New in-the-wild malware linked to state-sponsored Flame targeting Iran

The operators behind Flame, the highly advanced espionage malware that targeted Iran, began their campaign no later than 2006 and supported three other pieces of malicious software, one of which is still circulating on the Internet, researchers said.

The revelations are the result of a forensic investigation of control servers used to help execute the Flame operation. They show the state-sponsored campaign was even more far-reaching than previously believed. The servers were disguised as publishing platforms running a fictitious content management application called Newsforyou and were programmed to destroy hard-drive data to prevent the espionage from ever coming to light. They also used strong cryptography to prevent lower-level operators from controlling infected computers or viewing the contents of data that was extracted from them.

A series of administrative errors left some of the data intact, allowing researchers to extract new evidence that further underscores the sophistication and magnitude of the operation. Key among the undeleted data is the names or code names of four of the people who developed code for the platforms, some as early as 2006. Previous research pegged the start date no later than 2008.

Separately, the recovered data showed that a single server, which was set up on March 25, managed to siphon almost six gigabytes worth of data from its targets in just eight days. Combined with evidence suggesting it was only one of many almost identical servers run by the same group, researchers say they believe the number of Flame victims alone likely exceeded 10,000. The total amount of data they lost is almost incomprehensible.

"That's pretty staggering," said Vikram Thakur, a researcher with Symantec Security Response, referring to the 5.5 gigabytes of data collected by one of two servers he analyzed. "If the attackers actually continued their operations in a similar manner or with high frequency over the past five years they probably have terabytes of information collected from pretty much whoever they chose. That's a lot of information that they could make use of. That would be every target's life history a few times over." The Symantec report he helped prepare is here.

The joint investigation by researchers from Symantec and competing antivirus provider Kaspersky Lab analyzed disk images of two or more command and control servers, at least one of which was owned by an unidentified European company with data centers located in another European Union country. Compared with most control panels used to manage large armies of infected computers, the Newsforyou interface was so sparse that it appeared to be in an early, "alpha" stage of development. But it turned out the absence of overt features for infecting or conducting other botnet-related activities was an attempt to conceal its activities.

"The C&C developers didn't use professional terms such as bot, botnet, infection, malware-command, or anything related in their control panel," a report published on Monday by Kaspersky Lab explained. "Instead they used common words like data, upload, download, client, news, blog, ads, backup etc. We believe this was deliberately done to deceive hosting-company sys-admins who might run unexpected checks."

Kaspersky researchers' reached that assessment after they dissected logs that showed how the back-end server software securely communicated with Flame-infected computers. It used a custom-developed communications scheme dubbed Oldprotocol to upload and download data in an encrypted format that could only be decrypted by people with keys not stored on the server. This allowed the Flame operators to establish a highly regimented distinction of roles within the organization. Administrators could set up and maintain servers, but they had no control over what updates were pushed to infected clients or access to the sensitive data that was collected from them.

As a result, attack operators could download stolen data in encrypted form, but only offline attack coordinators with encryption keys had the ability to decrypt and analyze the data.

The OldProtocol scheme used for Flame, it turns out, is only one of four communications protocols supported with the Newsforyou software, researchers from both AV companies said. Separate protocols dubbed OldProtocolE, SignupProtocol, and RedProtocol were designed to interact with substantially different pieces of malware that have yet to be identified. Significantly, so-called "sinkhole" servers deployed by Kaspersky to intercept connections from Flame-infected computers have received connections from machines compromised by a completely different malware they've dubbed "SPE" that works with the OldProtocolE scheme.

A development timeline of the Newsforyou software that formed the guts of the Flame command and control server. It shows the operation was active in 2006, about two years earlier than previously established.

Credit: Kaspersky Lab

"Therefore, we can confirm the malware known as 'SPE' exists and is currently in-the-wild," Kaspersky researchers wrote. They also found that the RedProtocol had not yet implemented, an indication that the capabilities of the back-end system were continuing to evolve as recently as May, when one of the control servers was deployed. Little is known about the remaining SignupProtocol, other than it appeared to work with a little-known client dubbed IP.

Botched Suicide Mission

One of the two servers analyzed by Symantec was deployed on May 14, two weeks before the discovery of Flame became public. Unlike the command channel from March, it hosted a new Flame module dubbed "SHREDER" that, as previously reported, instructed Flame-infected computers to remove all traces of the malware. Thakur, the Symantec researcher, told Ars he believes the server was deployed after Flame actors were racing the clock shortly after learning their operation had become public. In their hurry, Thakur believes they made crucial mistakes that left key evidence leading to these latest discoveries.

"On the server which was operating in May, we know that the operators and people behind that server were in a big rush, such a big rush that they didn't set up the server properly," he explained. "It just goes to show that these people were totally human and prone to errors."

Other control servers also appear to have made critical mistakes. The Newsforyou application executed a script every two minutes that moved any newly collected data to an encrypted archive folder, where it could be accessed by senior members of the operation. It also regularly called a python-based script that was supposed to permanently remove all temporary files on the server to prevent any forensic examiners from extracting clues about these activities. But because of a typo, the Eraser.py file never executed. The folder name included in a script that called the file pointed to a directory called "pycleaner," while the file's location was in a directory called "pycleanscr." The operators made other critical mistakes, such as failing to destroy a bash history file that showed Unix-based commands the administrators issued.