Flame malware's structure among most complex ever seen, says Kaspersky Lab

More details surface about cyber-espionage Flame malware

By , Network World
June 04, 2012 10:57 AM ET

Network World - Kaspersky Lab Monday shared more details about the sophisticated cyber-espionage Flame malware widely believed to be the work of a nation-state, though the security firm isn't venturing yet to say what country that might be.

Kaspersky Lab is working with OpenDNS to investigate Flame malware tied most closely to cyber-espionage against Iran and Lebanon, and today both companies described what has been found in a week of investigation of Flame command and control (C&C) servers around the world. These servers are being "sinkholed" slowly to cut off ties between the C&C server and Windows-based computers infected with Flame malware, which spies on computer use and can upload content back to Flame's C&C operators.
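The sinkholing described above only helps if defenders can tell which machines on their own network are still talking to the C&C names. The following Python script is an added example, not code from Kaspersky Lab, OpenDNS or the article: it sweeps resolver query logs for lookups of known C&C domains and reports the querying hosts. The domain list and the log lines are constructed placeholders (the article names no Flame domains), and the log format is an assumed four-field layout.

```python
"""Flag internal hosts that query known C&C domains (defensive triage).

Added example; not code from Kaspersky Lab or OpenDNS. CNC_DOMAINS and
SAMPLE_LOG are constructed placeholders, and the log layout
"<timestamp> <client_ip> <qname> <qtype>" is an assumption for this demo.
"""
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed placeholder C&C domains (the .invalid TLD never resolves).
CNC_DOMAINS = {
    "example-cnc-1.invalid",
    "example-cnc-2.invalid",
}

# Constructed resolver log: one query per line, plus one malformed line.
SAMPLE_LOG = """\
2012-06-04T10:00:01Z 10.0.0.5 www.example-cnc-1.invalid A
2012-06-04T10:00:02Z 10.0.0.5 EXAMPLE-CNC-1.INVALID. A
2012-06-04T10:00:03Z 10.0.0.7 update.microsoft.com A
2012-06-04T10:00:04Z 10.0.0.9 notexample-cnc-2.invalid A
2012-06-04T10:00:05Z 10.0.0.9 example-cnc-2.invalid. AAAA
malformed line
"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so FQDN forms compare equal."""
    return name.strip().lower().rstrip(".")


def matches_cnc(qname: str, cnc_domains=CNC_DOMAINS) -> Optional[str]:
    """Return the C&C domain that qname equals or sits under, else None.

    Matching is on label boundaries: 'notexample-cnc-2.invalid' does not
    match 'example-cnc-2.invalid', but 'www.example-cnc-1.invalid' does.
    """
    q = normalize(qname)
    for d in cnc_domains:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split a log line into (timestamp, client, qname, qtype); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname, qtype


def find_suspect_hosts(log_text: str, cnc_domains=CNC_DOMAINS) -> Dict[str, Dict[str, int]]:
    """Map client IP -> {cnc_domain: query_count} for clients that looked up C&C names."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, client, qname, _qtype = rec
        domain = matches_cnc(qname, cnc_domains)
        if domain:
            hits[client][domain] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == "__main__":
    for client, counts in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(client, counts)
```

Running it lists 10.0.0.5 (two queries for the first C&C name, one via a subdomain and one in upper case with a trailing dot) and 10.0.0.9 (one query), while 10.0.0.7 and the near-miss name on 10.0.0.9 are ignored. Matching on label boundaries rather than substrings is the part most often got wrong in ad-hoc grep-based sweeps.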

BACKGROUND: Flame Malware: All You Need to Know

ANALYSIS: Iran's discovery of Flame malware turning into political hot potato

The Flame cyber-espionage botnet has one of the most elaborate and carefully constructed C&C structures ever identified, according to Roel Schouwenberg, senior researcher at Kaspersky Lab, who joined Dan Hubbard, CTO at OpenDNS, to discuss the discoveries made since a week ago, when Kaspersky's announcement about the malware apparently caused Flame's C&C operators to suddenly drop offline.

However, Flame appears to be updating itself to possibly reconstitute its capabilities, Schouwenberg warns.

"Flame's goal is cyber-espionage," says Schouwenberg, noting it's "hiding in plain sight," and "there may be a cyber-sabotage component to it."

Flame can send stolen information back to its operators in 80 kilobyte chunks, and Flame's operators want to steal PDF files, Office documents and AutoCAD files, such as mechanical and building designs. He notes, "Whitelisting technologies would have definitely blocked Flame." Whitelisting prevents unauthorized applications from running on computers. Flame is Windows-based and there doesn't seem to be a Linux component, Schouwenberg says.

"The Flame command control is unlike anything we've ever seen before," Schouwenberg says. Flame has had more than 80 domains registered for servers that have been identified in far-flung places, from India to Belgium to the Netherlands to Switzerland. The Flame C&C servers do not appear to be hacked servers. The domains appear to have been registered carefully by hand under fake names, such as hotels, shops and doctors' offices, with most of the phony registrations giving addresses in Germany and Austria, though there is no known reason why. These domains and locations are not historically connected with "bad actors and bad neighborhoods," Hubbard points out.

The researchers acknowledge there is still a lot they don't know about Flame, because they believe additional Flame modules must still be found to get a bigger picture of what's going on. There's also evidence Flame is updating itself to find alternate C&C paths and has a sophisticated backup operation. So far, there are 196 known victims of Flame in Iran, 54 in Palestine, 48 in Israel, 33 in Sudan, 31 in Syria, and others elsewhere, including 10 in the U.S. The numbers haven't changed much from a week ago, Kaspersky says. About 45 of the victims in Iran have had their Flame C&C traffic sinkholed to protect against it, as well as 21 in Lebanon and eight in the U.S., among a few others.
