The Flamer malware was really more of a cyber espionage tool. Security researchers have been analyzing a pair of recently discovered command-and-control servers that controlled Flamer, and they have uncovered some interesting and disturbing facts about Flamer from those servers.
According to the researchers, the cyber espionage tool that targeted the Middle East has likely been operational for more than five years. The researchers also note that the malware was active as recently as May 2012. The details are courtesy of security researchers from Symantec with help from researchers at Kaspersky Lab and others.
The researchers found that at least 1000 systems in the Middle East had been controlled by one machine in March. The other command-and-control server deleted spyware and erased its trail in May. Data gleaned from inside the command-and-control servers indicated to the researchers that the server software could communicate with five different clients: Flamer and four other programs.
According to the researchers, it’s unclear whether the other four clients the command-and-control servers could communicate with are still spying on computers today or were retired years ago in favor of Flamer. The researchers note that some of the code appears to be nothing more than a placeholder rather than an actual client. The researchers also noted that some of the packages used to update malware on victims’ computers, along with the intelligence downloaded from those computers, were encrypted on the servers and could not be decrypted. Comments in the code led the researchers to believe that the four individuals who coded Flamer spoke English.