Flame malware has 3 “undiscovered cyber-espionage” sisters, say researchers

Flame, the malware related to the infamous Stuxnet that hit Iranian nuclear systems in 2010, may have three sisters in the wild, according to new research by Russian security firm Kaspersky Lab.

Kaspersky Lab first announced the existence of Flame in May, saying it was deployed around two years prior in 2010, and had already affected thousands of computers. Work may have even started on the malware as early as 2007. It targeted a number of countries in the Middle East, and was called one of the most advanced cyber espionage tools to date.

Since May, Kaspersky Lab has been studying Flame’s command and control (C&C) servers: the servers that receive the data Flame steals and that the malware regularly reports back to. When researchers first accessed the command and control server’s dashboard, they immediately assumed it had been created by “script kiddies,” or young, inexperienced hackers. The writers also avoided using what Kaspersky calls “professional terms,” including bot, botnet, infection, or malware-command. Instead, they used words like backup, blog, and download. Kaspersky realized that the simplicity of the C&C home, as well as the vocabulary used, was meant to deceive anyone who might audit the server, such as a hosting provider, into mistaking it for an ordinary web application.

In addition to learning how the malware writers configured their “home base,” Kaspersky also found logs that recorded the nickname of each hacker, along with when that hacker worked on the C&C. The researchers withheld the nicknames in their analysis report but provided the initials O, D, H, and R, indicating that there were four separate developers. Each had a different job and accessed a different set of files within the system.

The four hackers also built four protocols, which communicated with different “clients,” or pieces of malware.

“A close look at these protocol handlers revealed four different types of clients codenamed SP, SPE, FL and IP,” said Kaspersky in its analysis. “We can confirm that the Flame malware was identified as client type FL. Obviously, this means there are at least three other undiscovered cyber-espionage or cyber-sabotage tools created by the same authors: SP, SPE and IP.”

What these three do and whether they are currently active is unknown.

The Flame virus, however, is enough to indicate what the sisters could do. While active, Flame unpacked 20 different modules that spied on the infected computer in different ways. It could tell when a communication app was open, such as Gmail or an instant messaging client, and take periodic screenshots to record the conversation. Flame could also turn on the computer’s microphone to record nearby audio.

Hat tip: Wired; Fire equipment image via Shutterstock