Flame Hackers Kill Own Malware with Suicide Module

The creators of the Flame virus now appear to be attempting to remove it from the computers it has infected.

This bizarre move from hackers, who normally seek to increase rather than decrease the number of machines their code infects, may be part of a belated attempt to prevent further analysis of how Flame works.

The existence of Flame was announced late last month by security firm Kaspersky Lab.

At the time, Kaspersky noted the virus was exceptionally sophisticated and had been designed specifically to harvest data using tactics as diverse as taking screenshots and eavesdropping on phone conversations made via Voice over Internet Protocol (VoIP) services, like Skype.

Flame Blamed On National Government

Security analysts said that Flame was so sophisticated, it was almost certainly the work of a nation-state. There have also been suggestions that the timing of Flame's appearance marked it as a back up plan from the creators of the Stuxnet worm.

Stuxnet has been publicly linked to government sources from Israel and the United States.

Since Flame's existence first became public knowledge, several security firms have seized access to some of its command and control servers. These are the computers that tell infected machines what to do next.

Flame works on a modular approach: computers are first infected with a small amount of code, and then receive additional malicious code in modules designed to carry out specific tasks.

This approach has made wiping out the Flame virus more difficult, because different infected machines carry different combinations of its code.

New Suicide Module Follows Original Self-Destruct Code

Now the US-based security company Symantec says one of the command and control servers it is monitoring has received a new module designed to remove Flame completely from infected computers.

This module not only deletes the malicious code, but replaces it's location in memory and on disk with random characters, making forensic recovery of the Flame code almost impossible. (Source: symantec.com)

The "suicide code" module was apparently written in early May, a few weeks before Flame was first publicly exposed. The most likely explanation, according to experts, is that Flame's creators wanted a way to stop security analysts from uncovering its secrets.

In effect, the new module is the equivalent of sending a cyanide pill to a captured spy: once taken, it puts an end to any efforts to gain more information about the spyware's methods, origins, and purposes. (Source: arstechnica.com)

Symantec notes the original code for Flame contained a similar feature, explicitly dubbed "SUICIDE." But for unknown reasons the creators of Flame chose not to activate that feature and sent out the new module instead.