An analysis of servers used to control the Flame cyber espionage malware, which mostly targeted computers in the Middle East, indicates that several other related malware programs existed -- with one still operating.
Kaspersky Lab, Symantec, and other researchers released details of their research on Monday. Other key findings indicated a highly sophisticated operation in which a variety of defensive mechanisms were used to cover the attackers' tracks.
Researchers examined two of the command-and-control servers behind Flame and discovered that they communicated with at least three other Flame-related programs. "There is enough evidence to prove that at least one Flame-related malware is operating in the wild," Alexander Gostev, chief security expert for Kaspersky, said in a statement.
There is no indication that the servers controlled any other malware besides Flame, which has been linked to Stuxnet, another espionage malware. While Flame's purpose was to steal data, the U.S. and Israeli governments created Stuxnet as part of a secret operation with the goal of crippling Iran's nuclear program, The New York Times reported.
The new Flame analysis revealed that four developers working since December 2006 built the malware system that targeted Middle Eastern states, particularly Iran and Palestine. The fact that the expensive operation infected a relatively small number of computers and lacked a clear moneymaking strategy indicates that it was government funded.
"It's not stealing credit card numbers, so who's paying for these resources? What's the payoff for the threat?" said Kevin Haley, director of Symantec's Security Response team. "So you've got to say it's probably a nation-state."
The attackers launched one of the analyzed servers on March 25 and the other on May 18. Each made contact with Flame-infected computers within hours. The March server gathered 5GB of data a week from more than 5,000 compromised systems, while the other was used solely to distribute one command module to infected computers, Kaspersky said. Both servers were disguised as common content management systems in order to fool hosting providers or security investigators.