Jun 11, 2012 11:42 AM PT
The Flame malware has reportedly begun to self-destruct.
Some command-and-control (C&C) servers for the malware sent an order recently that completely removes it from infected systems, according to Symantec.
Why the self-destruct command was sent is not clear, although it could be that the malware's creators were afraid of detection, as cybersecurity experts had shut down most of their C&C servers.
Flame was designed to steal information, and "when you run covert operations, you get operatives out of the target area when their job is done or their presence is a risk to the operation," Randy Abrams, an independent security consultant, told TechNewsWorld. "This isn't a self-destruct command; it's more analogous to wiping out the trail."
Flame "is a very advanced, very targeted weapon," Tony Zirnoon, senior director of security strategy and marketing at VSS Monitoring , told TechNewsWorld. "It's changed the game from cybercrime to cyberwar."
Most of Flame's C&C servers had been shut down by last week, but its creators still controlled a few because they had retained control of their domain registration accounts, so they could host these domains with a new ISP, Symantec said.
These servers let the malware's creators communicate with a specific set of compromised systems.
Compromised computers regularly contact their C&C servers to ask for additional commands, and the servers that were still working shipped a file Symantec named "Browse32.ocx." This was, in essence, an uninstaller, Symantec said.
Without a Trace
The Browse32.ocx module has two parts. One, which Symantec named "EnableBrowser," was the initializer. It set up the environment prior to action. The other, "StartBrowse," actually wipes the files.
Browse32.ocx has a list of files and folders that are used by Flame, Symantec said. It locates every file on disk, removes it and overwrites the disk with random characters to prevent anyone from obtaining information about the files. This is recommended procedure for wiping a hard drive.
Symantec captured a version of the Browse32.0cs module created on May 9, shortly before Flame made the headlines. It's likely that previous versions of this module have been used in the past, Symantec said.
Goodbye Is Not Forever
It's possible that traces of Flame still reside on systems that the Browse32.ocx module apparently wiped. "If I was running a cyberespionage operation, I would certainly consider leaving modules on non-mission oriented computers for misinformation tactics," Abrams said.
Or, if infected computers were offline when the uninstaller module was sent out, they would not be affected, Abrams pointed out. An adverse interaction with other software could have prevented the removal command from working. Different versions of the malware might respond to different versions of the uninstaller, and so some might remain infected.
Further, "the removal of malware that arrives on a system using exploits will never assure the system hasn't been infected with something else," Abrams said. "This is true of all malware infections."
Microsoft has overhauled its Update feature, which Flame leveraged, to prevent further similar attacks.
However, operating systems are "so complex that it's difficult to know if all attack vectors have been found," Abrams warned. "Just like Apple Update or any other automated updating mechanism, there is always the potential for exploitation of unknown vulnerabilities."
The Evil That Men Do
Flame "is very advanced getting in, advanced getting out, and advanced in not leaving traces," VSS Monitoring's Zirnoon said. That could end up causing trouble for the United States and its allies.
"We won't go into who might have been responsible for creating it, but it's been targeting countries in the Middle East, and I wouldn't be surprised if somebody somewhere leverages [Flame's advanced capabilities] and targets European and Western financial institutions like what was done with Duqu," Zirnoon speculated.
Symantec did not respond to our request for more details.