Flame C&C Server Analysis Reveals New Malware in the Wild

Forensic analysis of a number of Flame malware toolkit command-and-control servers revealed an additional three unidentified pieces of malicious code are under the control of the attackers, including one in the wild. Researchers at Kaspersky Lab, Symantec, CERT-Bund/BSI, and the International Telecommunication Union’s Impact Alliance said today they also pinpointed the first work done on the Flame espionage campaign was carried out in 2006, much earlier than the 2010 date development was initially thought to have begun.

In June, Kaspersky Lab reported they’d found a definitive connection between Flame and Stuxnet; researchers said the unidentified malware reported today has no connection to either Stuxnet or Gauss, another nation-state threat discovered by Kaspersky last month.

Analysis also determined at least four programmers are on the team behind the attacks, each with varying levels of expertise; additional confirmation was also made that sophisticated cryptography is being used to encrypt data as it’s sent between the victims’ machines and the C&C servers. The C&C code also handles three communications protocols, and researchers saw evidence of a fourth under development.

Alexander Gostev, chief security expert at Kaspersky Lab, called the discoveries examples of cyber espionage conducted on a massive scale.

The attackers, researchers said, spent significant resources covering their tracks and disguising the project from hosting providers. The C&C platform used by Flame was made to look like an ordinary content management system; unlike most botnet control panels, which rely on labels such as "malware", "command" and "infection", this one used innocuous terms such as data, download, client, news, blog and ads. The C&C panel was also not set up to send commands directly to victims. Instead, the attackers uploaded special tar.gz archives, and server-side scripts extracted the archive contents. The scripts also encrypted every file received from an infected machine with Blowfish, and the Blowfish key was then itself encrypted; no one other than the attackers held the private key needed to decrypt the files.

Communication was carried out over four protocols: OldProtocol, OldProtocolE, SignupProtocol and RedProtocol (under development). Four different types of malware clients were revealed: SP, SPE, FL and IP. Researchers determined that FL is Flame and concluded that the three remaining client names are similar malware tools. The researchers used a sinkhole (the networking equivalent of a honeypot) to catalog connections into two categories, those coming from Flame and another set from the SPE malware client, confirming that the latter is in the wild as well.

For one week, starting March 25, 5,377 unique IP addresses connected to a C&C server owned by a European country with data centers in another EU country. More than 3,700 connections were made from Iran, and another 1,280 from Sudan. Researchers deduced this was a targeted campaign against these two nations, since no large amount of activity had previously been seen originating from Sudan in particular. Fewer than 100 connections were made from each of the United States, Germany, India, Pakistan, the United Kingdom and several other countries, most of them in the Middle East.
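The sinkhole triage described above, catalogued by client type and then by country of origin, is straightforward to script. The following is an added example, not code from the researchers or from the report: it assumes a constructed, space-separated sinkhole log format (timestamp, source IP, ISO country code, client tag, requested URI) that stands in for whatever the real sinkhole recorded, and it counts unique source IPs per client tag and per country, skipping malformed lines and unknown client tags rather than letting them skew the totals.

```python
"""Sinkhole log triage: unique source IPs per malware client tag and per country."""
import re
from collections import defaultdict

# Constructed sample lines (not real Flame sinkhole data). Assumed format:
# <timestamp> <src_ip> <country_code> <client_tag> <uri>
SAMPLE_LOG = """\
2012-03-25T10:01:02Z 10.1.1.1 IR FL /news/
2012-03-25T10:01:09Z 10.1.1.1 IR FL /news/
2012-03-25T10:02:15Z 10.1.1.2 IR SPE /blog/
2012-03-25T10:02:40Z 10.1.1.5 IR FL /ads/
2012-03-25T10:03:00Z 10.2.2.2 SD FL /ads/
2012-03-25T10:04:44Z 10.3.3.3 US FL /download/
2012-03-25T10:05:10Z 10.2.2.3 SD SPE /client/
2012-03-25T10:06:00Z 10.4.4.4 DE ZZZ /data/
this line is malformed and must be skipped
"""

# Client tags named in the report; anything else is treated as noise.
KNOWN_CLIENTS = {"SP", "SPE", "FL", "IP"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<cc>[A-Z]{2}) "
    r"(?P<client>[A-Z]+) "
    r"(?P<uri>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Build {client_tag: {country_code: set(unique_ips)}}.

    Returns the mapping and the number of lines skipped (malformed or unknown tag).
    """
    per_client = defaultdict(lambda: defaultdict(set))
    skipped = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["client"] not in KNOWN_CLIENTS:
            skipped += 1
            continue
        per_client[rec["client"]][rec["cc"]].add(rec["ip"])
    return per_client, skipped


def unique_ips(summary, client):
    """Total distinct source IPs seen for one client tag across all countries."""
    return sum(len(ips) for ips in summary.get(client, {}).values())


def ranked_countries(summary, client):
    """Countries for one client tag, ordered by unique-IP count (desc), then code."""
    counts = ((cc, len(ips)) for cc, ips in summary.get(client, {}).items())
    return sorted(counts, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    for tag in sorted(summary):
        print(tag, unique_ips(summary, tag), ranked_countries(summary, tag))
    print("skipped lines:", skipped)
```

Counting unique IPs rather than raw connections matters for this kind of triage: a single infected host that beacons repeatedly would otherwise inflate a country's apparent victim count, which is why the per-country figures are built from sets.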

The server had limited functionality, and infected machines supported few commands, including some that would fetch updates and new Flame modules, some storage commands and some directory commands. Researchers also found that the four respective developers left their nicknames and timestamps in the scripts, the earliest timestamp being Dec. 3, 2006. One developer in particular worked on the majority of the files and seemed to be the most experienced of the four. “He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms. We think [developer] was most likely a team lead,” the report said.

The C&C server was running a 64-bit version of the Debian operating system; researchers obtained a server image, which was an OpenVZ file-system container. Most of the code was written in PHP, with some Python and bash. All data was stored in a MySQL database with InnoDB tables. The Web server was Apache 2.x with self-signed certificates. The last modification to the C&C server was made May 18.

The forensics also found automated scripts that would wipe log files and disable further logging. Researchers also found the chkconfig tool present, a Debian version of a tool popular on Red Hat and CentOS systems that was also found in Duqu. A shred tool, also used by the Duqu team, was used here to wipe information. Other scripts were found that downloaded new data and removed old data every 30 minutes.