
Flame Malware Has Self-Destruct Switch

Security firm Symantec reports that the Flame(r) malware uses a downloadable component that completely removes it from compromised computers. "Completely" also includes covering its tracks by overwriting the deleted files with random characters, so that nobody can later recover information about the infection from the disk.

"Compromised computers regularly contact their pre-configured control server to acquire additional commands," the firm reports. "Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the 'uninstaller.'"

The module contains a long list of files and folders used by Flame. It locates each listed file, overwrites its contents with random characters produced by a built-in random-character routine, and then removes it, so that no readable evidence of its existence remains. In essence, it tries to leave no traces of the infection behind.

"The existence of this module is interesting in itself. Previously analyzed Flamer code showed us a component named SUICIDE, which is functionally similar to browse32.ocx," Symantec says. "It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module."

Of course, deleting a file in Windows does not actually remove the data from the physical disk. Instead, the file system simply marks the space the file occupied as free to be reused at some point. That means that, until those sectors are overwritten, the data can be recovered with readily available file-recovery tools.

Aleks Gostev, chief security expert with Kaspersky Lab's Global Research & Analysis Team, disagrees with Symantec about the order of operations: he says the file data is overwritten with meaningless characters before the Flame files are deleted by browse32.ocx, not after, as Symantec suggested. Either way, the goal is the same: eliminate all traces of Flame to make forensic analysis even harder.
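As an added illustration of the point above (not code from the article or from either vendor's analysis), the following toy Python block-device model shows why ordinary deletion leaves the bytes recoverable by carving, why overwriting first destroys them, and why the overwrite has to happen while the file is still listed; the disk layout, file name and marker are constructed.

```python
import os

BLOCK_SIZE = 16
BLOCK_COUNT = 32
MARKER = b"ARTIFACT-SIG:"  # constructed file signature a carving tool would search for


class ToyDisk:
    """Simplified block device plus file table; a constructed model, not NTFS."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.free = list(range(BLOCK_COUNT))
        self.table = {}  # file name -> list of block indices

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete(self, name):
        # Ordinary delete: drop the table entry and mark blocks free; the bytes stay on disk
        self.free.extend(self.table.pop(name))

    def overwrite(self, name):
        # Replace each block of a still-listed file with random bytes (the uninstaller's step)
        for b in self.table[name]:
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)


def carve(disk, marker=MARKER):
    """Forensic carving ignores the file table and scans the raw blocks for the signature."""
    return marker in disk.raw


def evidence_survives(method):
    """Return True if carving still finds the constructed file after the given removal method."""
    disk = ToyDisk()
    disk.write("artifact.dat", MARKER + b" sample artifact bytes " * 3)  # constructed content
    if method == "plain":            # delete only
        disk.delete("artifact.dat")
    elif method == "wipe":           # overwrite, then delete (the ordering Gostev describes)
        disk.overwrite("artifact.dat")
        disk.delete("artifact.dat")
    elif method == "delete_first":   # delete, then try to overwrite by name
        disk.delete("artifact.dat")
        try:
            disk.overwrite("artifact.dat")
        except KeyError:
            pass  # the file table no longer records where the blocks were
    return carve(disk)
```

Running the three methods shows that only the overwrite-then-delete order defeats carving; once the file table entry is gone, the bytes are still on disk but can no longer be located through the normal file interface.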

Last month Gostev called Flame, a cyber espionage worm, the most sophisticated cyber weapon yet unleashed. Kaspersky discovered the weapon after the UN's International Telecommunication Union came to the firm asking for help in finding an unknown piece of malware that was deleting sensitive information across the Middle East. While searching for that malware, Kaspersky stumbled across new malware codenamed Worm.Win32.Flame.

"Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators," he said. "Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."

Ilmar Tamm, Head of the NATO Cyber Defense Center, said on Thursday that Stuxnet and Flame have shown a nasty side of the Internet that the average user doesn't even consider.

"[They] will bring a lot of challenges to all experts who deal with critical infrastructure protection issues - IT experts, lawyers, policy makers," he told AFP. "The number of cyber conflicts keeps rising and it is important to understand who the actors in these events are, how to classify these events and participants, and how to interpret all that."

  • NuclearShadow
    "deleting sensitive information across the Middle East"

    Okay, so this is the primary function. Now, without a list of who/where is affected and what kind of information is being deleted, we can only try to guess who is behind it and why.

    Clearly it is to hide something and to stop the spread of some sort of knowledge. This means the culprit is already involved heavily in the Middle East and has something to hide, while clearly having access to well-educated people and advanced technology to make the worm. Gee, I wonder who that could be?
  • cliffro
    China? lol. I bet one of the alphabet agencies made it.
  • NuclearShadow
    cliffro: "China? lol. I bet one of the alphabet agencies made it."
    China would be looking to steal information, not destroy it. Besides, China works more along the lines of censorship at home, not elsewhere. It's obvious who made it.
  • Kami3k
    I knew this would get all the nutters out of their bunkers.
  • mstngs351
    The article said it removes traces of itself. That doesn't mean that it didn't grab any information or do anything malicious. Those of you saying that it's obvious who it was or that "China would be looking to steal..." should use your heads before jumping to conclusions.
  • Tab54o
    The U.S made it.
  • jackbling
    I don't care about the evidence, i think *alarmist conspiracy statement*
  • freggo
    The next time we sink a ship as an artificial reef I suggest we use a bunch of hackers as ballast.
  • nforce4max
    Kami3k: "I knew this would get all the nutters out of their bunkers." Tab54o: "The U.S made it."
    Indeed
  • v3nom777
    It would be awesome to know who made it, but no country is going to admit to it. I'm going with USA, only because they are deeply entrenched in middle eastern politics.