September 18, 2012, 9:56 AM — Researchers have cracked the password protecting a server that controlled the Flame espionage botnet giving them access to the malware control panel to learn more about how the network functioned and who might be behind it.
Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast.
The hash - 27934e96d90d06818674b98bec7230fa - was resolved to the plain text password 900gage!@# by Bestuzhev.
Symantec said it tried to break the hash with brute force attacks but failed. Flame has been investigated by a joint effort of Symantec, ITU-IMPACT and CERT-Bund/BSI.
Meanwhile, researchers at Symantec report that Flame was being developed at least as long ago as 2006, four years before its Flamer's compilation date of 2010 and well before the initial deployment of the first Flame command and control server March 18 of this year.
By May, Flame had been discovered and owners of infected computers in Iran and other Mideast countries were cleaning up. The malware itself also executed a suicide command in May to purge itself from infected computers.
The command and control server also routinely wiped out its log files, which successfully obliterated evidence of who might be behind the attacks. "Considering that logging was disabled and data was wiped clean in such a thorough manner, the remaining clues make it virtually impossible to determine the entity behind the campaign," the Symantec report says.
Despite Flame being neutralized earlier this year, more undiscovered variants may exist, the report concludes. Evidence for this is that the command and control module can employ four protocols to communicate with compromised clients, three of which are in use. "The existence of three supported protocols, along with one protocol under development, confirms the C&C server's requirement to communicate with multiple evolutions (variants) of W32.Flamer or additional cyberespionage malware families currently unknown to the public."