A Massive Web of Fake Identities and Websites Controlled Flame Malware

Map showing the number and geographical location of Flame infections on Kaspersky customer machines. Courtesy of Kaspersky Lab

The attackers behind the complex Flame cyberespionage toolkit, believed to be a state-sponsored operation, used an extensive list of fake identities to register at least 86 domains, which they used as part of their command-and-control center, according to researchers at Russia-based antivirus firm Kaspersky Lab.

Kaspersky says the size of the command-and-control infrastructure, which appears to have been still partially active a few days ago even after the operation was publicly exposed, exceeds anything they’ve seen before.

“The huge amount of fake domains and fake identities used to run this infrastructure is pretty much unprecedented and unlike any other malware that we have seen before,” said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. “In my opinion, it’s an indication of the huge resources which went into this project.”

Many of the domains, set up as early as 2008 in some cases and as late as April this year, were registered with the GoDaddy registrar service, and used fake addresses in Germany and Austria, with Vienna being a particularly popular choice for the attackers, according to research done by Kaspersky. A lot of the addresses tracked to places like hotels, medical offices, and shops. At least one address was for the British library in Paris and shops. Other addresses did not appear to exist at all.

The domains pointed to 24 IP addresses, at various times, that were located in Germany, Poland, Malaysia, Latvia, Switzerland, Turkey, the Netherlands, Hong Kong and other places.

The attackers used each identity only two or three times on average to register a domain, before choosing a new one. It’s not clear what they used to pay for the domains. Kaspersky referred the question to GoDaddy, but the registrar did not respond to a request for comment.

Cybercriminals often use stolen credit card numbers to pay for domains used in their operations, but since Flame is believed to be a state-run operation, the attackers likely used pre-paid cards issued under fake names to register the domains.

Although the domains went dark about an hour after news of the operation broke worldwide last Monday, suggesting the attackers were shutting down the mission, at least three infected machines in Iran, Iraq, and Lebanon were upgraded by the attackers with new versions of the malware after this occurred, Schouwenberg said, suggesting a certain boldness on their part.

Two of the machines went from having version 2.212 of Flame installed on them to suddenly having version 2.242.

“This means basically that this week, after the [news] announcement, the Flame command-and-control network was still operational and sending updates, possibly commands, to the victims,” Schouwenberg said. “Which, in my opinion, this is quite amazing, that despite all this noise and the story being everywhere, they’re still using the command-and-control infrastructure to send updates.”

Flame has a hardcoded password, ‘LifeStyle2’, that infected machines use to connect to command-and-control servers. Courtesy of Kaspersky

New findings also show that the attackers were particularly interested in stealing AutoCAD drawings from infected machines, according to the types of stolen files Kaspersky has seen infected machines trying to upload to the attackers’ domains.

AutoCAD is a popular software program that is used to render computerized models and schematics for architectural designs and consumer products, as well for the layout of machinery and networks at plants and factories, including critical infrastructure facilities.

The interest in AutoCAD documents is something Flame shares with DuQu, another espionage tool that was discovered on machines in various countries last year and is closely related to Stuxnet, the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010.

Flame is a 20MB malicious toolkit that consists of at least 20 known modules that can be swapped in and out to provide various functionality for the attackers – such as eavesdropping on conversations via the internal microphone on an infected computer, stealing documents or taking screenshots of email and instant message communications — depending on what the attackers want to do on a particular machine.

The toolkit is believed be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and DuQu.

Flame appears to have been operating in the wild as early as March 2010, though there are clues that the malware may have been active as early as 2007. It was only discovered about three weeks ago by Kaspersky. It’s believed to have infected about 1,000 machines in the Middle East and elsewhere.

After news of Flame broke last Monday and the attackers shut down their domains, infected machines contacting the servers to report in and receive commands were met with 403/404 errors.

The researchers had already set up a sinkhole, however, and worked with GoDaddy and OpenDNS to divert traffic for about 30 of the domains to their sinkhole instead. This means that stolen files that would have landed in the hands of the attackers, are now being delivered to Kaspersky, though they’re encrypted by the malware before they’re sent out to Kaspersky.

The researchers got their first hit from an infected machine late that first evening after the redirect was completed, and have received communication from 118 infected systems from 18 countries and the Occupied West Bank since then.

Chart showing the domains the attackers registered for Flame and the registration dates. Courtesy of OpenDNS

Because antivirus firms distributed signatures and tools to detect and remove Flame quickly last week, the machines contacting the sinkhole are ones that either didn’t have antivirus installed on them, or don’t have updated signatures installed and are therefore still infected. These include 45 machines in Iran, 21 in Lebanon, 14 in Sudan, and 8 in the United States.

Each time an infected machine tries to contact the attack domains, they use a hardcoded password, LifeStyle2, to identify themselves as a Flame-infected machine. The password is coded into the malware’s configuration file, but can be changed.

Once a connection is established, the infected machine begins uploading compressed and encrypted packages of data, including an activity log that records everything the malware has done on the infected machine as well as a list of files it has sent to the attackers.

To avoid uploading entire documents from an infected machine to the attackers — which would mean collecting a lot of data in which they have no interest — the attackers designed their malware to just parse through PDFs, Excel and word-processing documents and extract a 1-kilobyte sample of the text. The malware then compresses and uploads the sample text to a command-and-control domain where, presumably, the attackers would pick through the contents and instruct the malware to then grab only specific documents that interested them.

Kaspersky still hasn’t figured out definitively if Flame is related to a piece of malware called “Wiper” that Iran reported had deleted files from machines at its Oil Ministry in April. The researchers have not found any module for Flame that wipes out files in the way that “Wiper” reportedly did, but have not ruled out that a wiper module may exist for Flame that they haven’t found yet.

One final new tidbit about Flame: the researchers previously reported that a kill module for Flame, called “browse32,” can be sent out by the attackers to wipe Flame off of systems. The kill module, they previously stated, searches for every trace of the malware on the system, including stored files full of screenshots and data stolen by the malware, and eliminates them, leaving nothing of the malware left behind.

The researchers now say that there is a mistake in the kill module and instead of deleting every trace of Flame, it leaves one file behind. The file is named “~DEB93D.tmp.” It’s the same file that Kaspersky has been instructing users to look for on their systems to determine if they are infected with Flame.