Security researchers investigating servers used by the highly-sophisticated Flame computer virus have found three related pieces of malware, one of which is believed to be in the wild.

Flame Malware
Credit: Kaspersky Lab

Research published today by Kaspersky Lab, Symantec and the International Communication Union (ICU) shows that those behind the Flame virus - believed to be the US and Israeli governments - may have produced at least three related pieces of malware or variants of Flame, which remain undiscovered. One of these is even believed to be still "in the wild."

The Flame cyber-espionage campaign was originally discovered in May 2012 by Kaspersky Lab during an investigation initiated by the International Communication Union.

Following initial investigation of the Flame virus it was discovered that it shared a common heritage with Stuxnet, the computer worm designed to target the Natanz nuclear facility in Iran, developed by the US government under its secretive Olympic Games cyber warfare program.

The security researchers have been forensically examining two command and control (C&C) servers used by the attackers to control the infected PCs. Analysis of these has uncovered that the initial C&C platform started as early as 2006. It had initially been estimated that Flame was in operation since March 2010.

Following its discovery in May of this year, all of Flame's C&C servers wet offline immediately, however, despite this the researchers were able to discover a lot of information about the virus and the programmers behind it. This was becasue the programmers made a basic mistake and manged to lock themselves out of the servers.

The amount of data being stolen was huge, with 5.7GB of data uploaded to a single server in just ten days, coming from more than 5,000 infected machines. Considering how long the virus went undetected, it is safe to assume the attackers would have collected many terabytes of data from thousands of infected PCs.


Flame was very sophisticated and able to record and collect password and login data; steal files; turn on the machine's microphone to record conversations and even collect phonebook information from mobile phones within range over Bluetooth.

The Flame servers were running a 64-bit version of the Debian operating system - which is a distribution of Linux. The code was written in the PHP programming language and the servers were disguised to look like an ordinary Content Management System (CMS), in order to avoid attention from the hosting provider.

Researchers found four separate communication protocols which were used to handle the data being stolen from the infected PCs. Only one of these was compatible with Flame, meaning at least three other types of malware used these C&C servers.

"There is enough evidence to prove that at least one Flame-related malware is operating in the wild. These unknown malicious programs are yet to be discovered," a statement from Kaspersky said.

It looks like the platform is still being developed, since a new, yet-not-implemented protocol called the 'Red Protocol' was found on the servers. The latest modification of the servers' code was made on 18 May, 2012 by one of the programmers.

"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers. Flame's creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data that one server was intended to keep," Kaspersky's Chief Security Expert, Alexander Gostev said.

"Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale."


The research has also uncovered some information about those responsible for the virus. While it is clear from the sophistication of the coding involved that this was a state-sponsored creation, it doesn't mean mistakes weren't made.

The research has shown that four programmers developed the code for the servers being examined and they all left their nicknames in the source code - a practice not associated with malware creators of this level.

"Maybe they just never expected their server to reach the wrong hands. But considering that [Flame] has links to Stuxnet and DuQu, we would have expected not to see these names. But also, at the end of the day, they're human," Vikram Thakur, a researcher with Symantec Security Response told Wired.

For more on this and other cyber security stories, make sure to visit out Cyber Warfare page.