Flame virus wiped from computers by suicide command
By Kazi Stastna, CBC News
Posted: Jun 8, 2012 10:51 AM ET
Last Updated: Jun 12, 2012 9:07 AM ET
The makers of the massive Flame computer virus unleashed against Iran, Israel and other countries and made public last week by cybersecurity experts have deployed a suicide code intended to wipe it from some infected machines.
The computer security firm Symantec reported that while monitoring the virus's activity, staff noticed that some of the command-and-control (C&C) servers that control the virus had deployed a file designed to remove all traces of it from several computers infected with Flame, also known as Flamer or sKyWIper.
"Compromised computers regularly contact their pre-configured control server to acquire additional commands," Symantec wrote in a blog post earlier this week. "Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer."
This specific suicide code was created on May 9, just a few weeks before the existence of Flame was made public, and deployed on June 3.
Symantec said that although similar wipe commands had likely been issued before, it was the first time that such a command was spotted since Flame was discovered.
"It's really interesting for us to see that even after the attention that the threat has gotten, the operators were still determined to go ahead and try to wipe out the infections from wherever they could by throwing caution to the wind and taking a risk of being identified by going over to these servers, logging in and sending down a command," said Vikram Thakur, a researcher with the computer security firm Symantec.
Caught in honey trap
Symantec managed to catch the remote wipe in action by setting up so-called honeypots, computers that are deliberately infected with Flame so that analysts can observe the virus communicate with its C&C servers.
Cybersecurity experts have identified more than 80 domains associated with the Flame malware that were registered between 2008 and 2012 in various countries, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the U.K. and Switzerland.
The domains correspond to a smaller number of dedicated C&C servers, some of which have been shut down by law enforcement agencies in the time since the virus was identified.
Photo: Eugene Kaspersky, chairman and CEO of Kaspersky Labs, one of the computer security labs that uncovered the Flame virus, speaks at a cybersecurity conference at Tel Aviv University on June 6, 2012. (Baz Ratner/Reuters)
"Each of these virus files that we've obtained contains anything between four and maybe 10 different command and control servers, so the malware authors included some sort of redundancy in their own program thinking that it's possible that one or two of these servers might be unreachable at some point," Thakur said.
The servers commanding the virus have likely been leased or bought from small hosting providers, Thakur said, in order to minimize the likelihood of them being traced to the creators of the malware, who in the case of Flame, are suspected to be intelligence agencies of one or more nation states.
"No agency who is creating these kind of pieces of malware would ever host the command and control server on their own infrastructure or, essentially, any infrastructure that could be attributed to them," Thakur said.
"The key for them is to remain as anonymous as possible, so they pick small vendors who will typically be unresponsive to abuse notices, who might even be difficult for different investigative agencies to locate and get in touch with, and even if they do try to do so, the damage is already done by then."
The recent remote removal of Flame from some computers doesn't mean the virus has been wiped out completely, says Thakur. Security experts and law enforcement agencies are still detecting communication between infected computers and the domains they have identified as being associated with the malware.
Flame does damage in many ways
Computer experts at the Moscow-based Kaspersky Lab, Iran's Maher Computer Emergency Response Team Co-ordination Centre (CERT) and the Budapest University of Technology and Economics in Hungary uncovered Flame while trying to trace a piece of malware that was deleting sensitive information from computers in Europe and the Middle East.
What they found was a powerful, previously undetected virus that was much bigger and more damaging than the infamous Stuxnet worm, which had knocked out the systems controlling centrifuges at Iran's nuclear enrichment facility in Natanz in 2010.
Photo: Researchers work at the Idaho National Laboratory, a government cyber defence lab in Idaho Falls. U.S. President Barack Obama's administration has taken an increasing interest in combating cyberattacks but, a recent book alleges, has also stepped up its own use of cyberweapons. (Chris Morgan/Idaho National Laboratory/Reuters)
The Flame virus is unique in its ability to steal information in a variety of ways, including by taking screenshots, recording audio, logging keystrokes, detecting passwords and intercepting Bluetooth communication with other devices. It was deployed with a code that would allow its control servers to wipe it remotely if necessary.
Security experts estimate that Flame has been around possibly since as early as 2007, and that it was likely created by a nation state. To date, those tracking the virus have found that it has infiltrated machines in several Mideast countries, including Iran, Israel, Lebanon and Syria.
Iran's CERT admitted that the virus was likely behind a recent massive loss of data in the country but said it had devised an antidote to the worm.
Experts initially suspected that while the new virus shared some similarities with Stuxnet, it was probably created by someone else and deployed in parallel but not in conjunction with it.
But on June 11, cybersecurity researchers at Kaspersky Lab revised that analysis and said they had found evidence that the creators of the two viruses co-operated at least once and shared some source code.
Kaspersky expert Alexander Gostev said in a blog post that his company had identified a similarity between a subset of the code used in Flame and another set of code used in an early version of Stuxnet.
Stuxnet is believed to have been created by U.S. and Israeli intelligence agencies, a suspicion that surfaced again in a new book by New York Times journalist David E. Sanger.
With files from The Associated Press