More unknown Malware used alongside Flame

The Flame malware and its C&C infrastructure were analyzed in order to find additional data about its creators. As reported before, the malware was discovered by CrySyS researchers and Kaspersky Lab in May this year.

Symantec and Kaspersky Lab, together with CERT-Bund/BSI and ITU-IMPACT, announced new discoveries of malware that appears to have been developed in parallel with Flame and used alongside it.

Two of the C&C servers and the information found on them were analyzed, and a number of conclusions were drawn. According to Symantec researchers, both analyzed servers run the same control framework. One of the servers collected about 6 GB of information from compromised computers during a single week. The other server collected about 80 MB of data and was used to push one command module to the infected PCs. The first server was set up in March, the other in May.

The servers are accessed through a Web application called Newsforyou, which processes the data sent by the W32.Flamer client and provides a simple control panel. According to Kaspersky Lab experts, the developers of the C&C infrastructure did not use professional terms such as malware, infection or botnet in the control panel. Common words such as backup, blog, client, data, download and upload are used instead.

It was also discovered that the control panel application was not used exclusively for Flame. The application includes the option to communicate with computers infected with multiple malware identifiers using different protocols.

Of the four active protocols, only one is used by Flame. The malware using the other protocols is presumed to be either different malware or Flame variants. Researchers also claim that one of these unknown Flame-related malicious programs is still active.

According to Symantec, the servers were configured to record a minimum of data in case of discovery. Any unnecessary logging was disabled, entries in the database were deleted at regular intervals, and existing log files on the server were securely wiped on a regular basis. This was done to hinder any investigation of the servers.

Thanks to a set of encrypted records contained in the database, it became known that the compromised computers had been connecting from the Middle East. The nicknames of four authors were also recovered; they had worked on the malware code and on other aspects of the project, reportedly as early as 2006. This indicates that it is not well-funded criminals who are behind it, but rather a part of an intelligence or military operation. It is also known that the collected data was stored on the servers in an encrypted format, which it was not possible to decrypt.

GetAV.org