June 04, 2012, 3:26 PM — Kaspersky Lab Monday shared more details about the sophisticated cyber-espionage Flame malware widely believed to be the work of a nation-state, though the security firm isn't venturing yet to say what country that might be.
Kaspersky Lab is working with OpenDNS to investigate Flame malware tied most closely to cyber-espionage against Iran and Lebanon, and today both companies described what has been found in a week of investigation of Flame command and control (C&C) servers around the world. These servers are being "sinkholed" slowly to cut off ties between the C&C server and Windows-based computers infected with Flame malware, which spies on computer use and can upload content back to Flame's C&C operators.
The Flame cyber-espionage botnet has one of the most elaborate and carefully constructed C&C structures ever identified, according to Roel Schouwenberg, senior researcher at Kaspersky Lab, who joined with Dan Hubbard, CTO at OpenDNS, to discuss the latest discoveries made since a week ago, when Kaspersky's announcement about the malware apparently caused Flame's C&C operators to suddenly drop offline.
However, Flame appears to be updating itself to possibly reconstitute its capabilities, Schouwenberg warns.
"Flame's goal is cyber-espionage," says Schouwenberg, noting it's "hiding in plain sight," and "there may be a cyber-sabotage component to it."
Flame can send up stolen information in 80 kilobyte chunks, and Flame's operators want to steal PDF files, Office documents and AutoCAD files, such as mechanical and building designs. He notes, "Whitelisting technologies would have definitely blocked Flame." Whitelisting prevents unauthorized applications from running on computers. Flame is Windows-based and there doesn't seem to be a Linux component for Flame, Schouwenberg says.