Flame and its C&C Domains

I'll keep this brief because there are much better sources of information about what Flame (Skywiper) is and how it works.

So to summarize -

What Flame is:

http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat

This is a trojan used in cyber espionage, originally targeting Iran. It appears to have been around since 2010 (and maybe as early as 2008) and is touted as one of the most complex trojans and C&C infrastructures created to date.

How Flame works:

http://www.crysys.hu/skywiper/skywiper.pdf
http://blog.soleranetworks.com/2012/05/30/what-we-know-so-far-about-the-flame-trojan-3/

Those are both great analysis that reverse engineers the application.



How Flame communicates:

http://www.securelist.com/en/blog?weblogid=208193540

That article includes some of the sinkholed domains and IP octets in use by the command and control servers.

http://malwaresurvival.net/2012/05/29/is-the-flame-malware-a-trojan-or-worm/

There one of the IP addresses used by the C&C is revealed.


One of the ways Flame has been able to hide itself is by signing its code with a compromised Microsoft cert:

http://www.f-secure.com/weblog/archives/00002377.html


I will update this article as more information becomes available. Keep in mind that although this started as a targeted attack limited to Iran, current stats reveal that many more hosts in other countries have been compromised. Statistics based on Kaspersky's KSN notes at least 11 compromised in the United States. Remember that Kaspersky is just 1 of many antivirus vendors, and isn't one of the top vendors in the US - which means there are far more than 11.

UPDATE:

Flame received a suicide command from its command and control servers at the end of May, deleting all of its files and overwriting with random garbage.
  
Read the full article at Flame and its C&C Domains