For the past week the OpenDNS Security Research team has been closely collaborating with security company Kaspersky Lab to better understand Flame, the complex malware toolkit infecting targeted systems in Iran, Lebanon, Syria, Sudan and other Middle Eastern and North African states. As the world’s largest Internet security network and DNS provider, serving more than 50 million Internet users, OpenDNS is in a highly opportune position to decipher malware like Flame. In partnership with Kaspersky, we’ve been specifically monitoring its C&C infrastructure and have succeeded in sinkholing most of its malicious domains, which has allowed us unique insight into where the malware’s infections are and, potentially, what it aims to do.

As you can see from the infographic below, there have been more than 85 C&C domains that were embedded into the Flame malware, and those domains were registered as far back as 2008. Additionally, the domains, on average, have been moving around across four IP addresses each and the attackers used more than 20 different registration companies to register them.

This research and insight is a prime example of what’s possible when multiple organizations within the Internet security discipline work collaboratively. What’s particularly impressive in this case is the partnership of an organization with access to big data sets, such as OpenDNS Security Research, and a security software company such as Kaspersky Lab. Both collaboration with other security entities, and turning big data into something useful for securing our customers’ Internet experience, are two prime aims of OpenDNS in 2012. Look for a great deal more of this type of collaboration from us in the near future.

Do we know exactly who is behind Flame? The answer is no. This is very difficult, and our role in this operation has been to work together with the security community, in particular Kaspersky Lab, and provide technical insight into the malware, its operations, behavior, history and backend.


What we can say is that Flame is indeed a sophisticated operation. The domains were clearly registered by people and not through a domain name generation algorithm. And not only was the malware designed to send data in small packets, but the domains are disguised as regular Internet traffic. The most obvious reason is to go under the radar.

Note: OpenDNS security products have been categorizing and blocking the C&C domains within our products since early May, 2012.

Tagged with: