Flame Virus Makers Send Suicide Command

The people behind the complex malware known as Flame, have send a suicide code which removes it from some infected computers.

According to security firm Symantec, the creators of Flame sent out this updated 'suicide' command last week, which was designed to "completely remove Flame from the compromised computer."

The creators of Flame were still in control of a number of Command and Control (C&C) servers and were able to communicate with a specific set of compromised PCs. It is the nature of compromised computers such as those infected with the Flame malware to regularly check-in with their C&C servers to receive updated instructions.

Following a request for an update from the remote computers, the C&C server was instructed to send them a file named browse32.ocx, which Symantec describe as "the module responsible for removing Flame from the compromised computer" or in other words, an uninstaller.

Symantec, like many other security firms has been keeping an eye on Flame with so-called 'honeypot' computers, designed to report when anything changes with the malware.

The uninstaller removes every file with Flame in the name on the compromised PC, and replaces it gibberish to hinder forensic examination. "Any client receiving this file would have had all traces of Flame removed, including this module itself," the company said on its blog.

The version of the uninstaller detected was created only a few weeks prior to the malware being uncovered, though it is likely according to Symantec that older versions of the module were used in the past.

Analysis of the Flame code has revealed a component called SUICIDE which is very similar in functionality to the browse32.ocx, but Symantec could not say why this was not used instead of sending the new file.

Flame designed by world-class cryptographers.

According to two cryptography experts, the Flame espionage malware achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers.

ArsTechnica reports that having analysed Flame, cryptography experts Marc Stevens and B.M.M. de Weger claim that the attack was unlike any seen before.

"More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant," Stevens wrote in a statement. "This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis. Further research will be conducted to reconstruct the entire chosen-prefix collision attack devised for Flame."

Described as one of the most complex pieces of malware in existence, it was uncovered following an investigation prompted by the International Telecommunications Union (ITU), and carried out by Kaspersky Lab and CrySyS Lab.

The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world.

Earlier this week it was uncovered that C&C servers "went dark" hours after the presence of Flame was made public on 28 May. C&C servers based in the UK, Hong Kong and Switzerland had been in operation for years.

From research by Kaspersky, it has been discovered that systems infected by Flame were mostly located in the Middle East, though there were some infected systems around the globe, as you can see in the map below.