Flame-related malware detected in the wild

By on
Flame-related malware detected in the wild

Flame claims 10,000 victims.

One of three newly detected strains of malware linked to the authors of Flame was found in the wild.

Recent findings also date the development of Flame's command-and-control platform as far back as December 2006.

Flame, which has targeted victims primarily in Iran, is thought to be the creation of a nation-state due to the resources needed for the large-scale, sophisticated attacks.

Malicious capabilities of Flame, believed to be related to Stuxnet and Duqu, include screenshot-capturing and keystroke-logging features, as well the ability to engage microphones to record victims' conversations.

The malware is also designed to uninstall itself from computers after stealing information.

Researchers at Kaspersky Labs and Symantec have both published reports on the new Flame developments.

In a Symantec blog post, it was revealed that one Flame server, set up in March, had collected nearly 6 GB from infected computers in a week's time.

Symantec principal security response manager Vikram Thakur told SC the data-stealing feat put Flame in a league of its own.

“[This] is significantly larger than any data-stealing software we've come across, as far as impact on a daily or even yearly basis,” said Thakur. “No other malware extricates this amount of information. We don't see this happening.”

Kaspersky's blog post highlighted the massive amount of files stolen from more than 5000 machines, bringing the estimated count of Flame victims to more than 10,000.

Researchers were able to measure the amount of stolen files due to a mistake by the attackers, in which they left behind files that would have normally been deleted.

“On one of the servers, the attackers forgot to delete the HTTP logs,” said the blog post. "This allowed us to get an idea of how many victims connected to the server."

The information gathered during the week between 25 March and 2 April  showed that of the 5377 unique IPs that connected to the server, the majority of machines, nearly 4000, were in Iran.

Still, researchers saw that a significant number of machines, 1280, were detected in Sudan.

“Our previous statistics did not show a large number of infections in Sudan, so this must have been a dedicated campaign targeting systems in Iran and Sudan,” Kaspersky researchers concluded in the post.

Attackers developed a web application, called “Newsforyou,” that was disguised to go undetected and which was used to communicate with infected machines.  

“The application is designed to resemble a simple news [or] blog application,” said Symantec's analysis of the Flame command-and-control server. “This approach may serve to disguise the true nature of the application from any automation or casual inspection.”

The three strains of malware were named, “IP,” “SP” and “SPE,” with the latter being the name of the Flame-related malware currently in the wild. It is yet to be discovered what the malware is capable of doing to infected machines.

“Based on the code from the server, we know Flame was a project from a list of at least four,” said Kaspersky's blog post. The purpose and nature of the other three malicious programs remain unknown.

Thakur said the success of the campaign can mainly be attributed to its targeted nature.

“This was not extremely widespread,” Thakur said of attackers. "It was very specific to a few locations across the globe, which kept them going."

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?