Flame Malware Attempts To Thwart Detection With Suicide Code
June 8, 2012

A little more than a week after researchers at Kaspersky Lab discovered one of the “most sophisticated” viruses to date, the authors have sent it a “suicide code” so that it will self-destruct on certain infected computers, according to Symantec, which caught the command while monitoring booby-trapped computers.

The malware, called Flame, is a highly complex malicious tool that has actively targeted computers in the Middle East. The authors are now using what control they have of the virus to force it to self-terminate almost completely without a trace.

Flame was discovered after the UN's telecoms arm reached out to security firms to get help with identifying a virus stealing data from many Middle Eastern computers last month.

After uncovering the malware, Kaspersky Lab, with the assistance of GoDaddy.com and OpenDNS, attempted to take down the virus. But that move only had limited success, Symantec noted, stating that Flame's authors still had control of a few command and control servers.

“[Flame's authors] had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider,” Symantec wrote on its blog, adding that infected machines received a new module from the remaining command and control servers, which was used to cover Flame's tracks, keeping old data from being retrieved by others.

Symantec has continued to monitor Flame's movements closely using “honeypot” computers that report what happens when they are infected with a malicious program. And Flame is very malicious.

“Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated,” Alexander Gostev, Kaspersky Lab's head of global research and analysis, wrote in a blog post last week. “It pretty much redefines the notion of cyberwar and cyberespionage.”

The suicide command sent out by Flame's authors was meant to completely remove the virus from all infected machines. But because the authors do not have access to all their command and control servers, Symantec and other security firms will be able to continue to monitor how the virus works and hopefully find a way to track down the creators, taking down the virus for good.

The suicide command locates every Flame file on an infected PC and removes it. It then overwrites the memory locations with gibberish to thwart forensic examination. “It tries to leave no traces of the infection behind,” wrote Symantec.

The exact method of carrying out such an attack was first demonstrated in 2008 and the Flame creators came up with their own variation of the command.

“The design of this new variant required world-class cryptanalysis,” cryptoexpert Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam said in a statement, according to BBC News. That would mean that Flame was most likely created by a nation state rather than cyber criminals, he noted. Yet, it is not clear which nation could have created the program.

Security firm CrySyS, while analyzing infected PCs, uncovered a temporary file, DEB93D.tmp, that contains a SQLite database of NetBIOS name look-ups. The firm said the file could provide forensic teams with the ability to determine the names of all the computers Flame was able to see and possibly infect.

Researchers haven't been able to determine if leaving this file behind was an intended feature or an oversight by Flame's creators, but its existence is already being used as a temporary indicator of whether a computer is, or was, infected by Flame.
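A triage check for the indicator described above, as an added example that is not from the article or from any of the firms it quotes: it walks a directory tree (for instance a mounted disk image) for files named DEB93D.tmp, confirms the SQLite header, and lists tables with row counts without writing to the file. The article does not give the database schema, so the `lookups` table, the host names and the directory layout in the sample are constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

INDICATOR_NAME = "deb93d.tmp"          # file name from the article, lower-cased
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def inspect(path):
    """Return {table: row_count} if path is a readable SQLite 3 file, else None."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return None
    # mode=ro: never write to the file under examination (work on a copy anyway).
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        names = [r[0] for r in rows]
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""'))
                .fetchone()[0] for n in names}
    except sqlite3.DatabaseError:
        return None  # header matched but the body is damaged
    finally:
        con.close()

def scan(root):
    """Return sorted [(path, tables_or_None)] for every name match under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == INDICATOR_NAME:
                full = os.path.join(dirpath, name)
                hits.append((full, inspect(full)))
    return sorted(hits)

def make_constructed_sample(root):
    """Constructed test data: one SQLite file (made-up schema), one same-name decoy."""
    os.makedirs(os.path.join(root, "host_a"))
    os.makedirs(os.path.join(root, "host_b"))
    con = sqlite3.connect(os.path.join(root, "host_a", "DEB93D.tmp"))
    con.executescript("CREATE TABLE lookups (name TEXT);"  # hypothetical schema
                      "INSERT INTO lookups VALUES ('WKSTN-01'), ('FILESRV');")
    con.close()
    Path(root, "host_b", "deb93d.tmp").write_text("not a database")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(tmp)
        for path, tables in scan(tmp):
            print(path, "->", tables if tables is not None else "name match only")
```

A name match whose content is not SQLite is still reported, with `None` in place of the table listing, so an analyst can tell a bare file-name coincidence from a database worth examining.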

Symantec, noting a peculiar aspect of Flame's self-destruction, said it could have killed itself without downloading the creators' new module.

Kaspersky Lab's Costin Raiu noted on Twitter that he found a major bug in the module and wondered if anyone else has also found it, according to ZDNet.