
Flame Malware Details Surface, Point to More Viruses

The Flame malware discovered in May may be older than researchers previously thought and could still be operating in the wild.

September 17, 2012

Almost four months after Kaspersky Lab uncovered the massively distributed Flame malware strain, the researchers have released new information about the security threat, which reportedly dates back to 2006.

Kaspersky, in conjunction with the International Telecommunication Union's IMPACT Alliance, CERT-Bund/BSI, and Symantec, studied a number of Command and Control (C&C) servers used by Flame's creators, and found traces of three other malicious programs, at least one of which appears to still be operating in the wild.

Analysis of the server-side scripts used to handle data uploaded from infected machines revealed four distinct communication protocols, Kaspersky Lab said, only one of which was used by Flame itself. That means the same C&C infrastructure served at least three other malware families, and that at least one Flame-related program is still operating.

In May, Kaspersky said that Flame "might be the most sophisticated cyber weapon yet unleashed," explaining that once deployed, the malware can sniff network traffic, take screenshots, record audio conversations, intercept keystrokes, and perform other tricks that compromise PC security and users' private data.

Researchers said it was difficult to estimate the amount of data stolen by Flame, even after analyzing its C&C servers, because Flame's creators were careful to cover their tracks, Kaspersky Lab researcher Alexander Gostev explained.

But a mistake that locked the attackers out of one server, leaving a collection of files behind, allowed the researchers to determine that more than 5GB of data had been uploaded to that server from more than 5,000 infected machines in a single week.

"This is certainly an example of cyber espionage conducted on a massive scale," Gostev said in a statement.

The lab also uncovered details indicating that development of the Flame C&C platform began as early as December 2006 and may not be finished yet. The servers, last modified in May, contain references to an as-yet unimplemented "Red Protocol," which Kaspersky reads as a sign that the platform is still under development.

As of late May, Flame had hit Iran hardest, with at least 189 infections. Israel/Palestine followed with 98, then Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), and Egypt (5).

U.S. and Israeli officials have been linked to both Flame and the 2010 Stuxnet worm, which was intended to sabotage Iran's nuclear program.

For more, see PCMag's and