UK, Abingdon, June 2012 - On May 28, 2012 Kaspersky Lab announced the discovery of a highly sophisticated malicious program, known as Flame, which was actively being used as a cyber-weapon targeting entities in several countries. Flame was discovered by Kaspersky Lab's experts during an investigation prompted by the International Telecommunication Union (ITU), and the analysis of the malicious program revealed it was the largest and most complex attack toolkit to date.
Kaspersky Lab's analysis of the malware revealed that it was currently being used for cyber-espionage and it would infect computers to steal data and sensitive information. The stolen data was then sent to one of Flame's command & control (C&C) servers.
Kaspersky Lab has been closely monitoring Flame's C&C infrastructure and published a detailed research post today about the findings.
In collaboration with GoDaddy and OpenDNS, Kaspersky Lab succeeded in sinkholing most of the malicious domains used by Flame's C&C infrastructure. The following details summarise the results of the analysis:
- The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence last week.
Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012.
During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America and Asia-Pacific.
The Flame attackers seem to have a high interest in PDF, Office and AutoCad drawings.
The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression.
Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.
Kaspersky Lab would like to thank William MacArthur and GoDaddy Network Abuse Department for their fast reaction and exceptional support of this investigation. In addition, Kaspersky Lab would also like to thank the OpenDNS Security Research Team, who also offered invaluable assistance during the course of this investigation.
During the past week, Kaspersky Lab contacted CERT's in multiple countries to inform them about the Flame C&C domain information and IP addresses of the malicious servers. Kaspersky Lab would like to thank all who participated for their support of this investigation.
If you are a GovCERT institution and would like to receive more information about the C2 domains, please contact us at: "email@example.com"
To read the full analysis of Flame's C&C infrastructure and all its technical details, please visit: Securelist.
Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe (http://newsroom.kaspersky.eu/), for journalists throughout Europe. The newsroom is specifically designed to serve many of the media's most common requests, making it easier for journalists to find product and corporate information, facts and figures, editorial copy, images, videos and audio files, as well as details about the appropriate PR contacts.
About Kaspersky Lab
Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world's most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The company is ranked among the world's top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry's fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry's leading IT security solution providers. Learn more at www.kaspersky.com. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit www.securelist.com.
Follow us on Twitter
Like us on Facebook
Telephone: 0118 909 0909
Fax: 0118 988 6911
1650 Arlington Business Park
RG7 4SA, Reading
Kaspersky Lab UK
Telephone: 0871 789 1633
Milton Business Park
OX14 4RY, Oxford
© 2012 Kaspersky Lab. The information contained herein is subject to change without notice. The only warranties for Kaspersky Lab products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for technical or editorial errors or omissions contained herein.