Flame Malware Investigation: More Evidence Of Espionage Weapon

By Ken Presti
September 17, 2012 4:14 PM ET

Page 2 of 2

The servers also leverage the Web application called Newsforyou, which processed the Flame client interactions and provided a basic level of control to facilitate the theft of data. It is also believed that this application was used to support malware other than Flame. Although the exact identities of these other threats have not yet been established, Kaspersky reports that traces of three yet undiscovered malicious programs were found. At least one of them is believed to be still operating in the wild.

"This command-and-control server was not written to be used once," said Symantec’s Haley. "It's a platform that is clearly intended to be used over and over again. There are at least four pieces of malware that have been used with this command-and-control server. So, it is inevitable that there are other ones out there now, and there will be others out there in the future."

The application also went to great lengths to delete its own data and cover its own tracks in the event of discovery. Only one log file was apparently overlooked, and that one included the aliases of the four operators, who appeared to have compartmentalized roles in order to further enhance the project's security. Experts say this added precaution further supports the premise that this is the work of a well-funded and highly organized group.

"These people went to great lengths to cover their tracks, to encrypt data and to delete data off the server on a regular basis," added Haley. "So, this is a high-end spying effort that includes compartmentalization and cutouts, because they were trying to hide what they were doing. The server itself was disguised as a content management platform. So, we are really in a world of high-end spies that have just moved into cyberspace."

The servers were able to receive data from infected machines using four different protocols. One protocol, known as "Red Protocol," had not yet been implemented at the time that Flame was discovered during an investigation launched by the International Communication Union.

The complexity of the code pointed researchers in the general direction of the Stuxnet cyber weapon, but there are currently no indications that the same command-and-control servers were used to support Stuxnet.

All servers were running the 64-bit version of the Debian operating system and virtualized through the use of OpenVZ containers, according to Kaspersky. Much of the code was written in the PHP programming language.

PUBLISHED SEPT. 17, 2012

<< Previous | 1 | 2

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	Head-To-Head: Symantec Vs. McAfee In Endpoint Protection McAfee and Symantec are archrivals with a firm grip on the North American security market. CRN pits both vendors' endpoint security products against each other and names a winner.
	The 8 Steps Behind The Massive $45M Cyber Bank Heist More than $45 million was stolen from banks in the U.S. and 19 other countries in a scheme that law enforcement is calling an international conspiracy to drain millions from bank accounts using stolen debit cards and PIN numbers. Here's how they did it.
	Name Of The Game: Top 10 States For Identity Theft A Federal Trade Commission report provides statistics on identity theft and fraud complaints in 2012. Learn which state has the dubious distinction of having the most victims.
	More Slide Shows