Could the writers of the Flame malware be attempting to cover their tracks?
Security software maker Symantec noticed this week that computers infected with Flame have sent out urgent commands to remove all traces of the malware from other systems.
Flame has been described as a “nightmare scenario” by security researchers, who are learning something new about the malware seemingly every day. But that education could be something that the malware’s writers want to put a stop to.
“This command was designed to completely remove Flamer from the compromised computer,” Symantec wrote in a blog post on Wednesday.
The functionality, however, is not entirely new. Research firm Kaspersky first mentioned the module in a research note published last week.
That the program’s writers would want to cover things up is unsurprising: meant to be a covert operation, Flame is currently very much exposed to those trying to understand it, which means it is not doing its job.
“Stealth is of the utmost importance in [Flame’s mission],” Kaspersky senior researcher Roel Schouwenberg told VentureBeat. “As such, the attackers will have wanted to remove their traces from at least a number of targets,” he said.
“It’s interesting to note that the version of the removal module that we have was compiled in mid-May,” he added. Clearly, Flame’s writers have had the erasure tactic in mind for quite some time.
Like most researchers, the company has been keeping an eye on the threat via so-called “honeypot” computers, which are used to lure and monitor threats like Flame.
With Flame, however, things are more dire. The malware is one of the most complicated in recent memory, which means that it’s pretty important for researchers to be able to study it. This is one fire they don’t want put out just yet.
Photo: Flickr/U.S. Army