Flame malware used open source software

The controversial Flame malware that infected computers in Iran may have used open source software to hide its own code in "plain sight", a new analysis has found.

The code was included in four strains of the malware, identified by antivirus vendors Kaspersky Labs and Symantec from a forensic analysis of two captured Command and Control (C&C) servers.

The analysis was conducted in conjunction with the United Nations' cyber security arm, ITU-IMPACT, and the German Government's CERT-BUND/BSI organisation this year.

The security organisations found the C&C servers were based on the Debian Linux distribution, with other open source services running on top such as Apache, MySQL and the PHP scripting language, as well as Python and bash shell scripts.

NSS Labs research director, Randy Abrams, told TechNewsWorld that the use of open source software could serve to help hide code in "plain sight".

Open source code "hampers the ability to attribute the style of coding to a programmer or group," whereas custom code is far easier to identify algorithmically, Abrams claimed.

The principal security response manager at Symantec concurred with Abrams, saying that while one reason for using open source software is lack of expertise in creating what is required from scratch, "another reason for using open source software is indeed evasion".

At least four programmers were believed to have worked on the malware since December 2006, with the most recent changes being made in May this year. 

According to Kaspersky, the malware code is still being developed with a new "Red Protocol"  that had not yet been fully implemented.

Programmers working on the Flame malware tried to make it appear as a legal content management system and used strong public key cryptography to make sure only they could read the stolen data.

"These features are not normally found in malware created by everyday cyber-criminals, reaffirming our initial conclusions that Flame is a nation-state sponsored attack," Kaspersky Labs said.

Analysing the acquired servers used to manage the malware showed it was just one of four separate strains of malware, named SP, SPE, FL, and IP.

Of these, SPE exists and is "in the wild" meaning it is currently being actively distributed around the world.

Symantec said the acquired servers were running a web-based control panel application called Newsforyou. This allowed attackers to upload code packages for delivery to compromised computers and download stolen client data.

One server set up in March this year received almost 6GB of data from compromised computers in just a week, Symantec's analysis showed.

Use of the Newsforyou framework, which assigned different administrative roles to the attackers, "suggests that this is the work of a well-funded and organised group," the security vendor claimed.

Kaspersky Lab researcher Alexander Gostev went further in a statement to PC Mag, saying "this is certainly an example of cyber espionage conducted on a massive scale".