'Flame' malware may have siblings, study finds

Flame is just one of four pieces of malware developed to spy on Middle East-based targets

A deeper look into the Flame malware, linked to the infamous Stuxnet, has revealed that it may be just one of four pieces of malware created by the same unknown development team.

Flame became public in May after Iran discovered the malware had been used to infect computers in its oil ministry. It was quickly linked with Stuxnet, which was used to disrupt Iran's uranium refinement equipment, and was suspected to have been developed by other countries, possibly the U.S. and Israel, due to its sophistication and targeting.

The latest research is the result of a combined effort by Symantec, Kaspersky Lab, the International Telecommunication Union's (ITU) IMPACT cybersecurity team, Germany's Computer Emergency Response Team for Bundesbehörden and its Federal Office for Information Security (BSI).

The study found that the command-and-control mechanisms for Flame may have been developed as far back as December 2006, making the malware much older than previously thought, according to a write-up by Kaspersky Lab. It had been circulating in the wild since around 2010, but its creation date had been unknown until now.

Among the other significant findings is that Flame's command-and-control system handled three types of malware that have not been examined by researchers and whose purpose is unknown. Other clues showed those malware types may still be under development or not yet activated.

Flame is the Swiss Army knife of spying tools: It can collect data entered into forms, collect passwords, record audio and capture screenshots. It may have played a reconnaissance role to scout out systems for later infection by Stuxnet, which disrupted industrial control systems made by Siemens and used by Iran for refining uranium.

According to the research, Flame's command-and-control system was designed to look more like a content management system (CMS). Simple commands were used such as "upload," "client," "news," "blog" and "ads" that mimic a CMS interface rather than looking like other botnet interfaces.

"We believe this was deliberately done to deceive hosting company sys-admins who might run unexpected checks," Kaspersky wrote.

Surprisingly, those who modified Flame's code left nicknames embedded in the code along with timestamps. The researchers identified four people who modified the code, though the nicknames were censored in Kaspersky's writeup. One of the coders appeared to be the team's leader, while another specialized in advanced cryptography.

Kaspersky said it had received many questions about the amount of data Flame might have taken. Although it appeared that stolen information was transferred to other servers every 30 minutes, Flame's operators for some reason became locked out of one of the drop servers used to collect their stolen data. Flame may have collected as much as 5.5GB of compressed information in just a week.

Flame's controllers made another mistake: forgetting to delete log files that showed how many victim computers were sending back information. During a one-week period between the end of March and early April, some 3,702 unique IP addresses from Iran connected to that drop server, with another 1,280 from Sudan.

"Our previous statistics did not show a large number of infections in Sudan, so this must have been a dedicated campaign targeting systems in Iran and Sudan," Kaspersky wrote.

Send news tips and comments to jeremy_kirk@idg.com

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts