C&C Coding for ‘Flame’ Dates Back to 2006

(Ping! Zine Web Tech Magazine) – Since its initial discovery in May, more details have become known regarding the malware known as Flame. Today, Kaspersky Lab, the company that originally reported on the massive malware threat, provided an in-depth analysis of its command-and-control (C&C) infrastructure.

Flame was likely built by a nation state and mostly infected computer systems in Middle Eastern countries, including Iran. Its modules gather information from infected systems by taking screenshots, logging keystrokes, sniffing network traffic and recording audio, and it stores what it collects in an embedded database.

“The Flame malware, including all of its components, was very large and our ongoing investigation revealed more and more details since that time,” commented Kaspersky in today’s report.

Flame's C&C servers, rather than the Windows malware itself, ran 64-bit Debian 6.0.x, virtualized in OpenVZ containers. The server-side code was written in PHP, Python and bash, Apache 2.x served as the web server, and client records and stolen data were stored in MySQL.

Surprisingly, the Flame C&C code and the “cyber-espionage projects” Kaspersky ties to it have a history going back to 2006. The same C&C code base also controlled other, Flame-related malware: alongside Flame itself, Kaspersky identified client platforms it calls SP, SPE and IP, and said SPE has been found in the wild.

Other critical findings were that “at least four programmers” worked on the C&C code and that the last known change to its source was made on May 18, 2012. Kaspersky discovered Flame inadvertently, while searching for unrelated malware known as Wiper.