Symantec has picked up the suicide command sent by the creators of Flame, which removes the malware from infected computers.
The security firm caught the command after using booby-trapped computers to watch Flame’s action. Symantec says that the command was designed to completely remove Flame from the compromised computers.
Symantec’s blog explains the process in more detail.
“Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarised as the module responsible for removing Flamer from the compromised computer. One could also call it the uninstaller.”
“The browse32.ocx module has two exports. Firstly EnableBrowser - This is the initialiser, which sets up the environment (mutex, events, shared memory) before any actions can be taken. And secondly StartBrowse - This is the part of the code that does the actual removal of the Flamer components.”
Described as a ‘very sophisticated cyber-attack’, Flame targeted countries such as Iran and Israel with the intention of stealing large amounts of sensitive data.
Want to receive up-to-the-minute tech news straight to your inbox? Then click here to sign up for the completely free PCR Daily Digest and Newsflash email services. You can also follow PCR on Twitter and Facebook.