The attackers behind Flame can easily clean up compromised computers, according to research by security firm Symantec, which found that some attackers have been able to use command-and-control (C&C) servers to completely remove the malware from certain machines.
According to a post on Symantec’s Security Response blog yesterday, C&C servers can send a file to infected computers to “uninstall” the Flame malware. The file, Browse32.ocx, searches the infected computer for every file used by Flame, removes them, and even overwrites the freed disk space with random bits of information and characters to cover its tracks.
According to Symantec’s analysis, the module contains two different exports: EnableBrowser, which initializes the module, and StartBrowse, which does the actual deletion of the Flame files. Symantec also adds that the module appears to have been created on May 9 and looks similar to SUICIDE, an older module previously found in Flame’s code.
Flame was discovered in recent months and disclosed by the Iranian government and western firms last week. The worm quickly drew comparisons to Stuxnet and Duqu. While the malware has apparently existed for years, it wasn’t until this week that it was revealed the attackers used a collision attack to obtain a fraudulent Microsoft certificate, which the malware then exploited to attack Windows systems.