The mysterious Flame malware used domain names registered with fake names to communicate with infected computers in the Middle East for at least four years, researchers said today.
Someone began creating the 86 domains and more than 24 IP addresses that host the command-and-control (C&C) servers as early as 2008, using fake identities and addresses in Austria and Germany to register them with GoDaddy and others, Roel Schouwenberg, senior researcher at Kaspersky Lab, said in a Web conference with reporters this morning. He speculated that stolen credit cards were used for the transactions.
The IP addresses point to hotels, doctor's offices and other non-existent businesses, while the C&C servers are located in Germany, the Netherlands, U.K., Switzerland, Hong Kong, Turkey, Poland and Malaysia, according to Kaspersky.
"We definitely can't be sure" who is behind the attack, said Dan Hubbard, chief technology officer at OpenDNS, which has been working with Kaspersky on the research into the C&C infrastructure. "This has been very well planned and it's been well executed."
Believed to be a cyberespionage toolkit, Flame leaves a backdoor on computers and has at least 20 known modules that can be mixed and matched to steal documents, sniff network traffic, record audio communications and take screenshots, among other things. The 20MB of code can be instructed to propagate through a network and has infected an estimated 1,000 computers, mostly in the Middle East.
Details about Flame are coming out as researchers analyze the code. For instance, some Flame componentsfor Terminal Server to trick computers into accepting the software as legitimate. Microsoft is releasing a security patch to plug the hole in Terminal Server, which is used for remote desktop connections.
To create a sinkhole for research purposes, GoDaddy took 30 of the domains offline and put up researcher-controlled servers to receive communications from infected computers. About 50 percent of the connections to the researchers' sinkhole are from Windows 7 machines, 45 percent are Windows XP and just fewer than five percent are running Windows Vista, Schouwenberg said.
The computers use a password of "LifeStyle2" when communicating with the C&C servers. Data is uploaded in small 8-kilobyte chunks, probably to accommodate slow Internet speeds in the Mideast, according to Schouwenberg.
"What we can say is that Flame is indeed a sophisticated operation. The domains were clearly registered by people and not through a domain name generation algorithm," Hubbard wrote in a blog post today. "And not only was the malware designed to send data in small packets, but the domains are disguised as regular Internet traffic. The most obvious reason is to go under the radar."
The domains were shut down about an hour or so after Kaspersky and others went public with their findings on Flame last Monday. However, the malware on several of the infected machines has been updated since then to a newer version that could have additional functions, Schouwenberg said. "There is possibly some unknown backup system in place," he said.
On Saturday, some domains started pointing to new IP addresses in Germany, Schouwenberg said, adding that it was unclear if this was due to activity on the part of Flame creators or researchers. The IP addresses went offline the following day, he said.
The Flame creators are interested in receiving PDF files, Microsoft Office documents and AutoCAD files, which are typically used to design things, "anything from turbines in the industrial field to designing buildings," according to Schouwenberg. This is circumstantial evidence that Flame was an operation run in parallel with the cyber espionage malware dubbed "Duqu." Duqu is believed to have been created by the same team that developed Stuxnet, which experts widely believe the U.S. created to sabotage Iran's nuclear program. A New York Times report from last week .
Kaspersky's network has registered 184 infected computers in Iran, 95 in Israel and Palestine, 32 in Sudan, 29 in Syria and 18 in Lebanon, according to statistics published in a blog post today.