火焰病毒软件被设计为可窃取图纸等PDF文件

域名最早注册时间是在2008年，使用至少22个不同IP地址，服务器运行Ubuntu Linux发行版。卡巴斯基与GoDaddy和OpenDNS合作，将域名重定向到其控制的服务器上，收集到了恶意程序上传的数据。








安全研究人员发现，Flame和Duqu有许多共同特征，都对受感染机器上的Autocad绘图文件感兴趣。为了限制窃取的文件数量和避免上传无关的文件，Flame会从PDF、电子表格和word文档中提取1KB样本，压缩和上传样本到命令控制服务器，然后攻击者发出指令抓取他们感兴趣的特定文档。



















与Duqu不同之处是，Duqu会利用SSH端口转发伪装攻击者的真实身份，而Flame则是直接上传到服务器，换句话说，它的幕后攻击者没有Duqu的操作者谨慎。



DuquFlame
Server OSCentOS LinuxUbuntu Linux
Control scriptsRunning on remote server, shielded through SSH port forwardingRunning on servers
Number of victims per server2-350+
Encryption of connections to serverSSL + proprietary AES-based encryptionSSL
Compression of connectionsNoYes, Zlib and modified PPMD
Number of known C;C’s domainsn/a80+
Number of known C;C IPs515+
Number of proxies used to hide identity10+Unknown
Time zone of C;C operatorGMT+2 / GMT+3Unknown
Infrastructure programming.NETUnknown
Locations of serversIndia, Vietnam, Belgium, UK, Netherlands, Switzerland, Korea, etc...Germany, Netherlands, UK, Switzerland, Hong Kong, Turkey, etc...
Number of built-in C;C IPs/domain in malware15, can update list
SSL certificateself-signedself-signed
Servers statusMost likely hackedMost likely bought
SSH connectionsnoyes