Saturday, 9 June 2012

Did the World's Nastiest Virus Try to Self-Destruct?


Whoever designed the Flame malware that's been found infecting computers across the Middle East clearly doesn't want it analyzed.
Servers controlling the virus sent a self-destruct command designed to clear any trace of the code from infected computers, computer security firm Symantec, which has been studying Flame, noted in a blog post this week.
As with other similar cyberattacks, Flame's authors run the malware via Command and Control, or C&C, servers. Some of those servers have fallen into the control of Symantec and other security firms -- trophies of victories won in the behind-the-scenes war being fought between cybersecurity firms and malware designers -- but others remain in the hands of Flame's authors.
Symantec has also been using so-called "honeypot" computers, which are purposely infected with malware, to study Flame like a biological virus is analyzed in a laboratory.
Computers infected with Flame, including honeypots, have been routinely contacting its C&C servers to check for new commands. When the C&C servers still owned by Flame's authors recently sent out a self-destruct code, Symantec detected the command immediately.
The self-destruct command was a file called "browse32.ocx." When the file is run on an infected computer, it automatically locates every bit of Flame's code, removes it, and writes random data over the original code. That process is designed to prevent anybody from studying Flame using a computer that's been infected but has received the self-destruct code.
"This command was designed to completely remove Flame from the compromised computer," wrote Symantec in its official blog. "This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the 'uninstaller.'"
"It tries to leave no traces of the infection behind," added Symantec.
Since some of Flame's C&C servers have slipped from the grasp of the malware's authors, not every computer infected with the malware will hear the self-destruct command.
The timing of the self-destruct is suspect: it seems to have happened just after Flame became widely reported. However, Symantec said the version of the self-destruct code it encountered was created in early May, before the virus was public knowledge. The security firm added that it's "very likely" that Flame's authors have sent out the self-destruct signal in the past, while also saying that it's witnessed the command being sent out "as late as just last week."
Harry Sverdlove, chief technical officer of the security firm Bit9, suggested that Flame's self-destruct code may have been added as a way to protect the author's intellectual property.
"You can look at Flame as one of the most highly sophisticated attacks of our time, and like any other program, it has intellectual property," Sverdlove told Mashable. "I'm just surmising, but it's a fairly good guess that the Flame authors are trying to protect their intellectual property."
Flame's origins are still unknown, but many experts believe that only a national government or military force has the expertise required to design malware as complex as Flame.
Sverdlove said that if a government is behind Flame, the self-destruct would make sense: if Flame's code was released online, it would only be a Google search away from that government's enemies.
"The stakes are a little higher in the sense that once things get exposed, all of a sudden the level of entry for similar attacks goes way down and the number of attacks goes way up," said Sverdlove.
Recently, a New York Times report alleged that the U.S. and Israel worked together to create Stuxnet, one of the most complex cyberattacks ever launched.
Why do you think Flame's creators would issue a self-destruct command? Share your thoughts in the comments.

(courtesy: news.yahoo.com)