Researchers unravel Flame's secrets
Kaspersky Lab has published a new report on the Flame trojan in which the company summarises research it has undertaken in conjunction with Symantec, the German Federal Office for Information Security (BSI) and the International Telecommunication Union's IMPACT alliance. The investigation of Command and Control (C&C) servers used by the creators of Flame revealed several new findings, including the discovery of three as yet unidentified malicious programs. The researchers also learned that the development of Flame dates back as far as December 2006.
Looking at the C&C servers, the researchers found them disguised as ordinary content management system installations, so that neither the hosting providers nor a casual inspection would take notice. The servers ran Debian 6 inside an OpenVZ container. Most of the control code was written in PHP and Python, backed by a MySQL database, and the installed Apache 2 web server served the control panel from a directory named /newsforyou/CP. The web interface itself looked deliberately bland, which the researchers likewise attribute to the operators' wish to stay as inconspicuous as possible.
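A disguised panel still leaves traces in the web server's own logs. The following is an added example, not code from the report or from the Flame infrastructure: it parses Apache "combined" access log lines, flags every request under the /newsforyou/ prefix named above, and separates hits on the operators' panel directory (/newsforyou/CP) from hits by ordinary clients, while counting distinct source addresses the way the researchers did. The log lines are constructed for the example (RFC 5737 documentation addresses, made-up timestamps and user agents); only the directory prefix comes from the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// combinedLog captures client IP, timestamp, method, path, status and size
// from an Apache "combined"/"common" format line. Anything else is skipped.
var combinedLog = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)`)

// suspiciousPrefix is the directory the report names; panelPrefix is the
// operators' control panel below it.
const (
	suspiciousPrefix = "/newsforyou/"
	panelPrefix      = "/newsforyou/CP"
)

// Hit is one request that touched the suspicious directory.
type Hit struct {
	ClientIP string
	When     string
	Method   string
	Path     string
	Status   string
	Operator bool // true when the request went to the control panel
}

// Report summarises a scan: every hit, plus per-address counts split into
// ordinary clients (likely infected hosts) and operator-panel visitors.
type Report struct {
	Hits      []Hit
	Clients   map[string]int
	Operators map[string]int
}

// FindC2Hits scans log lines and returns the hits under suspiciousPrefix.
func FindC2Hits(lines []string) Report {
	r := Report{Clients: map[string]int{}, Operators: map[string]int{}}
	for _, line := range lines {
		m := combinedLog.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // malformed or unrelated line
		}
		ip, when, method, path, status := m[1], m[2], m[3], m[4], m[5]
		if !strings.HasPrefix(path, suspiciousPrefix) {
			continue
		}
		op := strings.HasPrefix(path, panelPrefix)
		r.Hits = append(r.Hits, Hit{ip, when, method, path, status, op})
		if op {
			r.Operators[ip]++
		} else {
			r.Clients[ip]++
		}
	}
	return r
}

// SampleLog is constructed input for the example; it is not real traffic.
var SampleLog = []string{
	`203.0.113.5 - - [10/Sep/2012:10:15:02 +0000] "POST /newsforyou/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"`,
	`203.0.113.5 - - [10/Sep/2012:10:45:09 +0000] "POST /newsforyou/ HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"`,
	`198.51.100.7 - - [10/Sep/2012:11:02:41 +0000] "POST /newsforyou/ HTTP/1.1" 200 768 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"`,
	`192.0.2.44 - - [10/Sep/2012:11:30:00 +0000] "GET /newsforyou/CP/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"`,
	`192.0.2.9 - - [10/Sep/2012:11:31:17 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"`,
	`198.51.100.7 - - [10/Sep/2012:11:32:05 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"`,
	`this line is not an access log entry`,
}

func main() {
	r := FindC2Hits(SampleLog)
	for _, h := range r.Hits {
		fmt.Printf("%-14s %s %-18s %s operator=%v\n", h.ClientIP, h.Method, h.Path, h.Status, h.Operator)
	}
	fmt.Printf("%d distinct client addresses, %d distinct operator addresses\n",
		len(r.Clients), len(r.Operators))
}
```

On a real server the same split is what lets an investigator separate victim beacons from the handful of addresses that logged into the panel; the counts per address are the starting point for the kind of per-country tally the report gives.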
All data collected by the trojan and uploaded to the C&C servers was encrypted there with public-key cryptography. Only the holder of the matching private key, that is the operators rather than the server itself, could decrypt it, so a seized or compromised server yielded no readable stolen data. The operators downloaded the encrypted data every half-hour and then deleted it from the server. According to the report, one server relayed 5.5 GB of captured data in a single week, during which it was contacted by more than 5,000 IP addresses: about 3,700 of them in Iran and 1,280 in Sudan. The researchers estimate that Flame has infected more than 10,000 computers in total.
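The property described above, that whoever holds the server cannot read what passes through it, is the standard hybrid "dead drop" construction: a fresh symmetric key encrypts the payload and the operators' public key wraps that symmetric key. The following is an added example of that construction, not code from Flame or its C&C; the specific algorithms (RSA-OAEP wrapping an AES-256-GCM key) and the function names are assumptions made for the illustration. The report does not say which primitives Flame's operators used, only that it was strong public-key cryptography.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Blob is what the upload side leaves on the server: the wrapped session
// key, the GCM nonce and the ciphertext. None of it is useful without the
// operators' private key, which never touches the server.
type Blob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal runs wherever the stolen data arrives (here: the server). It needs
// only the operators' public key. Algorithm choice is an assumption.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Blob, error) {
	key := make([]byte, 32) // one-time AES-256 key per upload
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the session key with RSA-OAEP so only the private key opens it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Blob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the operators' side after the blob has been downloaded.
// With the wrong private key the unwrap fails and nothing is revealed.
func Open(priv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// RoundTrip generates an operator key pair, seals a constructed payload
// with the public half, then opens it with the private half and also shows
// that an unrelated key (what a server seizure would give you) fails.
func RoundTrip() (recovered string, wrongKeyFails bool, err error) {
	operators, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	blob, err := Seal(&operators.PublicKey, []byte("constructed sample: captured document"))
	if err != nil {
		return "", false, err
	}
	pt, err := Open(operators, blob)
	if err != nil {
		return "", false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	_, err = Open(other, blob)
	return string(pt), err != nil, nil
}

func main() {
	pt, fails, err := RoundTrip()
	fmt.Println(pt, fails, err)
}
```

The point to take from the construction is operational rather than mathematical: a server that only ever sees the public key can be seized, imaged and fully analysed, as these were, without the captured data becoming readable, which is exactly why the researchers could describe the volume of traffic but not its contents.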
When analysing the communication protocols used by Flame and its C&C servers, the researchers discovered that the server code could handle four different client types, identified by the code names IP, SP, SPE and FL, the last being Flame itself. This leads the research team to believe that there are three other trojans created by the same developers as Flame.
Kaspersky says it has found traces of at least one of these Flame relatives: SPE is currently active in the wild but has not yet been captured. There are also signs that a fifth client type was in development but had not been completed by the time Flame attracted worldwide attention and its operators shut the infrastructure down. The researchers conclude this from a communication scheme called "Red Protocol", which is mentioned in the C&C code but not implemented. According to Kaspersky, there is no sign that Flame's control servers were ever used to control other known malware such as Stuxnet or Gauss.
The forensic analysts extracted still more information from the C&C servers, including the nicknames of four server operators. A report published by Symantec shows a clear separation of roles between these operators, and the use of data compartmentalisation suggests the attackers belonged to a well-funded and organised group. Given the cryptographic setup and the complexity of the C&C servers, Kaspersky also considers it likely that Flame and its variants were developed with nation-state sponsorship. According to an earlier report in the Washington Post, both Flame and Stuxnet were developed with backing from the US and Israel.
One observation of the researchers is that the developers of Flame's C&C system seem to be mostly familiar with Red Hat based systems: they used the chkconfig tool to manage services, which is unusual on Debian, where update-rc.d is the native equivalent. This reminded the researchers of the C&C servers of the Duqu trojan, which were based on CentOS, a clone of Red Hat Enterprise Linux (RHEL). Since Duqu is itself closely related to Stuxnet, this is another possible connection between Flame and the Stuxnet developers.
Flame was originally discovered in May of this year. It soon emerged that the trojan had been active for years but that its use had been concentrated on the Middle East. It later turned out that one of its modules was signed with a code-signing certificate that chained to Microsoft's root: the certificate had been fraudulently obtained from Microsoft's Terminal Server Licensing Service, with the help of an MD5 chosen-prefix collision attack, and the malware used it to spread to other machines on a local network by impersonating the Windows Update service.