Flame was discovered during an investigation launched by the International Communication Union.
The complexity of the code pointed researchers in the general direction of the Stuxnet cyber weapon, but there are currently no indications that the same command-and-control servers were used to support Stuxnet.
All servers were running the 64-bit version of the Debian operating system and virtualized through the use of OpenVZ containers, according to Kaspersky. Much of the code was written in the PHP programming language.
PUBLISHED SEPT. 17, 2012