A sophisticated support team ran the spy network that gathered data from infected computers and uploaded it to command servers, the Symantec report says. The team had three distinct roles: server admins, operators who sent and received data from infected client machines, and coordinators who planned attacks and gathered stolen data.
"This separation of operational and attacker visibility and roles indicates that this is the work of a highly organized and sophisticated group," the report authors conclude.
The servers gathered the data in encrypted form and then passed it along to be decrypted offline. Each infected machine had its own encryption key.
Evidence from one of its command and control servers indicates the server can talk to at least four other pieces of malicious code that researchers believe are either undiscovered Flame variants or completely separate attacks, according to a Symantec report.
This is accomplished with a versatile Web application called Newsforyou, backed by a MySQL database, that could be used as a component for other attacks.
Researchers also discovered a set of commands the server could execute including one that wipes log files in an effort to minimize forensic evidence should the server be compromised. It also cleaned out files of stolen data in order to keep disk space free.
"The Newsforyou application is written in PHP and contains the primary command-and-control functionality split into two parts," the report says, "the main module and the control panel." The main module handles sending encryption packages to infected clients, receiving data uploaded from infected clients, and archiving when unloading files.
The application resembles a news or blog application, perhaps in an effort to avoid detection by automated or casual inspection, the researchers say.
PHP source code for Newsforyou included notes that identified four authors - D***, H*****, O****** and R*** - who had varying degrees of involvement. D*** and H***** edited the most files and so had the most input. "O****** and R*** were tasked with database and cleanup operations and could easily have had little or no understanding of the inner workings of the application," the report says. "It is likely D*** and O****** knew each other, as they both worked on the same files and during a similar time period in December 2006."
Newsforyou employed both public key and symmetric key encryption depending on the type of data being encrypted. News files intended for clients were encrypted with symmetric keys while stolen data was encrypted using public/private key pairs.