Skip to main content

Flame Malware Has Self-Destruct Switch

Security firm Symantec reports that the Flame(r) malware uses a downloadable component that completely removes it from compromised computers. "Completely" also includes covering its tracks by overwriting the disk with random characters to prevent anyone from obtaining information about the infection.

"Compromised computers regularly contact their pre-configured control server to acquire additional commands," the firm reports. "Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the 'uninstaller.'"

The module contains a long list of files and folders that are used by Flame. It locates each listed file, removes it, and then covers up any evidence of its existence by dumping random characters in its place thanks to a routine that generates random characters to use in the overwriting operation. In essence, it tries to leave no traces of the infection behind.

"The existence of this module is interesting in itself. Previously analyzed Flamer code showed us a component named SUICIDE, which is functionally similar to browse32.ocx," Symantec says. "It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module."

Of course, deleting a file in Windows does not actually remove the data from the physical disk. Instead, the parent sector is flagged to be re-written at some point. That means for a limited time, the data could be recovered using special recovery tools that can be downloaded from the Internet.

Chief security expert with Kaspersky Lab's global research & analysis team Aleks Gostev disagrees with Symantec about the overwriting of file data with meaningless characters. He said it happens before the Flame files get deleted by browse32.ocx, not after as Symantec suggested. Still, the goal is the same: eliminate all traces of Flame to make forensic analysis even harder.

Last month Gostev called Flame, a cyber espionage worm, the most sophisticated cyber weapon yet unleashed. Kaspersky discovered the weapon after the UN’s International Telecommunication Union came to the firm asking for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for the Malware, Kaspersky stumbled across new malware codenamed Worm.Win32.Flame.

"Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators," he said. "Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."

Ilmar Tamm, Head of the NATO Cyber Defense Center, said on Thursday that Stuxnet and Flame have shown a nasty side of the Internet that the average user doesn't even consider.

"[They] will bring a lot of challenges to all experts who deal with critical infrastructure protection issues - IT experts, lawyers, policy makers," he told AFP. "The number of cyber conflicts keeps rising and it is important to understand who the actors in these events are, how to classify these events and participants, and how to interpret all that."