The Flame virus discovered last week targeting computers in Iran has been ordered to self-destruct, leaving no trace – and no indication of who created it.
While the 20MB behemoth contained a Suicide self-destruct module, its creators for some reason decided not to use this. Instead, they used a separate removal tool, browse32.ocx, downloaded from a command and control server still under the control of the attackers – a risky move, given the likelihood of detection.
“The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection,” says security company Symantec in a blog post.
“This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind.”
Ordering the virus to self-destruct in this way should help preserve its secrets. The move means that victims will never know if their data was stolen, and makes it harder to establish where the virus originated – although the US and Israel are widely suspected.
Virus experts have described Flame as particularly sophisticated, and requiring a very high degree of technical and mathematical knowledge.
It primarily hit machines in the Middle East, particularly in Iran, although infections have also been reported in Hungary, Russia and Hong Kong.