Flame malware used domain names registered with fake names to communicate with infected computers in the Middle East for at least four years, researchers said.
Someone began creating the 86 domains and more than 24 IP addresses that host the command-and-control (C&C) servers as early as 2008, using fake identities and addresses in Austria and Germany to register them with GoDaddy and others, said Roel Schouwenberg, senior researcher at Kaspersky Lab. He said he thought the malware’s creators used stolen credit cards for the transactions.
The IP addresses point to hotels, doctor’s offices and other non-existent businesses, while the C&C servers are in Germany, the Netherlands, U.K., Switzerland, Hong Kong, Turkey, Poland and Malaysia, according to Kaspersky.
“We definitely can’t be sure” who is behind the attack, said Dan Hubbard, chief technology officer at OpenDNS, which has been working with Kaspersky on the research into the C&C infrastructure. “This has been very well planned and it’s been well executed.”
Believed to be a cyber espionage toolkit, Flame leaves a backdoor on computers and has at least 20 known modules that can mix and match to steal documents, sniff network traffic, record audio communications and take screenshots, among other things. The 20MB of code can propagate through a network and it has infected an estimated 1,000 computers, mostly in the Middle East.
Details about Flame are coming out as researchers analyze the code. For instance, some Flame components spoofed a Microsoft security certificate for Terminal Server to trick computers into accepting the software as legitimate. Microsoft is releasing a security patch to plug the hole in Terminal Server, which is for remote desktop connections.
To create a sinkhole for research purposes, GoDaddy took 30 of the domains offline and put up researcher-controlled servers to receive communications from infected computers. About 50 percent of the connections to the researchers’ sinkhole are from Windows 7 machines, 45 percent are Windows XP and just fewer than five percent are running Windows Vista, Schouwenberg said.
The computers use a password of “LifeStyle2” when communicating with the C&C servers. Data uploads in small 8-kilobyte chunks, probably to accommodate slow Internet speeds in the Mideast, Schouwenberg said.
“What we can say is that Flame is indeed a sophisticated operation. The domains were clearly registered by people and not through a domain name generation algorithm,” Hubbard said. “And not only was the malware designed to send data in small packets, but the domains are disguised as regular Internet traffic. The most obvious reason is to go under the radar.”
The domains shut down about an hour or so after Kaspersky and others went public with their findings on Flame last Monday. However, the malware on several of the infected machines has updated since then to a newer version that could have additional functions, Schouwenberg said. “There is possibly some unknown backup system in place,” he said.
On Saturday, some domains started pointing to new IP address in Germany, Schouwenberg said, adding it was unclear if this was due to activity on the part of Flame creators or researchers. The IP addresses went offline the following day, he said.
The Flame creators are receiving PDF files, Microsoft Office documents and AutoCAD files, typically used to design things, “anything from turbines in the industrial field to designing buildings,” Schouwenberg said. This is circumstantial evidence that Flame was an operation run in parallel with the cyber espionage malware dubbed “Duqu.”
Kaspersky’s network registered 184 infected computers in Iran, 95 in Israel and Palestine, 32 in Sudan, 29 in Syria and 18 in Lebanon, according to statistics.