After discovering that the authors of Stuxnet and Flame had been in contact, and that both pieces of malware were most likely developed under government authority, we learned today that the rabbit hole is much deeper than we thought.
In a rather comprehensive analysis, the security experts at Kaspersky published new and additional information about the timeline of the Flame malware, its command-and-control mechanism and servers, as well as the fact that there are more pieces of related malware that have yet to be found. It appears that Flame was managed via a web-based control panel called "newsforyou", a name of the kind commonly used for admin panels by content monetization services. Once inside the admin system, Kaspersky found a relatively simple control panel that exposed command capability as well as access to the stored stolen data. The panel looks generic and purpose-focused, without the typical hacker gimmicks and graphics, which makes it rather inconspicuous in appearance.
"The [command and control] developers didn't use professional terms such as bot, botnet, infection, malware-command or anything related in their control panel," Kaspersky said. "Instead they used common words like data, upload, download, client, news, blog, ads, backup etc. We believe this was deliberately done to deceive hosting company sys-admins who might run unexpected checks."
Kaspersky found in its investigation that Flame is much older than originally believed, with some files dating back to 2006. At least four different developers, who left traces of their online handles, worked on Flame. Most interestingly, Kaspersky found hints of three more pieces of malware, abbreviated as SP, SPE and IP. None of these has been discovered yet, and at least one of them is believed to be still in operation today.
Flame itself has been very damaging to the victims and potentially very beneficial to the attackers. About 5.5 GB of data was extracted on a weekly basis. The logs of one of the two servers showed 3,702 infected computers in Iran and 1,280 in Sudan; infection counts in other countries were below 100 each. Kaspersky estimates that more than 10,000 computers were infected in total. In its conclusion the security firm said that the analysis is "reaffirming [Kaspersky's] initial conclusions that Flame is a nation-state sponsored attack. Based on the code from the server, we know Flame was a project from a list of at least four. The purpose and nature of the other three remain unknown."