PHOTO - Alexander Gostev, chief security officer, Kaspersky Lab.
New research by Russian security solutions firm Kaspersky Lab has identified three new Flame-related malicious programmes, at least one of which is 'still in the wild.' The research was conducted in partnership with IMPACT, the cyber security executing arm of the International Telecommunication Union (ITU), which is headquartered in Malaysia, as well as with CERT-Bund/BSI and Symantec.
Analysis of a number of Command and Control (C&C) servers used by Flame's creators points to a sophisticated nation-state sponsored Flame cyber-espionage campaign that dates back to 2006, said Kaspersky Lab chief security expert Alexander Gostev, speaking on 18 September 2012.
"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers," said Gostev. "Flame's creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data that one server was intended to keep."
"Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale," he said.
Gostev said that other main findings include:
- The C&C servers were disguised to look like a common Content Management System, to hide the true nature of the project from hosting providers or random investigations.
- The servers were able to receive data from infected machines using four different protocols, only one of which served computers attacked with Flame.
- The existence of three additional protocols not used by Flame is proof that at least three other Flame-related malicious programmes were created; their nature is currently unknown.
- One of these Flame-related unknown malicious objects is currently operating in the wild.
- There were signs that the C&C platform was still under development; one communication scheme named 'Red Protocol' is mentioned but not yet implemented.
Nation-state sponsored cyber operation
"There is no sign that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss," said Gostev, adding that the Flame cyber-espionage campaign was originally discovered in May 2012 by Kaspersky Lab during an investigation initiated by the International Telecommunication Union.
At that time, ITU-IMPACT issued an alert to its 144 member nations together with remediation and cleaning advice.
The complexity of the code and confirmed links to developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation, he said.
Originally it was estimated that Flame started operations in 2010, but the first analysis of its Command and Control infrastructure (covering at least 80 known domain names) shifted this date two years earlier.
Sophisticated encryption methods were used to extract data from infected machines. The analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, and only one of them was compatible with Flame. It means that at least three other types of malware used these Command and Control servers. There is enough evidence to prove that at least one Flame-related malware is operating in the wild. These unknown malicious programmes are yet to be discovered, said Gostev.
Detailed analysis of the contents of Flame's command and control servers is published at Securelist.com.