Kaspersky Lab Experts Provide In-Depth Analysis of Flame’s C&C Infrastructure
Woburn, MA - June 4, 2012 - On May 28, 2012 Kaspersky Lab announced the discovery of a highly
sophisticated malicious program, known as Flame, which was actively being
used as a cyber weapon targeting entities in several countries. Flame was
discovered by Kaspersky Lab’s experts during an investigation prompted by the International
Telecommunication Union (ITU), and the analysis of
the malicious program revealed it was the largest and most complex attack
toolkit to date.
Kaspersky Lab’s analysis of the malware revealed that it was being used for cyber-espionage: it infects computers to steal data and sensitive information, which is then sent to one of Flame’s command & control (C&C) servers.
Kaspersky Lab has been closely monitoring Flame’s C&C infrastructure and published a detailed research post today about its findings.
In collaboration with GoDaddy and OpenDNS, Kaspersky Lab succeeded in sinkholing most of the malicious domains used by Flame’s C&C infrastructure. The following details summarize the results of the investigation:
- The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware’s existence last week.
- There are more than 80 known domains used by Flame for C&C servers and related purposes, registered between 2008 and 2012.
- Over the past four years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
- C&C domains were registered under an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
- According to Kaspersky Lab’s sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America and Asia-Pacific.
- The Flame attackers seem to have a high interest in PDF and Office documents and AutoCAD drawings.
- Data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM.
- Windows 7 64-bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.
Kaspersky Lab would like
to thank William MacArthur and GoDaddy Network Abuse Department for their fast
reaction and exceptional support of this investigation. In addition, Kaspersky
Lab would also like to thank the OpenDNS Security Research Team, who also
offered invaluable assistance during the course of this investigation.
During the past week, Kaspersky Lab contacted CERTs in multiple countries to inform them about the Flame C&C domains and the IP addresses of the malicious servers. Kaspersky Lab would like to thank all who participated for their support of the investigation.
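A CERT that receives a list of C&C domains and server IP addresses will typically want to sweep its constituents’ DNS and connection logs for them. The script below is an added example of that sweep; it is not code from Kaspersky Lab or from the Securelist analysis. The domains, IP addresses, sinkhole address and log lines are all constructed for illustration (the addresses come from the RFC 5737 documentation ranges) and are not Flame indicators. It matches domains label-wise so that look-alike names do not produce false positives, flags hosts whose lookups already resolve to a sinkhole (the domain is neutralised but the client is still infected), and matches direct connections to the listed server IPs for implants that bypass DNS.

```python
"""Match a C&C indicator list against DNS and connection logs.

Added example; not code from Kaspersky Lab or the Securelist analysis. The
domains, IP addresses and log lines are constructed for illustration and
are not Flame indicators (IPs are from the RFC 5737 documentation ranges).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list in the shape a CERT might circulate.
C2_DOMAINS = {"example-update.net", "cdn-example.org"}
C2_IPS = {"203.0.113.17", "198.51.100.42"}
# Constructed sinkhole address: a domain resolving here has already been
# taken over, but the client that asked for it is still infected.
SINKHOLE_IPS = {"192.0.2.9"}


@dataclass(frozen=True)
class Hit:
    client: str      # internal host that produced the event
    indicator: str   # matched domain or IP
    kind: str        # "domain", "ip" or "sinkholed"


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return name.rstrip(".").lower()


def domain_matches(qname: str, iocs) -> bool:
    """True if qname equals, or is a subdomain of, any listed domain.

    Label-wise comparison avoids the substring mistake where
    'notexample-update.net' would match 'example-update.net'.
    """
    labels = normalize_domain(qname).split(".")
    for ioc in iocs:
        ioc_labels = normalize_domain(ioc).split(".")
        n = len(ioc_labels)
        if len(labels) >= n and labels[-n:] == ioc_labels:
            return True
    return False


# BIND-style query log line:  client 10.0.0.5#53123: query: host.example IN A +
DNS_QUERY = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN \S+")
# Resolver answer log (constructed format):  10.0.0.5 host.example -> 192.0.2.9
DNS_ANSWER = re.compile(r"^(?P<client>[\d.]+) (?P<qname>\S+) -> (?P<answer>[\d.]+)$")
# Firewall/NetFlow-style line (constructed format):  10.0.0.7 -> 203.0.113.17:80
CONN = re.compile(r"^(?P<client>[\d.]+) -> (?P<dst>[\d.]+):\d+$")


def scan_dns_queries(lines, domains=C2_DOMAINS):
    """Hosts that looked up a C&C domain or anything beneath it."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if m and domain_matches(m["qname"], domains):
            hits.append(Hit(m["client"], normalize_domain(m["qname"]), "domain"))
    return hits


def scan_dns_answers(lines, sinkholes=SINKHOLE_IPS):
    """Hosts whose lookups resolved to a sinkhole: the domain is neutralised
    but the querying machine still runs the implant and needs cleanup."""
    hits = []
    for line in lines:
        m = DNS_ANSWER.match(line.strip())
        if m and m["answer"] in sinkholes:
            hits.append(Hit(m["client"], normalize_domain(m["qname"]), "sinkholed"))
    return hits


def scan_connections(lines, ips=C2_IPS):
    """Direct connections to C&C addresses; catches hosts that bypass DNS."""
    targets = {ipaddress.ip_address(ip) for ip in ips}
    hits = []
    for line in lines:
        m = CONN.match(line.strip())
        if m and ipaddress.ip_address(m["dst"]) in targets:
            hits.append(Hit(m["client"], m["dst"], "ip"))
    return hits


def infected_hosts(dns_queries, dns_answers, connections):
    """Sorted set of internal hosts flagged by any of the three checks."""
    hits = (scan_dns_queries(dns_queries) + scan_dns_answers(dns_answers)
            + scan_connections(connections))
    return sorted({h.client for h in hits})


# Constructed sample logs.
SAMPLE_QUERIES = [
    "client 10.0.0.5#53123: query: www.example-update.net. IN A +",
    "client 10.0.0.6#41000: query: notexample-update.net IN A +",  # must not match
    "client 10.0.0.8#41001: query: mail.corp.example IN MX +",
]
SAMPLE_ANSWERS = [
    "10.0.0.5 www.example-update.net -> 192.0.2.9",
    "10.0.0.8 mail.corp.example -> 10.1.1.1",
]
SAMPLE_CONNECTIONS = [
    "10.0.0.7 -> 203.0.113.17:80",
    "10.0.0.8 -> 10.1.1.1:25",
]

if __name__ == "__main__":
    for host in infected_hosts(SAMPLE_QUERIES, SAMPLE_ANSWERS, SAMPLE_CONNECTIONS):
        print("investigate", host)
```

The three log formats are stand-ins; in practice the regexes would be replaced with parsers for whatever resolver, proxy or flow export is actually in use, while the label-wise domain comparison and the sinkhole check carry over unchanged.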
If you are a GovCERT institution and would like to receive more information about the C&C domains, please contact us at: “firstname.lastname@example.org”.
To read the full analysis
of Flame’s C&C infrastructure and all its technical details, please visit: Securelist.
About Kaspersky Lab
Kaspersky Lab is the world's largest privately held Internet security
company, providing comprehensive protection against all forms of IT
threats such as viruses, spyware, hackers and spam. The company's
products provide in-depth computer defense for more than 300 million
systems around the globe, including home and mobile users, small and
medium sized businesses and large enterprises. Kaspersky technology is
also incorporated inside the products and services of nearly 100 of
industry leading IT, networking, communications and applications