This is accomplished with a versatile Web application called Newsforyou supported by a MySQL database that could be used as a component for other attacks.
Researchers also discovered a set of commands the server could execute including one that wipes log files in an effort to minimize forensic evidence should the server be compromised. It also cleaned out files of stolen data in order to keep disk space free.
"The Newsforyou application is written in PHP and contains the primary command-and-control functionality split into two parts," the report says, "the main module and the control panel." The main module includes sending encryption packages to infected clients, uploading data from infected clients, and archiving when unloading files.
The application resembles a news or blog application, perhaps in an effort to avoid detection by automated or casual inspection, the researchers say.
PHP source code for Newsforyou included notes that identified four authors - D***, H*****, O****** and R*** - who had varying degrees of involvement. D*** and H***** edited the most files and so had the most input. "O****** and R*** were tasked with database and cleanup operations and could easily have had little or no understanding of the inner workings of the application," the report says. "It is likely D*** and O****** knew each other, as they both worked on the same files and during a similar time period in December 2006."
Newsforyou employed both public key and symmetric key encryption depending on the type of data being encrypted. News files intended for clients were encrypted with symmetric keys while stolen data was encrypted using public/private key pairs.
Despite Flame being exposed in May, the evidence left behind in compromised command and control servers indicates the overall spying project it was part of is still alive. "There is little doubt that the larger project involving cyber-espionage tools, such as Flamer, will continue to evolve and retrieve information from the designated targets," the report says.