Kaspersky reports 3 more Flame-related malware variants

Kaspersky Lab and its partners say at least one of the new malware strains is still operating in the wild, and claim to have traced the campaign back to 2006.

Rachel King Staff Writer
Rachel King is a staff writer for ZDNet based in San Francisco.

Kaspersky Lab has published an update in its investigation of the Flame cyber-espionage campaign, which the security experts discovered in May.

The research, which Kaspersky conducted in partnership with IMPACT, CERT-Bund/BSI and Symantec, identified traces of three previously undiscovered malicious programs.

Specifically, Symantec has highlighted forensic analysis of two of the command-and-control (C&C) servers behind the W32.Flamer attacks that targeted the Middle East earlier this year.

Here's what the group found after analyzing the C&C servers:

  • The two servers were set up on March 25, 2012, and May 18, 2012.
  • The servers controlled at least a few hundred compromised computers over the next few weeks of their existence.
  • The server set up in March collected almost 6 GB of data from compromised computers in a little over a week. The May server only received 75 MB of data, as it was used to distribute one command module to the compromised computers.

As for the three Flame-related programs, Kaspersky said at least one of them is currently operating in the wild, though no one has yet identified it. There isn't any evidence that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.

Kaspersky posted the detailed Flame analysis on its Securelist blog. Essentially, the attackers used a web application that enabled them to upload packages of code, deliver them to compromised computers, and then download packages containing stolen client data.

The researchers believe that this malware has been under development by a group of at least four developers since at least December 2006. They also found that the same servers have probably been used for more attacks than just the ones covered in this report, and that the attackers used multiple encryption techniques and periodically tried to securely wipe data from the servers.

That suggests the group behind the W32.Flamer attacks is quite sophisticated. In fact, Kaspersky concluded its report by noting that the findings reinforce "our initial conclusions that Flame is a nation-state sponsored attack."

This item first appeared on ZDNet's Zero Day blog under the headline "Kaspersky Lab: Flame cyber-espionage campaign dates back to 2006."