Flame’s massive C&C infrastructure revealed
Day after day, new details are discovered by security researchers that seem to prove the talent and the apparently unlimited resources that the authors of the Flame toolkit had at their disposal.
As Microsoft continues its effort to keep its users safe, Kaspersky Lab researchers keep sharing their findings about the malware and the infrastructure behind it.
“For the past weeks, Kaspersky Lab has been closely monitoring the C&C infrastructure of Flame. In collaboration with GoDaddy and OpenDNS, we succeeded in sinkholing most of the malicious domains used by Flame for C&C and gain a unique perspective into the operation,” Kaspersky Lab Expert Alexander Gostev explained.
The infrastructure is massive: over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries.
“The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008. In general, each fake identity registered only 2-3 domains but there are some rare cases when a fake identity registered up to 4 domains,” Gostev shared. “The largest batch of Flame C&C domains was registered with GoDaddy.”
After the news about the discovery of the Flame malware broke last Monday, the domains went dark in a matter of hours, indicating that the operators were shutting down the operation. Still, the malware on three of the infected computers received an upgrade during the sinkhole operation.
“This means basically that this week, after the [news] announcement, the Flame command-and-control network was still operational and sending updates, possibly commands, to the victims,” Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, commented for Wired. “Which, in my opinion, this is quite amazing, that despite all this noise and the story being everywhere, they’re still using the command-and-control infrastructure to send updates.”
The sinkholing operation allowed Kaspersky Lab to gather the data exfiltrated by the malware, encrypted and uploaded to the C&C servers.
By analyzing it, the researchers concluded that the attackers were particularly interested in AutoCAD drawings (DWG files) – same as the operators behind Duqu – but also wanted to get their hands on PDF, Office files, emails and other documents that contained interesting information.
In order to do that, but not download files that would not interest them, the malware would parse through the files and extract a small sample of the text from them, and then upload it to the C&C domain. If the content was found to be of interest, the attackers would instruct the malware to download the entire files.
The number of still infected computers has shrank since the discovery of the malware, and now reaches barely above 400 – mostly in Iran, Israel, Palestine, Sudan and Lebanon.
It’s interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware.