Flame-related malware detected in the wild

Share this article:

One of three newly detected strains of malware, linked to the authors of Flame, is already operating in the wild, according to new research on the cyber espionage campaign.

Recent findings also date the development of Flame's command-and-control platform as far back as December 2006.

Flame, which has targeted victims primarily in Iran, is thought to be the creation of a nation-state due to the resources needed for the large-scale, sophisticated attacks.

Malicious capabilities of Flame, believed to be related to Stuxnet and Duqu, include screenshot-capturing and keystroke-logging features, as well the ability to engage microphones to record victims' conversations. The malware is also designed to uninstall itself from computers after stealing information.

Researchers at Kaspersky Labs and Symantec have both published reports on the new Flame developments.

In a Symantec blog post, it was revealed that one Flame server, set up in March, had collected nearly 6 GB from infected computers in a week's time.

Vikram Thakur, a principal security response manager at Symantec, told SCMagazine.com on Monday that the data-stealing feat put Flame in a league of its own.

“[This] is significantly larger than any data-stealing software we've come across, as far as impact on a daily or even yearly basis,” said Thakur. “No other malware extricates this amount of information. We don't see this happening.”

Kaspersky's blog post highlighted the massive amount of files stolen from more than 5,000 machines, bringing the estimated count of Flame victims to more than 10,000. Researchers were able to measure the amount of stolen files due to a mistake by the attackers, in which they left behind files that would have normally been deleted.

“On one of the servers, the attackers forgot to delete the HTTP logs,” said the blog post. "This allowed us to get an idea of how many victims connected to the server."

The information gathered during the week between March 25 and April 2 showed that of the 5,377 unique IPs that connected to the server, the majority of machines, nearly 4,000, were in Iran.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.