Kaspersky Lab and several partners have determined that the Flame malware has been under development since 2006, and that further variants of the Trojan exist. The new insights were gained through the forensic analysis of two command-and-control servers. The UN agency ITU, the German Federal Office for Information Security (BSI) and the security firm Symantec were involved in the investigations.
Content stored on the servers could be preserved, even though Flame's control infrastructure was taken offline immediately after the spy malware was discovered. There were even signs that the platform was still under development. At first glance the server appeared to host a content management system (CMS), which apparently served as camouflage to hide its real purpose from hosting providers or casual inspection.
While the code of Flame was first dated to 2010, development in reality probably began as early as December 2006. The server could receive data from infected machines via four different protocols, only one of which was used by the computers attacked with Flame. From the presence of the other protocols, the security researchers conclude that at least three further malicious programs related to Flame were created. Their purpose is still unknown, but one of these variants is presumably currently "in the wild".
The control servers ran 64-bit versions of Debian Linux. The server code was written mostly in the PHP scripting language. The malware's authors used complex encryption methods to ensure that only they were able to access the data uploaded from infected computers to the servers. Flame reached target computers disguised as a manipulated update for Microsoft Windows.
"Even for us, it was difficult to estimate the amount of data stolen by Flame from the analysis of its command-and-control servers," said Alexander Gostev of anti-virus specialist Kaspersky. "The authors of Flame are good at covering their tracks." The attackers nevertheless made a mistake that gave security researchers more insight. "We can see, for example, that more than 5 GB of data was uploaded to one specific server within a week, originating from more than 5,000 infected machines. This is certainly an example of cyber espionage on a massive scale."
According to the Washington Post, the U.S. and Israel are behind the Flame malware. The newspaper reported this in June, citing official government sources. Flame is therefore said to collect information that can be used for a larger-scale cyber attack against Iran. The goal is to prevent the Islamic Republic from working to build a nuclear weapon.
The Flame malware is said to have infiltrated Iranian computer networks on a large scale and sent back a significant amount of information. Parts of it had also been used by Stuxnet. Flame and Stuxnet therefore belonged to a larger and still ongoing attack.