Updated 19 May, 2013, 5:16 pm IST
Kaspersky Lab's analysis of Flame virus points to more malware
by tech2 News Staff
Kaspersky Lab has revealed the results of new research into the widely reported, sophisticated, nation-state sponsored Flame cyber-espionage campaign. An official statement says that during the research, carried out by Kaspersky Lab together with the International Telecommunication Union's cyber security executing arm IMPACT, CERT-Bund/BSI and Symantec, several Command and Control (C&C) servers used by Flame's creators were examined in detail. According to the statement, analysing the C&C servers shed light on "groundbreaking facts about Flame".
A new threat, Flame Virus
Following the analysis, traces of three as yet undiscovered malicious programs were found, and it was established that development of the Flame platform goes back to December 2006.
The official statement puts forth the major findings of the analysis as follows:
The widely reported Flame cyber-espionage campaign was originally discovered in May 2012 by Kaspersky Lab during an investigation initiated by the International Telecommunication Union. On discovery of the campaign, ITU-IMPACT moved quickly and issued an alert to its 144 member nations, along with the appropriate remediation and cleaning procedures.
The findings add, "The complexity of the code and confirmed links to developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation. Originally it was estimated that Flame started operations in 2010, but the first analysis of its Command and Control infrastructure (covered by at least 80 known domain names) shifted this date two years earlier."
The findings in this particular investigation are based on analysis of content retrieved from several C&C servers used by Flame. Interestingly, the information was recovered despite the fact that Flame's control infrastructure went offline immediately after Kaspersky Lab disclosed the existence of the malware. "All servers were running the 64-bit version of the Debian operating system, virtualized using OpenVZ containers. Most of the servers' code was written in the PHP programming language. Flame's creators used certain measures to make the C&C server look like an ordinary Content Management System, in order to avoid attention from the hosting provider," it added.
Reportedly, the encryption methods used were sophisticated, ensuring that no one but the attackers could receive the data uploaded from infected machines. Analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, only one of which was compatible with Flame. This means that at least three other types of malware used these Command and Control servers. There is enough evidence to prove that at least one Flame-related malware is operating in the wild; these unknown malicious programs are yet to be discovered.
Worryingly, the analysis also found signs that the platform is still under development: a new and as yet unimplemented protocol called the 'Red Protocol' was found on the servers. The latest modification of the servers' code was made on May 18, 2012 by one of the programmers.
"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers. Flame's creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data than one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale," commented Alexander Gostev, Chief Security Expert, Kaspersky Lab.
Tags: Flame Virus, Kaspersky Lab, Kaspersky Antivirus, Stuxnet virus, Malicious software, Cyber Crime, Data Theft, Cyber Weapon, Duqu Virus, Eugene Kaspersky, state sponsored attack, flame state sponsored, kaspersky labs