New Investigation Points to Three New Flame-Related Malicious Programs: At Least One Still in the Wild
Research by Kaspersky Lab in partnership with ITU’s IMPACT, CERT-Bund/BSI and Symantec
reveals that the Flame platform dates back to 2006 and is still being developed
Woburn, MA - September 17, 2012 - Kaspersky Lab announces the results of
new research related to the discovery of the sophisticated, nation-state sponsored
Flame cyber-espionage campaign. During the research, conducted by Kaspersky
Lab in partnership with the International Telecommunication Union’s cybersecurity
executing arm, IMPACT, as well as CERT-Bund/BSI and Symantec, a number of Command and Control (C&C) servers used by
Flame’s creators were analyzed in detail. The analysis revealed new,
groundbreaking facts about Flame. In particular, traces of three as-yet-undiscovered
malicious programs were found, and it was established that the
development of the Flame platform dates back to 2006.
The development of Flame’s Command and Control platform started as
early as December 2006.
The C&C servers were disguised to look like a common Content
Management System, to hide the true nature of the project from hosting
providers or random investigations.
The servers were able to receive data from infected machines using
four different protocols; only one of them served computers attacked by Flame.
The existence of three additional protocols not used by Flame
provides proof that at least three other Flame-related malicious programs
were created; their nature is currently unknown.
One of these Flame-related unknown malicious objects is currently
operating in the wild.
There were signs that the C&C platform was still under
development; one communication scheme named “Red Protocol” is mentioned
but not yet implemented.
There is no sign that the Flame C&Cs were used to control other
known malware such as Stuxnet or Gauss.
The Flame cyber-espionage campaign was originally discovered in May 2012 by Kaspersky Lab during an investigation initiated by the International
Telecommunication Union. Following this discovery, ITU-IMPACT acted swiftly to issue an alert to
its 144 member nations, accompanied by the appropriate remediation and
cleaning procedures. The complexity of the code and confirmed links to the developers of Stuxnet all point to the fact that Flame is yet another
example of a sophisticated nation-state sponsored cyber operation. Originally
it was estimated that Flame started operations in 2010, but the first analysis of its Command and Control infrastructure (covering at least 80 known
domain names) shifted this date two years earlier.
The findings in
this particular investigation are based on the analysis of the content
retrieved from several C&C servers used by Flame. This information was
recovered despite the fact that Flame’s control infrastructure went offline
immediately after Kaspersky Lab disclosed the existence of the malware. All servers
were running the 64-bit version of the Debian operating system, virtualized using OpenVZ containers. Most of the servers’ code was written in the PHP
programming language. Flame’s creators took certain measures to make the
C&C servers look like an ordinary Content Management System, in order to
avoid attention from the hosting providers.
Encryption methods were used so that no one but the attackers could
obtain the data uploaded from infected machines. The analysis of the scripts
used to handle data transmissions to the victims revealed four communication
protocols, and only one of them was compatible with Flame. This means that at least three other types of malware used these Command
and Control servers. There is enough evidence to prove that at least one
Flame-related malware is operating in the wild. These unknown malicious
programs are yet to be discovered.
The analysis also showed that the development of the Flame C&C platform
started as early as December 2006. There are signs that the platform is still
in the process of development, since a new, not yet implemented protocol called
the “Red Protocol” was found on the servers. The latest modification of the
servers’ code was made on May 18, 2012 by one of the programmers.
“It was problematic
for us to estimate the amount of data stolen by Flame, even after the analysis
of its Command and Control servers. Flame’s creators are good at covering their
tracks. But one mistake of the attackers helped us to discover more data than
one server was intended to keep. Based on this we can see that more than five
gigabytes of data was uploaded to this particular server a week, from more than
5,000 infected machines. This is certainly an example of cyber espionage
conducted on a massive scale,” commented Alexander Gostev, Chief Security
Expert, Kaspersky Lab.
An analysis of the contents of Flame’s command and control servers is published at Securelist.com.
Kaspersky Lab is the world’s largest privately held vendor of endpoint
protection solutions. The company is ranked among the world’s top four vendors
of security solutions for endpoint users*. Throughout its 15-year history
Kaspersky Lab has remained an innovator in IT security and provides effective
digital security solutions for consumers, SMBs and Enterprises. The company operates
in almost 200 countries and territories across the globe, providing protection
for over 300 million users worldwide. Learn more at www.kaspersky.com.
*The company was rated
fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2010.
The rating was published in the IDC report Worldwide IT Security Products
2011-2015 Forecast and 2010 Vendor Shares – December 2011. The report ranked
software vendors according to earnings from sales of endpoint security
solutions in 2010.