
Flame authors force self-destruct

After Flame was exposed publicly and partially compromised, the malware's authors apparently retained enough control to make it almost disappear.

ZDNet Australia staff Special to CNET News

Flame malware is named after one of the main modules it uses to spread. (Image: Securelist)
Amid the exposure of Flame, its authors appear to be going to ground, using what control they have of the malware to force it to self-destruct and disappear (almost) without a trace.

Earlier this week, Kaspersky Lab noted that within hours of researchers announcing the discovery of Flame, the command and control infrastructure behind the malware went dark. This infrastructure mattered because Flame is initially configured to contact a number of these servers and then run the control scripts they serve. However, by 28 May -- the day that Flame's details began to emerge -- requests for these scripts were met with HTTP 403/404 errors, hampering efforts to learn more about the servers behind the malware.

Kaspersky Lab, with the assistance of GoDaddy and OpenDNS, attempted to sinkhole the malware; however, Symantec noted that this effort was only partially successful -- Flame's authors still had control of a few command and control servers -- enough to communicate with some of the infected computers. "[Flame's authors] had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider," Symantec wrote on its blog.

Read more of ZDNet Australia's "Flame lights its own self-destruct fuse."