Concerns raised about time taken to detect Flame
Concerns raised about time taken to detect Flame

One of three newly detected strains of malware, linked to the authors of Flame, is already operating in the wild, according to new research on the cyber espionage campaign.

Recent findings also date the development of Flame's command-and-control platform as far back as December 2006.

Flame, which targeted victims primarily in Iran, is thought to be created by a nation-state, due to the resources needed for the large-scale, sophisticated attacks. Reports by researchers at Kaspersky Lab and Symantec found that one Flame server that was set up in March had collected nearly 6GB from infected computers in a week's time.

Kaspersky Lab found that there were files stolen from more than 5,000 machines, bringing the estimated count of Flame victims to more than 10,000. Researchers were able to measure the amount of stolen files due to a mistake by the attackers, in which they left behind files that would have normally been deleted.

“On one of the servers, the attackers forgot to delete the HTTP logs. This allowed us to get an idea of how many victims connected to the server,” it said.

The information gathered during the week between 25th March and 2nd April showed that of the 5,377 unique IPs that connected to the server, around 4,000 infected machines were in Iran, while 1,280 were in Sudan.

“Our previous statistics did not show a large number of infections in Sudan, so this must have been a dedicated campaign targeting systems in Iran and Sudan,” Kaspersky researchers said.

The owners also developed a web application, called 'Newsforyou', that was disguised to be undetected and to communicate with the infected machines.

Symantec's analysis said: “The application is designed to resemble a simple news [or] blog. This approach may serve to disguise the true nature of the application from any automation or casual inspection.”

The three strains of malware were named, 'IP', 'SP' and 'SPE', with the latter being the name of the Flame-related malware currently in the wild. Researchers have yet to discover what the malware is capable of doing to infected machines.

Kaspersky Lab said: “Based on the code from the server, we know Flame was a project from a list of at least four.” The purpose and nature of the other three malicious programs remain unknown.

Alexander Gostev, chief security expert at Kaspersky Lab, said: “It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its command and control (C&C) servers. Flame's creators are good at covering their tracks. This is certainly an example of cyber espionage conducted on a massive scale.”