Flame state-sponsored malware bigger than believed before; older too

The Flame (or Flamer) malware that targeted Iran and Sudan appears to be bigger and older than previously thought. The latest analysis also shows at least three other unknown but related malware projects, possibly at large. The analysts maintain their stance that this is a state-sponsored program.

In IT Blogwatch, bloggers are fascinated and also a little scared.

Flame malware

By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment.

Jeremy Kirk comes in peace:

The study found that the command-and-control mechanisms...may have been developed as far back as December 2006, making the malware much older than previously thought. ... Flame's command-and-control system handled three types of malware that have not been examined by researchers and whose purpose is unknown.


Flame may have collected as much as 5.5GB of compressed information in just a week. ... During a one-week period...3,702 unique IP addresses from Iran connected to [one] server...1,280 from Sudan.  MORE

John Leyden jars us awake with Flame's capacity to shock: [You're fired -Ed.]

Flame was built by a group of at least four developers as early as December 2006. ... The malware...came to light in May when the Iranian authorities found it siphoning off data.


Unnamed US officials [said Flame was] a reconnaissance tool...used to map networks associated with Iran's controversial nuclear enrichment programme. This information was used by Stuxnet [in the] centrifuge cyber-sabotage mission.  MORE

So Kaspersky's Dmitry Bestuzhev blogs the scary detail:

This investigation was done in partnership with Symantec, ITU-IMPACT and CERT-Bund/BSI. ... Source files analysis show that the C&C can understand several communication protocols to talk to different clients. ... A close look at these protocol handlers revealed four different types of clients. ...there are at least three other undiscovered cyber-espionage or cyber-sabotage tools created by the same authors.


One of the most valuable traces left by the developers in the scripts were their nicknames and internal timestamps. ...the first C&C files were created on 03 December 2006, [so it] is much older than we originally estimated. ...just one server handled 5000+ victims during a one-week period...[so] we can estimate the total number of victims for Flame is probably...exceeding 10,000. .  MORE

Meanwhilem Mikko Hyppönen speculates that Flame's authors are happy that its sophistication is becoming known:

We haven't seen real online warfare yet...because we haven't seen wars between technically advanced nations lately.


The main point of any arms race is to let your adversaries know about your capabilities so that they don't even think about starting a fight. ...it will eventually become as public as any other defense technology.  MORE

And Dan Goodin speaks of a "Botched Suicide Mission":

One of the two servers analyzed by Symantec was deployed...two weeks before the discovery of Flame became public. ...it hosted a new Flame module dubbed "SHREDER" that...instructed Flame-infected computers to remove all traces of the malware. ... In their hurry...they made crucial mistakes that left key evidence leading to these latest discoveries.


[It] regularly called a python-based script that was supposed to permanently remove all temporary files. ... But because of a typo, [it] never executed. The...script that called the file pointed to a directory called "pycleaner," while the file's location was..."pycleanscr." The operators made other critical mistakes, such as failing to destroy a bash history file.  MORE
Shop Tech Products at Amazon