The controllers of the Flame malware have apparently reacted to the publicity surrounding the attack by sending a self-destruct command.
According to Symantec, some command-and-control machines have sent a command designed to wipe Flame from compromised computers.
The command, which Symantec has dubbed “urgent suicide”, was captured on honeypots (since an ordinary machine would have the malware removed without the user noticing).
The C&C server shipped a file called browse32.ocx, which acts as a Flame uninstaller, complete with a list of files and folders to be deleted. After deletion, the module overwrites the disk with random characters. As Symantec notes, the uninstaller “tries to leave no traces of the infection behind”, in an attempt to thwart anyone capturing and analyzing the malware.
The module is instructed to remove more than 160 files and four folders. Symantec says Flame had originally shipped with a suicide module, and they don’t know why a new suicide module was used.
“The version of this module that we have was created on May 9, 2012,” Symantec’s post notes, which was “just a few weeks” before the malware became known. ®