Information Security News mailing list archives
Flame espionage malware issues self-destruct command
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 11 Jun 2012 03:30:06 -0500 (CDT)
http://arstechnica.com/security/2012/06/flame-espionage-malware-issues-self-destruct-command/ By Dan Goodin ars technica June 8, 2012The Flame espionage malware that infected Iranian computers has initiated a self-destruct command that removes all traces of itself on infected machines that receive the instruction, researchers said.
The 20-megabyte piece of malware already had a self-destruct module known as SUICIDE that removed all files and folders associated with Flame, but the purging command observed by Symantec researchers instead relied on a file called browse23.ocx that did much the same thing. The removal tool, which researchers from Kaspersky Lab briefly documented last month, was downloaded from a command and control server still under the control of Flame attackers to several machines in a honeypot. White hats monitored the activities of the sophisticated malware, which is also known as Flamer and sKyWIper.
"This command was designed to completely remove Flamer," Symantec researchers wrote in a blog post. "The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers."
As a result, the compromised computers in the honeypot deleted at least 163 files and four folders belonging to the sprawling set of modular code. The self-destruct mechanism then overwrote the disk with random characters to prevent researchers from studying the files.
[...] -- Certified Ethical Hacker, ISSMP, ISSAP, CISSP training with Expanding Security gives the best training and support. Get a free live class invite weekly. Best programs, best prices. http://www.ExpandingSecurity.com/PainPill
Current thread:
- Flame espionage malware issues self-destruct command InfoSec News (Jun 11)