Flame malware C&C network set up as early as 2008
Cyber-espionage tool that targeted Middle East had long, continuous development cycle, say researchers
Kaspersky Lab has released more information on the Flame malware that appears to have been used to spy on end users across the Middle East.
The security company says that it has traced over 80 known domains used by Flame for command and control (C&C) servers, and that it has also been able to identify what types of data the malware was stealing, although there is still no evidence pointing to a culprit.
Security researchers from Kaspersky, GoDaddy and OpenDNS used a technique called sinkholing to redirect traffic meant for Flame's servers to their own analysis server, capturing most of Flame's malicious domains.
Over 80 known domains used by Flame for C&C servers have been identified, and servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
The earliest of the domains were registered in 2008, suggesting that Flame may have been active for longer than the two years it was originally suspected to have been loose. The domains were all found to be registered to false names and addresses, with many of the addresses in Vienna.
The attackers behind Flame also appear to have been covering their tracks, as the C&C infrastructure went offline as soon as the initial security reports were announced, although researchers note that the C&C network for Flame was not as well concealed as the C&C network for Duqu.
Kaspersky researchers say they have also found PCs where there are traces of Flame, but the malware appeared to have been removed, and they also uncovered a removal tool that was sent to one of the sinkholed servers, suggesting that the attackers had a means to remove Flame from PCs that they no longer wanted to spy on.
Flame infections have been identified predominantly in the Middle East, with Iran, Israel/Palestine and Sudan the most targeted, but infections have also been detected in countries as widespread as the US, Latvia, India and Malaysia.
Researchers have also identified the specific file types that Flame targeted, mainly PDFs, Office documents and AutoCAD drawings. The malware searches for PDF, text and other document files and produces short text summaries of them; it also hunts for e-mails and many other kinds of files. Data was then encrypted and sent using relatively simple algorithms. Stolen documents are compressed using the open source Zlib library and a modified PPMD compression. Files were also split into small packets of 8192 bytes, which may have been done to cope with slow and unreliable internet connections in the Middle East, researchers said.
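As an added illustration (not from the article or from Kaspersky's analysis), the following Python heuristic looks for the upload pattern described above from the defender's side: outbound payloads that cluster at exactly 8192 bytes and that reassemble into a valid zlib stream. The chunk size is taken from the article; the sample "stolen document" and the flow-scoring threshold are constructed assumptions.

```python
import random
import zlib

CHUNK = 8192  # packet size the researchers observed Flame using


def build_sample_exfil(doc: bytes) -> list[bytes]:
    """Constructed sample traffic: zlib-compress a document and split the
    stream into fixed-size chunks, mimicking the upload pattern in the article."""
    blob = zlib.compress(doc)
    return [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]


def fixed_size_chunk_ratio(payloads: list[bytes]) -> float:
    """Fraction of payloads that are exactly CHUNK bytes long. A high ratio on
    one outbound flow hints at deliberate chunked uploading rather than
    ordinary request/response traffic."""
    if not payloads:
        return 0.0
    return sum(1 for p in payloads if len(p) == CHUNK) / len(payloads)


def reassemble_if_zlib(payloads: list[bytes]):
    """Concatenate the chunks in capture order and try to inflate them.
    Returns the decompressed bytes, or None if the stream is not zlib."""
    stream = b"".join(payloads)
    try:
        return zlib.decompress(stream)
    except zlib.error:
        return None


def flag_flow(payloads: list[bytes], min_ratio: float = 0.5) -> dict:
    """Score one flow: suspicious when most packets are CHUNK-sized and the
    reassembled stream inflates cleanly (assumed threshold, tune per network)."""
    ratio = fixed_size_chunk_ratio(payloads)
    data = reassemble_if_zlib(payloads)
    return {
        "chunk_ratio": ratio,
        "zlib_stream": data is not None,
        "suspicious": ratio >= min_ratio and data is not None,
    }


if __name__ == "__main__":
    # Constructed 40 KB "document" of pseudo-random bytes so it does not compress away.
    rng = random.Random(42)
    doc = bytes(rng.getrandbits(8) for _ in range(40000))
    print(flag_flow(build_sample_exfil(doc)))
    print(flag_flow([b"GET / HTTP/1.1\r\n\r\n"]))
```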
Vitaly Kamluk, chief malware expert with Kaspersky's Global Research & Analysis Team, told ITP.net that Flame also appears to have been in development for a considerable amount of time. Researchers have found a number of different versions of the malware, with version numbers ranging from 2.020 to 2.243, with clear differences between versions. If the developers were following the usual naming conventions, that would indicate that the detected version of Flame is a second generation of the malware, and that there are possibly hundreds of variants, Kamluk said.
"It was a long term development. Flame has probably been developed for years: they created an initial version with basic functionality, and then they added new logic, new modules, and extended the capabilities of Flame in a non-stop development. Probably it took them years to develop this attack tool, and I believe they initiated the process somewhere in 2008," he explained.
Kamluk said that Flame was programmed to avoid detection by anti-virus software, which would be a factor in why it took so long to come to light.
"There are reasons why it was undetected. First of all, it was used against a very limited number of computers, which means that it has a very low probability of making its way to the virus labs," he said.
"It took the malware we estimate more than two years to make it to the anti-virus lab. We were wondering why that was, we have signature-independent technologies such as behaviour-based detection and heuristic engines, and the answers were in the code of Flame. Flame actually makes very light checks before making any major changes or infecting other computers or removable media. It makes light checks on the system and if it finds any known anti-virus software in the system, it will not execute any risky steps, so as not to trigger behaviour-based detection. That is why the users and systems administrators have not seen any suspicious activity going on, it was silent on those machines that had anti-virus installed."