Several months ago, the malware Flame was discovered, and shortly afterward it was linked to the Stuxnet and Duqu malware found in the past two years. Since then researchers have been examining the code as closely as they can to learn where it came from and how to protect against it. To that end, those at Kaspersky Labs have gotten an image of one of the command and control (C&C) servers for Flame, and made some very interesting discoveries.
When the researchers first looked at the login screen and control panel, they were surprised by its simplicity, since malware developers typically build flashy interfaces. They believe the plain design was deliberate, intended to make uninvolved server administrators think the C&C was an ordinary piece of software rather than something malicious. The researchers, of course, knew better, and on examining the code they found some very surprising, and at times disconcerting, information.
Based on the comments within the code, the C&C was written by at least four developers, and work started as early as December 2006, earlier than previous estimates. Development also continued until as recently as May of this year, when some code was updated. The C&C was designed to collect encrypted data from systems infected by Flame and pass it along to the developers, but it was also supposed to delete that data regularly. Because of mistakes by the developers, however, not everything was deleted, including a week's worth of stolen data that came to 5.5 GB compressed. That data was taken from just 5377 unique IPs, which suggests the actual size of the Flame botnet may be much larger than previous estimates.
The researchers also found something else that is quite troubling: the C&C was designed to operate more than just Flame. Three other clients were listed: SP, SPE, and IP. The logs that were not deleted from the C&C indicate that SPE is currently in the wild and active, though it is not the newest of these clients, and the purpose of none of them (except Flame) is known. Neither SP nor IP has been identified, but the researchers do know that IP is the newest of the four.