The authors of Flame – a piece of malicious software that infected and spied on hundreds of computers in Iran and elsewhere for years – are now trying to wipe out any trace of its existence.
Late last week, the software received instructions to begin deleting itself from infected computers, according to researchers. The instructions appear to be part of a strategy by Flame’s still-unidentified authors to make it very difficult for the software’s victims to study its inner workings.
Flame made headlines late last month when Russian security researchers discovered the malicious software on hundreds of computers, primarily in the Middle East. It is one of the most complex pieces of malware ever designed, marking a major escalation in the growing cyberwar between nation-states.
Researchers at the computer security firm Symantec say the command and control servers behind Flame began updating and activating a “suicide” module in the software late last week. The module essentially deletes all traces of the malware from an infected computer and then overwrites the section of the computer’s hard drive where the software used to live with random characters. In effect, the command is designed to make it impossible for the owner of the infected machine to study the infection.
The malware’s authors “are trying to roll up the operation so that it’s harder to know what they did and how they did it,” said Kevin Haley, director of Symantec Security Response. “They’re trying to cover their tracks.”
Discovered late last month by Russian security firm Kaspersky Lab, the Flame malware is one of the most sprawling pieces of snooping software ever designed. It is composed of roughly 60 modules, each capable of a different function, such as capturing video footage from an infected computer’s camera or activating and using Bluetooth technology.
The malware appears to have been targeted at computers in the Middle East – specifically, high-level machines within Iran. Researchers believe the software has lived on those machines for upwards of five years, silently collecting information. Unlike previous high-profile malicious software, such as the Stuxnet virus that temporarily crippled some of Iran’s nuclear facilities, Flame was not designed to destroy computers, only to snoop.
As researchers have picked apart Flame’s source code, evidence is mounting that the software was almost certainly the work of a well-funded, expertly staffed organization – essentially, an arm of a large government.
“We’ve said that this is probably the work of a nation-state, not because anything in code says so, but because of the kind of resources this would take,” said Mr. Haley. “Everything we find seems to reinforce that this was incredibly well-resourced malware.”
In addition to its massive size and many modules, the software’s sophistication is evident from the way it infected machines in the first place. To get on a host computer, Flame was designed to provide a fake Microsoft security certificate. Pulling that off, experts say, would have required incredibly advanced knowledge of cryptography, indicating that math geniuses were among Flame’s authors.
Mr. Haley also pointed to Flame’s sophisticated use of Bluetooth technology to figure out how infected machines worked together. By combining Bluetooth data with unique computer identifiers, Flame could begin to build a picture of a physical workspace, figuring out which users work together in an office.
“Now I can figure out the layout of an office,” Mr. Haley said. “Now I can do things that may have required someone sitting in a car watching, but now we can do it with software.”
But with the public now aware of its existence, Flame’s usefulness as a snooping tool has likely come to an end. Iranian authorities have said they’ve developed tools to delete the malware. Having activated the suicide modules, the software’s authors now appear concerned with making sure the Iranian government and others are unable to extract more information about exactly how the malware worked.