Flamer Malware Spied on Middle East for More Than Five Years

An analysis of two newly discovered command-and-control servers sheds new light on the cyber-espionage tool known as Flamer.

The Flamer cyber-espionage tool that targeted the Middle East has likely been operational for more than five years and as recently as May 2012, according to an analysis published by security firm Symantec on Sept. 17.

Analyzing records from two command-and-control (C&C) servers discovered by security researchers, Symantec, along with Kaspersky Lab, the International Multilateral Partnership Against Cyberthreat (IMPACT) and the German computer emergency response team (CERT-Bund), found that at least 1,000 systems in the Middle East had been controlled by one machine in March, while the other deleted spyware and erased its trail in May.

In addition, data inside the C&C servers indicated that the software could communicate with five different clients, Flamer plus four others, said Vikram Thakur, principal security response manager with Symantec.

It's unclear if those clients are still spying on computers today or are old and outdated, he said. In addition, one of the codes appears to be a placeholder and may not indicate an actual client.

"There are codes for five different client types; Flamer is one of those," Thakur said. "We don't know what the other client types are, but clearly the back-end code was meant to handle much more than the Flamer that we know of today."

The analysis comes after successive revelations about espionage activities being conducted worldwide. In June 2010, a small antivirus firm found the Stuxnet worm, which later investigation revealed to be a cyber-weapon focused on shutting down Iran's nuclear processing capability. Yet it turns out that Stuxnet had only been the latest attack. University researchers found another program, dubbed Duqu, which spied on Middle Eastern governments and companies. Then the researchers discovered a third program, Flame, which preceded both attacks.

White House officials later confirmed that the United States had taken part in the development of Stuxnet, according to a book penned by a New York Times writer.

While the latest analysis does not shed light on the origin of the programs, it does give some hints as to how the people behind the most studied cyber-attacks operated.

For example, both systems used a Web application called "Newsforyou" for communications to make any traffic appear legitimate. The packages used to update the spying software on victims' computers, as well as any downloaded intelligence, were encrypted on the servers and could not be decrypted, Thakur said, while the operators of the command-and-control servers aimed to minimize any trace of their activities.

"They were very careful. They went to lengths to make sure that they disabled logging. They made sure that they set up scheduled tasks-cron jobs-to periodically wipe out or shred the data that was logged on the servers, but they missed a good amount," Thakur said.

In its own report on the discovery, security firm Kaspersky Lab stated that the Web application was disguised as a news site to hide its true purpose.

"The C&C developers didn't use professional terms such as bot, botnet, infection, malware-command or anything related in their control panel. Instead they used common words like data, upload, download, client, news, blog, ads, backup etc.," the company wrote. "We believe this was deliberately done to deceive hosting company sys-admins who might run unexpected checks."

Comments in the server software indicate that the Web application was coded by four individuals, whose names were redacted except for the first letters: D, H, O and R. Dates in the comments also indicate that development began on the project in December 2006. The majority of the development was done by January 2007 with additional work completed in September 2007 and in 2011.

The analysis shows a good number of mistakes by the developers, who appear to be English speakers, said Thakur.

"The comments are in English, [and] typos [are] very much from English," he said. "Overall, the picture is that these are very human guys. They are prone to errors, and don't really care about it and I doubt if too many people [were] going through their code."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...