The masterminds of the Flame malware campaign were at work on three other unidentified viruses, new research reveals. The findings offer further clues of the increasingly aggressive and broadening push by state-sponsored entities to deploy computer viruses on foreign networks, highlighting how the digital domain has grown increasingly militarized.
Flame is a computer espionage tool discovered this year that targeted computers in Iran and other countries in the Middle East. The structure of the virus bears similarities to Stuxnet, a worm that targeted Iranian nuclear systems and was widely believed to have been the handiwork of Israeli and U.S. entities.
Scrutiny of the command-and-control servers for Flame reveals that more than 10,000 machines were likely infected with the malware and that development work dated back as early as 2006. “Based on the code from the server, we know Flame was a project from a list of at least four,” according to a research note from Moscow-based antivirus company Kaspersky Lab. “The purpose and nature of the other three remain unknown.” The firm collaborated with antivirus provider Symantec, German CERT-Bund and security coalition group Impact Alliance.
One malware strain, codenamed SPE, is apparently “in the wild” because a handful of machines infected with it reached out to a sinkhole set up by Kaspersky. A sinkhole is a server that researchers place under a domain or address the malware expects to contact, so that infected machines connect to the researchers instead of to the attackers; Kaspersky's sinkhole was set up to receive check-ins from machines infected with Flame, and the SPE check-ins arrived at it as well.
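Triaging what arrives at a sinkhole is how a finding like the SPE check-ins is made: the noise (scanners, crawlers, malformed requests) is discarded, the remaining check-ins are grouped by whatever identifier the beacon carries, and anything outside the family the sinkhole was built for is flagged. The following is an added example, not code from the article or from Kaspersky; the access-log format, the `client=` query parameter and the family tags `flame` and `spe` are hypothetical stand-ins, and the log lines are constructed.

```python
"""Sinkhole log triage (added example; log format and beacon fields are hypothetical)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from a hypothetical sinkhole web server.
# Format: <ip> [<timestamp>] "<method> <path> HTTP/1.1" <status>
# The 'client=' parameter is an assumed stand-in for whatever identifier a
# real beacon carries; the real Flame protocol is not reproduced here.
SAMPLE_LOG = """\
203.0.113.10 [12/Sep/2012:10:01:02 +0000] "POST /cgi-bin/check.cgi?client=flame HTTP/1.1" 200
203.0.113.11 [12/Sep/2012:10:02:15 +0000] "POST /cgi-bin/check.cgi?client=flame HTTP/1.1" 200
198.51.100.7 [12/Sep/2012:10:05:40 +0000] "POST /cgi-bin/check.cgi?client=spe HTTP/1.1" 200
198.51.100.7 [12/Sep/2012:11:05:41 +0000] "POST /cgi-bin/check.cgi?client=spe HTTP/1.1" 200
192.0.2.44 [12/Sep/2012:12:00:00 +0000] "GET /robots.txt HTTP/1.1" 404
this line is not a valid log record
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d+)$'
)
CLIENT_RE = re.compile(r"[?&]client=(?P<family>[A-Za-z0-9_]+)")

# The family the sinkhole was stood up for; anything else is worth a closer look.
KNOWN_FAMILIES = {"flame"}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fam = CLIENT_RE.search(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "family": fam["family"] if fam else None,  # None = no beacon marker (noise)
    }


def summarize(log_text):
    """Group check-ins by family: distinct source hosts, check-in count, first-seen time."""
    stats = defaultdict(lambda: {"hosts": set(), "checkins": 0, "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["family"] is None:
            continue  # scanners, crawlers and malformed lines carry no beacon marker
        s = stats[rec["family"]]
        s["hosts"].add(rec["ip"])
        s["checkins"] += 1
        if s["first_seen"] is None or rec["ts"] < s["first_seen"]:
            s["first_seen"] = rec["ts"]
    return dict(stats)


def unexpected_families(stats, known=KNOWN_FAMILIES):
    """Families that checked in but that the sinkhole was not built for."""
    return sorted(f for f in stats if f not in known)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for family, s in sorted(summary.items()):
        print(f"{family}: {len(s['hosts'])} host(s), {s['checkins']} check-in(s), first seen {s['first_seen']}")
    print("unexpected:", unexpected_families(summary))
```

The distinct-host count matters more than the raw check-in count: a single host beaconing every hour inflates the latter, while the former is what supports a claim such as “a handful of machines infected with it reached out.”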
The Kaspersky researchers also said that tools on the Flame command-and-control servers were similar to those used by the operators of Duqu, an espionage malware that has infected Sudanese and Iranian machines. “It appears that the people who managed the C&Cs [command and controls] are more familiar with RedHat systems. This reminds us of the Duqu C&Cs which were all based on RedHat CentOS,” according to a Kaspersky note. Red Hat is a commercial Linux vendor; CentOS is a freely available rebuild of its enterprise Linux distribution.
The researchers said that while the Flame control panel interface was designed to look “generic and unpretentious,” much like the systems used by amateurish hacktivist groups to launch sloppy botnet attacks, signs abounded of a deliberately executed campaign.
Three people, working under a particularly adept lead coder, were responsible for developing the command-and-control software. Data harvested from infected machines was heavily encrypted.