[ISN] Flame espionage malware issues self-destruct command

From: InfoSec News <alerts_at_private>
Date: Mon, 11 Jun 2012 03:30:06 -0500 (CDT)
http://arstechnica.com/security/2012/06/flame-espionage-malware-issues-self-destruct-command/

By Dan Goodin
ars technica
June 8, 2012

The Flame espionage malware that infected Iranian computers has 
initiated a self-destruct command that removes all traces of itself on 
infected machines that receive the instruction, researchers said.

The 20-megabyte piece of malware already had a self-destruct module 
known as SUICIDE that removed all files and folders associated with 
Flame, but the purging command observed by Symantec researchers instead 
relied on a file called browse23.ocx that did much the same thing. The 
removal tool, which researchers from Kaspersky Lab briefly documented 
last month, was downloaded from a command and control server still under 
the control of Flame attackers to several machines in a honeypot. White 
hats monitored the activities of the sophisticated malware, which is 
also known as Flamer and sKyWIper.

"This command was designed to completely remove Flamer," Symantec 
researchers wrote in a blog post. "The Flamer attackers were still in 
control of at least a few C&C servers, which allowed them to communicate 
with a specific set of compromised computers."

As a result, the compromised computers in the honeypot deleted at least 
163 files and four folders belonging to the sprawling set of modular 
code. The self-destruct mechanism then overwrote the disk with random 
characters to prevent researchers from studying the files.

[...]

Received on Mon Jun 11 2012 - 01:30:06 PDT