Kaspersky uncovers new details of Flame malware

Almost four months after Kaspersky Lab uncovered the massively distributed Flame malware strain, the researchers have released new information about the security threat, which reportedly dates back to 2006.

Kaspersky, in conjunction with the International Telecommunication Union's IMPACT Alliance, CERT-Bund/BSI, and Symantec, studied a number of Command and Control (C&C) servers used by Flame's creators, leading to the discovery of three malicious programmes still running wild.

Analysis of the scripts used to handle data uploaded from infected machines revealed four communication protocols, Kaspersky Lab said, and only one was compatible with Flame. That means that at least three other types of malware are being run by the same C&C servers and at least one Flame-related virus is still operating.

In May, Kaspersky reported that Flame "might be the most sophisticated cyber weapon yet unleashed," explaining that once deployed, the malware can sniff network traffic, take screenshots, record audio conversations, intercept keystrokes, and manage other tricks that can compromise PC security and users' private data.

Researchers said it was problematic to estimate the amount of data stolen by Flame, even after analysis of its C&C servers. Flame's creators have been clever at covering their tracks, Kaspersky Lab researcher Alexander Gostev explained.

But a mistake that locked the attackers out of the server and left behind a collection of files helped the researchers discover more than 5GB of data uploaded from more than 5,000 infected machines to one particular server in a week.

"This is certainly an example of cyber espionage conducted on a massive scale," Gostev said in a statement.

The lab also uncovered details clarifying that development of the Flame C&C platform began as early as December 2006 and may not be finished yet. According to the lab, there are signs that the platform is still in the process of development. The unimplemented "Red Protocol" was recently found on the servers, which were last modified in May.

In late May, Flame reportedly wreaked havoc on Iran, causing at least 189 infections. Israel/Palestine was also hit hard with 98, followed by Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), and Egypt (5).

In June, US and Israeli officials were linked to both Flame and the 2010 Stuxnet worm, which was intended to thwart Iran's development of nuclear weapons.