Flame espionage malware issues self-destruct command

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/security/2012/06/flame-espionage-malware-issues-self-destruct-command/

By Dan Goodin
ars technica
June 8, 2012

The Flame espionage malware that infected Iranian computers has 
initiated a self-destruct command that removes all traces of itself on 
infected machines that receive the instruction, researchers said.

The 20-megabyte piece of malware already had a self-destruct module 
known as SUICIDE that removed all files and folders associated with 
Flame, but the purging command observed by Symantec researchers instead 
relied on a file called browse23.ocx that did much the same thing. The 
removal tool, which researchers from Kaspersky Lab briefly documented 
last month, was downloaded from a command and control server still under 
the control of Flame attackers to several machines in a honeypot. White 
hats monitored the activities of the sophisticated malware, which is 
also known as Flamer and sKyWIper.

"This command was designed to completely remove Flamer," Symantec 
researchers wrote in a blog post. "The Flamer attackers were still in 
control of at least a few C&C servers, which allowed them to communicate 
with a specific set of compromised computers."

As a result, the compromised computers in the honeypot deleted at least 
163 files and four folders belonging to the sprawling set of modular 
code. The self-destruct mechanism then overwrote the disk with random 
characters to prevent researchers from studying the files.

[...]


--
Certified Ethical Hacker, ISSMP, ISSAP, CISSP training
with Expanding Security gives the best training and support.
Get a free live class invite weekly. Best programs, best prices.
http://www.ExpandingSecurity.com/PainPill