Flame malware makers send 'suicide' code

Screenshot of Flame The malware is said to have infected more than 600 specific targets

Related Stories

The creators of the Flame malware have sent a "suicide" command that removes it from some infected computers.

Security firm Symantec caught the command using booby-trapped computers set up to watch Flame's actions.

Flame came to light after the UN's telecoms body asked for help with identifying a virus found stealing data from many PCs in the Middle East.

New analysis of Flame reveals how sophisticated the program is and gives hints about who created it.

Clean machine

Like many other security firms Symantec has kept an eye on Flame using so-called "honeypot" computers that report what happens when they are infected with a malicious program.

Described as a very sophisticated cyber-attack, Flame targeted countries such as Iran and Israel and sought to steal large amounts of sensitive data.

Earlier this week Symantec noticed that some Flame command and control (C&C) computers sent an urgent command to the infected PCs they were overseeing.

Flame's creators do not have access to all their C&C computers as security firms have won control of some of them.

The "suicide" command was "designed to completely remove Flame from the compromised computer", said Symantec.

The command located every Flame file sitting on a PC, removed it and then overwrote memory locations with gibberish to thwart forensic examination.

"It tries to leave no traces of the infection behind," wrote the firm on its blog.

Analysis of the clean-up routine suggested it was written in early May, said Symantec.

Crypto crash

At the same time, analysis of the inner workings of Flame reveal just how sophisticated it is.

According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as "prefix collision attack". This allowed the virus to fake digital credentials that had helped it to spread.

The exact method of carrying out such an attack was only demonstrated in 2008 and the creators of Flame came up with their own variant.

"The design of this new variant required world-class cryptanalysis," said cryptoexpert Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam in a statement.

The finding gives support to claims that Flame must have been built by a nation state rather than cybercriminals because of the amount of time, effort and resources that must have been put into its creation. It is not yet clear which nation created the program.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

  • Cerro RicoSatanic mines

    Devil worship in the tunnels of the man-eating mountain


  • Nefertiti MenoeWar of words

    The woman who sparked a row over 'speaking white'


  • Oil pumpPump change

    What would ending the US oil export ban do to petrol prices?


  • Brazilian Scene, Ceara, in 1893Sir Snapshot

    19th Century Brazil seen through the eyes of an Englishman


BBC Future

(Getty Images)

Is it time to leave planet Earth?

How humans could inhabit the solar system Read more...

Programmes

  • Prof Piot, the first person to indentify Ebola virusHARDtalk Watch

    Ebola expert warns travellers could spread the disease further if it is not contained

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.