Kaspersky: Flame Has Three Unidentified Malware Siblings

By Wolfgang Gruener
published

After discovering that the authors of Stuxnet and Flame have been in contact and both malwares have been, most likely, been developed under government authority, we learned today that the rabbit hole is much deeper than we thought.

There are at least three more viruses related to Flame that have not been found yet.

In a rather comprehensive analysis, the security experts at Kaspersky published new and additional information about the timeline of the Flame virus, its control mechanism and servers as well as the fact that there are more viruses that have yet to be found. It appears that Flame was managed via a web-based control panel called "newsforyou", a name that is commonly used for admin panels by content monetization services. Once in the admin system, Kaspersky found a relatively simple control panel that revealed command capability, as well as access to stored stolen data. In its simplicity, the panel looks very generic, but purpose-focused without typical hacker gimmicks and graphics. In its appearance it is rather inconspicuous.

"The [command and control] developers didn't use professional terms such as bot, botnet, infection, malware-command or anything related in their control panel," Kaspersky said. "Instead they used common words like data, upload, download, client, news, blog, ads, backup etc. We believe this was deliberately done to deceive hosting company sys-admins who might run unexpected checks."

Kaspersky found in its investigation that Flame is much older than originally believed, with some files dating back to 2006. At least four different developers, which left traces of their online names, worked on Flame. Most interestingly, Kaspersky found hints of three more viruses, abbreviated as SP, SPE and IP. None of these viruses have been discovered yet and at least one of them is believed to be still in operation today.

Flame itself has been very damaging to the victims and potentially very beneficial to the attackers. About 5.5 GB of data was extracted on a weekly basis. The server logs of one of two servers showed 3,702 computers were infected in Iran, 1,280 in Sudan. Infection rates in other countries were below 100 each. Kaspersky estimates that more than 10,000 computers were infected in total. In its conclusion the security firm said that the analysys is "reaffirming [Kaspersky's] initial conclusions that Flame is a nation-state sponsored attack. Based on the code from the server, we know Flame was a project from a list of at least four. The purpose and nature of the other three remain unknown."

Contact Us for News Tips, Corrections and Feedback

Wolfgang Gruener
9 Comments Comment from the forums
  • A Bad Day
    So, will critical infrastructures (including hospitals) get Friend or Foe Identification?
    Reply
  • A Bad Day
    Will Cyberwarfare eventually become destructive as EMP weapons or even nukes?...
    Reply
  • A Bad Day
    Why does this website take so long to update the comment section?
    Reply
  • mistigrisvicar
    http://goo.gl/0Pdku
    Reply
  • jprahman
    I would expect there to be even more elements involved than what the investigation up to this point has revealed. All in all this was a pretty impressive attack.
    Reply
  • adgjlsfhk
    I'm saying Israel is behind it. Seems a lot like their type of attack. Also, their the only ones who really care about Iran's nuclear program that would not march in. I think one of the 4 was the virus that screwed up the reactors, and that this ones purpose was to track Iran's progress towards getting nukes.
    PS I am not antisemitic, I'm actually Jewish.
    Reply
  • huron
    Strange...I had read that the US worked with Israel on both Flame and Stuxnet. There was an article in the NY Times as well as other places detailing the admission of sanctioning of the Cyber Attacks.
    Reply
  • Usersname
    MOSSAD
    Reply
  • COLGeek
    Only The Shadow knows.......
    Reply