
Flame virus wiped from computers by suicide command

06/08/2012 12:28 EDT | Updated 08/08/2012 05:12 EDT

The operators of the Flame malware, which was unleashed against Iran, Israel and other countries and made public last week by security researchers, have deployed a "suicide" command intended to remove it from some infected machines.

The computer security firm Symantec reported that while monitoring the malware's activity, its staff saw the command-and-control (C&C) servers that direct it push a file designed to remove all traces of it to several computers infected with Flame, also known as Flamer or sKyWIper.

"Compromised computers regularly contact their pre-configured control server to acquire additional commands," Symantec wrote in a blog post earlier this week. "Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer."

This specific suicide code was created on May 9, just a few weeks before the existence of Flame was made public, but similar wipe commands had likely been deployed before, Symantec said.
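The behaviour Symantec describes, regular polling of a pre-configured server followed by delivery of a loadable module such as browse32.ocx, leaves a recognisable pattern in web proxy logs. The following Python detector is an added example, not Symantec's analysis and not Flame's own code: it reads a constructed log excerpt, flags client/server pairs that fetch one path at a near-constant interval, and then flags any response on such a channel that either names a loadable module or is far larger than the channel's usual poll reply. The log layout, the host names and the /files/browse32.ocx path are assumptions made for illustration; only the module's file name comes from the article.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed proxy-log excerpt for illustration (not real traffic). Assumed
# field layout: epoch_seconds client_ip method host path status response_bytes
# Host names and the /files/browse32.ocx path are hypothetical; only the
# module file name browse32.ocx comes from Symantec's description.
SAMPLE_LOG = """\
1336550400 10.0.0.12 GET cc.example.test /cgi-bin/poll 200 310
1336550420 10.0.0.12 GET news.example.test / 200 51200
1336550700 10.0.0.12 GET cc.example.test /cgi-bin/poll 200 310
1336550950 10.0.0.12 GET news.example.test /story/42 200 60311
1336551000 10.0.0.12 GET cc.example.test /cgi-bin/poll 200 310
1336551300 10.0.0.12 GET cc.example.test /cgi-bin/poll 200 310
1336551600 10.0.0.12 GET cc.example.test /cgi-bin/poll 200 310
1336551604 10.0.0.12 GET cc.example.test /files/browse32.ocx 200 198656
1336550100 10.0.0.33 GET news.example.test / 200 51200
1336552300 10.0.0.33 GET news.example.test /story/7 200 48000
1336553120 10.0.0.33 GET news.example.test /story/9 200 47211
"""

# Extensions Windows will load as code; a server that ships one of these over
# a polling channel is delivering a module, not a web page.
MODULE_EXTENSIONS = (".ocx", ".dll", ".exe", ".sys")


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        records.append({"ts": int(ts), "client": client, "method": method,
                        "host": host, "path": path, "status": int(status),
                        "bytes": int(size)})
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Find (client, host) pairs that fetch one path at a near-constant
    interval: at least min_hits requests whose inter-arrival times have a
    coefficient of variation (stdev / mean) of at most max_cv.
    Returns {(client, host): {"path", "interval", "typical_bytes"}}."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["host"], r["path"])].append(r)
    beacons = {}
    for (client, host, path), reqs in by_key.items():
        if len(reqs) < min_hits:
            continue
        times = sorted(r["ts"] for r in reqs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[(client, host)] = {
                "path": path,
                "interval": avg,
                "typical_bytes": median(r["bytes"] for r in reqs),
            }
    return beacons


def find_module_deliveries(records, beacons, size_factor=10):
    """On each beaconing channel, flag a successful response that either names
    a loadable module or is far larger than the channel's usual poll reply;
    the size test also catches a module shipped in the body of the poll itself."""
    hits = []
    for r in records:
        chan = (r["client"], r["host"])
        if chan not in beacons or r["status"] != 200:
            continue
        by_name = r["path"].lower().endswith(MODULE_EXTENSIONS)
        by_size = r["bytes"] >= size_factor * beacons[chan]["typical_bytes"]
        if by_name or by_size:
            hits.append({"ts": r["ts"], "client": r["client"], "host": r["host"],
                         "path": r["path"], "bytes": r["bytes"],
                         "reason": "module-name" if by_name else "oversized-reply"})
    return hits


def analyze(text):
    """Convenience wrapper returning (beacons, deliveries) for a log excerpt."""
    records = parse_log(text)
    beacons = find_beacons(records)
    return beacons, find_module_deliveries(records, beacons)


if __name__ == "__main__":
    beacons, deliveries = analyze(SAMPLE_LOG)
    for (client, host), info in beacons.items():
        print(f"beacon: {client} -> {host}{info['path']} every {info['interval']}s")
    for hit in deliveries:
        print(f"delivery: {hit['client']} got {hit['path']} "
              f"({hit['bytes']} bytes, {hit['reason']})")
```

Legitimate software updaters poll on a fixed schedule and download executables too, so in practice the beacon list needs an allowlist of known update domains before the module-delivery check is worth acting on. The combination worth prioritising is the one Symantec observed: a channel that polls for weeks, receives one module, and then goes silent because the module removed the implant; once the beacon stops, the host should be imaged promptly, since the whole point of such a module is to leave nothing behind to examine.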

Security researchers uncovered Flame while trying to trace a separate piece of malware that was wiping data from computers in Europe and the Middle East. What they found was a powerful, previously undetected piece of malware far larger and more capable than the infamous Stuxnet worm, which had sabotaged centrifuges at Iran's uranium enrichment facility at Natanz and was discovered in 2010.

Flame can do damage in many ways

Flame stands out for the variety of ways it can collect information: taking screenshots, recording audio from the microphone, logging keystrokes, harvesting passwords, and using Bluetooth to find nearby devices and pull data from them. It was also built with an uninstall capability that lets its control servers wipe it from a machine remotely if necessary.

Security experts estimate that Flame has been in use since at least 2010, and possibly as early as 2007, and that it was most likely created by a nation-state. To date, those tracking it have found infections in several Middle Eastern countries, including Iran, Israel, Lebanon and Syria.

Iran's Maher Computer Emergency Response Team Co-ordination Centre acknowledged that the malware was likely behind a recent large-scale loss of data in the country, but said it had developed a tool to detect and remove it.

Experts suspect that although Flame shares some characteristics with Stuxnet and was probably in use at the same time, it was most likely written by a different team.

Stuxnet is believed to have been created by U.S. and Israeli intelligence agencies, a suspicion that surfaced again this week in a new book by New York Times journalist David E. Sanger.
