Forensic analysis of two command-and-control servers for the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected - and has links to other mystery software nasties.
Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations' International Telecommunication Union.
The malware, which infected Microsoft Windows computers across the Middle East, came to light in May when the Iranian authorities found it siphoning off data to foreign handlers.
Over the past six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks, using multiple encryption techniques and periodically wiping data from the PCs to hide its activities.
Despite these efforts, the well-funded Flame handlers left behind a number of clues. "The C&C servers were disguised to look like a common content management system to hide the true nature of the project from hosting providers or random investigations," a statement by Kaspersky Lab explained. "The servers were able to receive data from infected machines using four different protocols; only one [was used by] computers to attack with Flame.
"The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created. Their nature is currently unknown."
The command-and-control infrastructure associated with Flame has since been dismantled.
"They [the command servers] are all dead," Costin Raiu, senior security researcher at Kaspersky Lab, told El Reg. "About 35 C&C servers were active during the past two to three years, I believe five or six were active in May 2012."
Flame's control systems went offline immediately after Kaspersky Lab first unearthed the malware. All the command servers ran the 64-bit flavour of the Debian GNU/Linux operating system, virtualised using OpenVZ containers and disguised to look like an ordinary web publishing system. Only the team behind the malware would have been able to read the heavily encrypted data uploaded to the systems.
"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its command-and-control servers," said Alexander Gostev, chief security expert at Kaspersky Lab. "Flame’s creators are good at covering their tracks. But one mistake by the attackers helped us to discover more data that one server intended to keep.
"Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale."
There's no evidence to suggest that Flame's command servers were used to control other known cyber-weapons - such as Stuxnet or Gauss - but they were used to operate a mystery malware strain, codenamed "SPE" by its authors. Kaspersky set up a sinkhole to capture internet traffic generated by SPE, establishing that the malware was in the wild and attempting to communicate with the wider world. By contrast, the two other unidentified Flame-related malicious programs (SP and IP) were not generating traffic and were generally inactive at the time of the May 2012 takedown.
A complete run-down of the main findings from the Kaspersky-Symantec analysis can be found here.
The Flame espionage campaign was unearthed in May 2012 by Kaspersky Lab during an investigation initiated by the International Telecommunication Union. Flame stealthily takes screenshots and snoops on network traffic and keystrokes, and even records audio conversations, before uploading this sensitive data to servers. The malware spread across the Middle East, but most of the victims were located in Iran.
Flame weighs in at a monster 20MB - 40 times larger than Stuxnet, a lightweight itself by malware standards. This led to accusations that the spying toolkit was nothing more than boring bloatware until it emerged that the malware used a clever MD5 hash collision attack to create counterfeit Microsoft security certificates, allowing malicious software posing as legitimate Windows Update downloads to be installed.
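The certificate trick above worked because a Microsoft-chained certificate was still being signed with MD5, an algorithm for which chosen-prefix collisions were already practical. The defensive takeaway is to refuse to trust any certificate in a chain whose outer signature uses MD5 (or, today, SHA-1). The following is an added example, not code from the article or from Kaspersky or Symantec: a standard-library-only check that walks the outer DER layout of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue), decodes the signatureAlgorithm OID and flags weak algorithms. The certificates it inspects are constructed skeletons with dummy bodies, built by the `make_skeleton_cert` helper purely so the example runs offline; the OID table and the DER/OID encoding rules are standard.

```python
"""Flag X.509 certificates whose outer signatureAlgorithm is MD5/MD2/SHA-1.

Added example (not from the article, Kaspersky or Symantec). Uses only the
standard library. A minimal DER reader walks the outer Certificate SEQUENCE
(tbsCertificate, signatureAlgorithm, signatureValue) and decodes the OID in
the AlgorithmIdentifier. Sample certificates are constructed skeletons with a
placeholder body, not real certificates.
"""

# Standard PKCS#1 signature-algorithm OIDs that a modern chain should not use.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos.

    Handles single-byte tags and short/long definite lengths, which is all the
    outer Certificate structure needs.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    cur = 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID from the certificate's outer AlgorithmIdentifier."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)          # tbsCertificate (skipped)
    tag, alg_id, _ = _read_tlv(cert_body, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)


def check_chain(chain_der):
    """Return (index, oid, name) for every certificate signed with a weak algorithm."""
    findings = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        if oid in WEAK_SIGNATURE_OIDS:
            findings.append((i, oid, WEAK_SIGNATURE_OIDS[oid]))
    return findings


# --- constructed sample data (DER encoder used only to build test skeletons) ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_skeleton_cert(sig_oid):
    """Constructed skeleton: placeholder tbsCertificate, real AlgorithmIdentifier."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # dummy body, not a valid TBS
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 16)                 # dummy signature bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Constructed chain: a SHA-256 leaf under an MD5-signed intermediate.
    chain = [make_skeleton_cert("1.2.840.113549.1.1.11"),
             make_skeleton_cert("1.2.840.113549.1.1.4")]
    for idx, oid, name in check_chain(chain):
        print(f"cert[{idx}] signed with weak algorithm {name} ({oid})")
```

On real input, feed `check_chain` the DER bytes of each certificate in the presented chain (for example from `ssl.DER_cert_to_PEM_cert`'s inverse, `ssl.PEM_cert_to_DER_cert`, or a code-signing catalog); the reader deliberately does not validate the rest of the certificate, so it is a pre-filter to run before normal chain validation, not a replacement for it.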
Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned cyber-weapon Stuxnet, codenamed Olympic Games. Flame was described as a reconnaissance tool that was used to map networks associated with Iran's controversial nuclear enrichment programme. This information was then used in the Stuxnet cyber-sabotage mission targeting the country's nuclear enrichment centrifuges.
The joint Symantec and Kaspersky research shows Flame has been around for years, consistent with this theory although hardly proving it. The security research boffins would only say the data suggests Flame was created by an advanced nation-sponsored group with plenty of cash. A component in an early build of Stuxnet appears in Flame as a plugin. Despite this link, Stuxnet and Flame are not regarded as close relatives. ®