Flame virus wiped from computers by suicide command

The makers of the massiveFlame computer virusunleashed against Iran, Israeland other countries andmade publiclast week by cybersecurity experts have deployed a suicide code intended to wipe it from some infectedmachines.

The computer security firm Symantecreportedthat while monitoring the virus's activity, staffnoticed that some of the command-and-control (C&C) servers that control the virus had deployed afile designed to remove all traces of it from several computersinfected with Flame, also known as Flamer orsKyWIper.

"Compromised computers regularly contact their pre-configured control server to acquire additional commands," Symantec wrote in ablog postearlier this week. "Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer."

'Even after the attention that the threat has gotten, the operators were still determined to go ahead and try to wipe out the infections from wherever they could.' Vikram Thakur, Symantec

This specific suicide code was created on May 9,just a few weeks before the existence of Flame was made public, and deployed on June 3.

Symantec said that although similar wipe commands had likely been issued before, it was the first time that such a command was spotted since Flame was discovered.

"It's really interesting for us to see that even after the attention that the threat has gotten, the operators were still determined to go ahead and try to wipe out the infections from wherever they could by throwing caution to the wind and taking a risk of being identified by going over to these servers, logging in and sending down a command," said Vikram Thakur, a researcher with the computer security firm Symantec.

Caught in honey trap

Symantecmanaged to catchthe remote wipe in action by setting up so-called honeypots, computers that aredeliberately infected with Flame so that analysts canobserve the virus communicate with its C&C servers.

Cybersecurity experts have identified more than 80 domains associated with the Flame malware that were registered between 2008 and 2012 in various countries, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the U.K. and Switzerland.

The domains correspond to a smaller number of dedicated C&C servers, some which have been shut down by law enforcement agenciesin the time sincethe virus was identified.

"Each of these virus files that we've obtainedcontain anything between four and maybe 10 different command and control servers, so the malware authors included some sort of redundancy in their own program thinking that it's possible that one or two of these servers might be unreachable at some point," Thakur said.

The servers commanding the virushave likely been leased or bought from small hosting providers, Thakur said,in order to minimize the likelihoodof them being traced to the creators of the malware, who in the case of Flame, are suspected to be intelligence agencies of one or more nation states.

"No agency who is creating these kind of pieces of malware would ever host the command and control server on their own infrastructure or, essentially, any infrastructure that could be attributed to them,"Thakur said.

"The key for them is to remain as anonymous as possible, so they pick small vendors who will typically be unresponsive to abuse notices, who might even be difficult for different investigative agencies to locate and get in touch with, and even if they do try to do so, the damage is already done by then."

The recent remote removalof Flame from some computers doesn't mean the virus has been wiped out completely, says Thakur. Security experts and law enforcement agenciesare still detecting communication between infected computers andthe domains they have identified as being associated with the malware.

Flame does damage in many ways

Computer experts at the Moscow-based Kaspersky Lab, Iran's Maher Computer Emergency Response Team Co-ordination Centre (CERT) and the Budapest University of Technology and Economics in Hungary uncovered Flame while trying to trace a piece of malware that was deleting sensitive information from computers in Europe andthe Middle East.

What they found was a powerful, previously undetected virus that was much bigger and more damaging than the infamous Stuxnet worm, which had knocked out the systems controlling centrifuges at Iran's nuclear enrichment facility in Natanz in 2010.

The Flame virus is unique in its ability to steal information in a variety of ways, including by taking screenshots, recording audio, logging keystrokes, detecting passwords and intercepting Bluetooth communication with other devices. It was deployed with a code that would allow its control servers to wipe it remotely if necessary.

Security experts estimate that Flame has been around possibly since as early as 2007, and that it was likely created by a nation state. To date, those tracking the virus have found that it has infiltrated machines in several Mideast countries, including Iran, Israel, Lebanon and Syria.

Iran's CERTadmittedthat the virus was likely behind a recentmassive loss of datain the country but said it had devised an antidote to the worm.

Experts initially suspected that while the new virus shared some similarities with Stuxnet, it wasprobably created by someone else and deployed in parallel but not in conjunction with it.

But on June 11, cybersecurity researchers at Kaspersky Lab revised that analysis and said they had found evidence that the creators of the two viruses co-operated at least once and shared some source code.

Kaspersky expert Alexander Gostev said in ablog postthat his company had identified a similarity between a subset of the code used in Flame and another set of code used in an early version of Stuxnet.

Stuxnet is believed to have beencreated by U.S. and Israeliintelligence agencies, a suspicionthat surfaced againin anew bookby New York Times journalist David E. Sanger.