Attackers behind the Flame espionage malware that targeted computers in Iran used more than 80 different domain names to siphon computer-generated designs, PDF files, and e-mail from its victims, according to a new analysis from researchers who helped discover the threat.
The unknown authors of Flame shut down the sprawling command-and-control (C&C) infrastructure immediately after last Monday’s disclosure that the highly sophisticated malware had remained undetected for at least two years on computers belonging to government-run organizations, private companies, and others. The 80 separate domain names were registered using a huge roster of fake identities, and some of the addresses were secured more than four years ago.
“The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008,” Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. “In general, each fake identity registered only 2-3 domains, but there are some rare cases when a fake identity registered up to 4 domains…”