Kaspersy Lab Discovers Flame Malware More Intricate Than Suspected
On May 29, 2012, Kaspersky Lab issued a press release announcing that as the result of an investigation prompted by the International Telecommunication Union (ITU), its technicians had discovered a new cyber-espionage malware known as Flame.
On Jun. 4, 2012, the security software vendor issued another press release, providing a more detailed description of just how intricate and nefarious Flame malware is.
According to the press release:
In collaboration with GoDaddy and OpenDNS, Kaspersky Lab succeeded in sinkholing most of the malicious domains used by Flame’s command and control (C&C) infrastructure. The following details summarize the results of the analysis:
- The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware’s existence last week.
- Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012.
- During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
- The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
- According to Kaspersky Lab’s sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America and Asia-Pacific.
- The Flame attackers seem to have a high interest in PDF, Office and AutoCad drawings.
- The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression.
- Windows 7 64 bit, which we previously recommended as a good solution against
Researches have yet to gain a full understanding of Flame, and it seems to be updating itself, according to Ellen Messmer in her article for Network World.
Microsoft discovered, on Jun. 3, 2012, a flaw in its certificate-registration process that could allow spoofing. It seems this flaw has been exploited for Flame’s purposes. As a result, Microsoft issued security advisory 2718704. Those who have their computers set up to automatically install updates can ensure that the latest update was installed on their computers in the System and Security section of the Microsoft control panel.
Kaspersky researchers will continue working to learn as much as they can about Flame and will continue to keep the public informed of any new developments.
Are you concerned about viruses, malware and unauthorized access into your business network? Give us a call and we can help you with all your IT security needs.