Cyber spying: three other malware programs linked to Flame

September 18th, 2012 - 04:11 pm ET by J. G.

Additional information has come out about Flame: the platform that was first seen in 2006 whose development is still ongoing.

The Flame malware was discovered in May this year, detected in different regions around the world but primarily in the Middle East and Iran. This cyber spy had been working secretly in the shadows for years. Since its discovery, it has been strongly suspected of having been developed by the United States and Israel to spy on Iran’s nuclear program.

Flame continues to give up some of its secrets. In a report produced by Kaspersky Lab, Symantec, CERT-Bund/BSI and the International Telecommunication Union, the analysis of the command-and-control servers used by Flame’s creators shows that this platform was first developed in December 2006.

It was during this period that Flame was conceived by a group of at least four developers. Over the next six years, this group had access to servers to communicate with Flame on compromised Windows computers so as to launch a range of different attacks.

To avoid detection, numerous encryption methods were used, and Flame was also regularly deleted from infected machines.

According to the investigation, the control servers ran a virtualised 64-bit version of Debian installed in OpenVZ containers. The server code was written in PHP, and numerous elements made the servers look like a simple content management system (CMS). This meant that the hosting provider never paid much attention to them.

The servers were capable of receiving data from infected machines via four different protocols. In reality, only one of them was used by Flame, which suggests that the other three served three other malware programs linked to Flame.

One of these malware programs, going by the code name SPE, is currently in circulation according to Kaspersky Lab. The security company adds that "there are signs indicating that the control platform is still actively being developed". It also refers to a communication method called the Red Protocol, which has not yet been activated.

"There is no doubt that this is an example of cyber spying being conducted on a large scale", states Alexander Gostev, Chief security expert at Kaspersky Lab.
