Flame and its C&C Domains

Tuesday, June 05, 2012
Author: Richard S. Westmoreland
Permalink: flame-malware-command-control
Virus Alerts


I'll keep this brief because there are much better sources of information about what Flame (Skywiper) is and how it works.

So to summarize -

What Flame is:

http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat

This is a trojan used in cyber espionage, originally targeting Iran. It appears to have been around since 2010 (and maybe as early as 2008) and is touted as one of the most complex trojans and C&C infrastructures created to date.

How Flame works:

http://www.crysys.hu/skywiper/skywiper.pdf
http://blog.soleranetworks.com/2012/05/30/what-we-know-so-far-about-the-flame-trojan-3/

Both are excellent analyses that reverse engineer the application.



How Flame communicates:

http://www.securelist.com/en/blog?weblogid=208193540

That article lists some of the sinkholed domains and the partial IP addresses (octets) in use by the command and control servers.

http://malwaresurvival.net/2012/05/29/is-the-flame-malware-a-trojan-or-worm/

That post reveals one of the IP addresses used by the C&C servers.


One of the ways Flame has been able to hide itself is by signing its code with a compromised Microsoft cert:

http://www.f-secure.com/weblog/archives/00002377.html


I will update this article as more information becomes available. Keep in mind that although this started as a targeted attack limited to Iran, current statistics reveal that many more hosts in other countries have been compromised. Statistics from Kaspersky's KSN show at least 11 compromised hosts in the United States. Remember that Kaspersky is just one of many antivirus vendors, and not one of the top vendors in the US, which means the real number is far higher than 11.

UPDATE:

Flame received a suicide command from its command and control servers at the end of May, deleting all of its files and overwriting them with random garbage.