The makers of the massive Flame computer virus unleashed against Iran, Israel and other countries and made public last week by cybersecurity experts have deployed a suicide code intended to wipe it from some infected machines.
The computer security firm Symantec reported that while monitoring the virus's activity, staff noticed that some of the command-and-control (C&C) servers that control the virus had deployed a file designed to remove all traces of it from several computers infected with Flame, also known as Flamer or sKyWIper.
"Compromised computers regularly contact their pre-configured control server to acquire additional commands," Symantec wrote in a blog post earlier this week. "Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer."
'Even after the attention that the threat has gotten, the operators were still determined to go ahead and try to wipe out the infections from wherever they could.' — Vikram Thakur, Symantec
This specific suicide code was created on May 9, just a few weeks before the existence of Flame was made public, and deployed on June 3.
Symantec said that although similar wipe commands had likely been issued before, it was the first time that such a command was spotted since Flame was discovered.
"It's really interesting for us to see that even after the attention that the threat has gotten, the operators were still determined to go ahead and try to wipe out the infections from wherever they could by throwing caution to the wind and taking a risk of being identified by going over to these servers, logging in and sending down a command," said Vikram Thakur, a researcher with the computer security firm Symantec.
Caught in honey trap
Symantec managed to catch the remote wipe in action by setting up so-called honeypots, computers that are deliberately infected with Flame so that analysts can observe the virus communicate with its C&C servers.
Cybersecurity experts have identified more than 80 domains associated with the Flame malware that were registered between 2008 and 2012 in various countries, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the U.K. and Switzerland.
The domains correspond to a smaller number of dedicated C&C servers, some which have been shut down by law enforcement agencies in the time since the virus was identified.
"Each of these virus files that we've obtained contain anything between four and maybe 10 different command and control servers, so the malware authors included some sort of redundancy in their own program thinking that it's possible that one or two of these servers might be unreachable at some point," Thakur said.
The servers commanding the virus have likely been leased or bought from small hosting providers, Thakur said, in order to minimize the likelihood of them being traced to the creators of the malware, who in the case of Flame, are suspected to be intelligence agencies of one or more nation states.
"No agency who is creating these kind of pieces of malware would ever host the command and control server on their own infrastructure or, essentially, any infrastructure that could be attributed to them," Thakur said.
"The key for them is to remain as anonymous as possible, so they pick small vendors who will typically be unresponsive to abuse notices, who might even be difficult for different investigative agencies to locate and get in touch with, and even if they do try to do so, the damage is already done by then."
The recent remote removal of Flame from some computers doesn't mean the virus has been wiped out completely, says Thakur. Security experts and law enforcement agencies are still detecting communication between infected computers and the domains they have identified as being associated with the malware.
Flame does damage in many ways
Computer experts at the Moscow-based Kaspersky Lab, Iran's Maher Computer Emergency Response Team Co-ordination Centre (CERT) and the Budapest University of Technology and Economics in Hungary uncovered Flame while trying to trace a piece of malware that was deleting sensitive information from computers in Europe and the Middle East.
What they found was a powerful, previously undetected virus that was much bigger and more damaging than the infamous Stuxnet worm, which had knocked out the systems controlling centrifuges at Iran's nuclear enrichment facility in Natanz in 2010.
The Flame virus is unique in its ability to steal information in a variety of ways, including by taking screenshots, recording audio, logging keystrokes, detecting passwords and intercepting Bluetooth communication with other devices. It was deployed with a code that would allow its control servers to wipe it remotely if necessary.
Security experts estimate that Flame has been around possibly since as early as 2007, and that it was likely created by a nation state. To date, those tracking the virus have found that it has infiltrated machines in several Mideast countries, including Iran, Israel, Lebanon and Syria.
Iran's CERT admitted that the virus was likely behind a recent massive loss of data in the country but said it had devised an antidote to the worm.
Experts initially suspected that while the new virus shared some similarities with Stuxnet, it was probably created by someone else and deployed in parallel but not in conjunction with it.
But on June 11, cybersecurity researchers at Kaspersky Lab revised that analysis and said they had found evidence that the creators of the two viruses co-operated at least once and shared some source code.
Kaspersky expert Alexander Gostev said in a blog post that his company had identified a similarity between a subset of the code used in Flame and another set of code used in an early version of Stuxnet.
Stuxnet is believed to have been created by U.S. and Israeli intelligence agencies, a suspicion that surfaced again in a new book by New York Times journalist David E. Sanger.