The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis, security researchers from Symantec said on Wednesday.

Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control, Symantec's security response team said in a blog post.

The module is called browse32.ocx and its most recent version was created on May 9, 2012. "It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module," the Symantec researchers said.

However, even though it is similar in functionality to the SUICIDE feature -- both being able to delete a large number of files associated with the malware -- the new module goes a step further. "It locates every [Flame] file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection," the Symantec researchers said. "This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind."

Deleting a file in Windows does not remove its actual data from the physical hard disk. It only flags the hard disk sectors occupied by that file as available for the operating system to rewrite. However, since there is no way to predict when the operating system will actually overwrite those sectors, the deleted file, or portions of it, can be recovered with special data recovery tools -- at least for a limited period of time.

According to Aleks Gostev, chief security expert with Kaspersky Lab's global research & analysis team, the overwriting of file data with meaningless characters happens before the Flame files get deleted by browse32.ocx, not after as Symantec suggested. However, the goal is the same -- eliminating all traces of the malware and making forensic analysis harder, he said via email.

Last week, Kaspersky's researchers said that they discovered Flame while investigating a series of data loss incidents in Iran that could have been caused by a piece of malware. However, no evidence that links Flame to those attacks has been found yet.

Kaspersky's researchers didn't exclude the possibility that a yet-to-be-identified Flame component was responsible for the data destruction in Iran, but if such a component exists, it's probably not browse32.ocx. "Browse32 does not overwrite the hard disk the way Wiper [the mystery malware] did it," Gostev said. "It wipes only files related to Flame."
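To make the recovery point concrete, here is an added Python illustration (not code from the article, Symantec or Kaspersky) built on a toy in-memory disk model: ordinary deletion only clears an allocation bitmap, so a simple carving routine still finds the file's contents in unallocated space, whereas overwriting the sectors with random bytes before freeing them defeats the carver. The same model also shows the trace that approach leaves for an examiner: freed sectors full of random bytes have near-maximal Shannon entropy, unlike untouched free space. The sector size, disk size, the `FLAMELOG` header marker and the entropy threshold are constructed assumptions, not values from the page.

```python
import math
import os
from collections import Counter

SECTOR = 512          # toy sector size (assumption)
NUM_SECTORS = 64      # toy 32 KiB disk (assumption)
MAGIC = b"FLAMELOG"   # constructed header marker standing in for a recognisable file signature


class ToyDisk:
    """A tiny disk model: a byte array plus an allocation bitmap.

    This is an added illustration, not any real file system. Deleting a file
    only clears bitmap bits, matching the article's description of Windows:
    the bytes in the sectors are left untouched until something reuses them.
    """

    def __init__(self):
        self.data = bytearray(SECTOR * NUM_SECTORS)
        self.allocated = [False] * NUM_SECTORS
        self.files = {}  # name -> list of sector indices

    def write_file(self, name, payload):
        need = -(-len(payload) // SECTOR)  # ceiling division
        free = [i for i, a in enumerate(self.allocated) if not a][:need]
        if len(free) < need:
            raise OSError("toy disk full")
        for k, sec in enumerate(free):
            chunk = payload[k * SECTOR:(k + 1) * SECTOR].ljust(SECTOR, b"\x00")
            self.data[sec * SECTOR:(sec + 1) * SECTOR] = chunk
            self.allocated[sec] = True
        self.files[name] = free

    def delete_file(self, name):
        """Ordinary deletion: only mark the sectors as free."""
        for sec in self.files.pop(name):
            self.allocated[sec] = False

    def overwrite_then_delete(self, name):
        """Wipe-before-delete, the order Gostev describes: random bytes first, then free."""
        for sec in self.files[name]:
            self.data[sec * SECTOR:(sec + 1) * SECTOR] = os.urandom(SECTOR)
        self.delete_file(name)

    def unallocated_sectors(self):
        return [i for i, a in enumerate(self.allocated) if not a]


def carve(disk, magic=MAGIC):
    """Recovery-tool style carving: look for the header in unallocated sectors."""
    hits = []
    for sec in disk.unallocated_sectors():
        blob = bytes(disk.data[sec * SECTOR:(sec + 1) * SECTOR])
        if blob.startswith(magic):
            hits.append((sec, blob.rstrip(b"\x00")))
    return hits


def shannon_entropy(blob):
    """Bits per byte; 0 for a constant block, close to 8 for random bytes."""
    counts = Counter(blob)
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_unallocated(disk, threshold=7.0):
    """Freed sectors whose contents look random.

    Untouched free space is mostly zeros or leftover structured data, so
    high entropy in unallocated sectors is a hint to an examiner that
    something was deliberately overwritten there. The threshold is an
    assumption chosen for this toy model.
    """
    return [sec for sec in disk.unallocated_sectors()
            if shannon_entropy(disk.data[sec * SECTOR:(sec + 1) * SECTOR]) > threshold]


def demo_plain_delete():
    """Delete normally: the carver recovers the file from unallocated space."""
    d = ToyDisk()
    d.write_file("a.log", MAGIC + b" some recorded data")  # constructed sample content
    d.delete_file("a.log")
    return carve(d)


def demo_wipe_delete():
    """Overwrite then delete: carving fails, but the wiped sector stands out by entropy."""
    d = ToyDisk()
    d.write_file("a.log", MAGIC + b" some recorded data")
    d.overwrite_then_delete("a.log")
    return carve(d), suspicious_unallocated(d)


if __name__ == "__main__":
    print("after plain delete, carved:", demo_plain_delete())
    print("after wipe+delete, carved / suspicious sectors:", demo_wipe_delete())
```

Real file systems add structures this model leaves out (NTFS MFT entries, journals, slack space, volume shadow copies), each of which can keep fragments or metadata of a file even after its data sectors are overwritten; the entropy heuristic is correspondingly only a pointer for where to look, not proof of what was there.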