In Fitting Mission Impossible-Style Conclusion, Flame Malware Self-Destructs

No way are the authors letting researchers study their work if they can help it.

Sorry, we can’t help ourselves. (

Could the Flame malware infection be any more straight out of a spy movie? Answer: nope. Ars Technica reports that attackers have now issued a “suicide” command to the infected computers, thereby essentially scrubbing its tracks.

Discovered by Kaspersky Lab, the malware has made headlines because of the eye-catching little detail that, at 20 megabytes, it’s much bigger than the dreaded Stuxnet and designed to collect dirt on the user of the infected machine. That said, it’s not a particularly far-reaching infection, targeting largely computers in the Middle East, including Iran. Unsurprisingly, it’s thought to be nation-state designed, rather than the work of cyber criminals. Cyber criminals can probably jack your password without designing something that big. 

Symantec researchers broke it down (in a post dramatically named “Flamer: Urgent Suicide”):

Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers.

Ars Technica interprets:

As a result, the compromised computers in the honeypot [deliberately infected computers, used to study things like Flame] deleted at least 163 files and four folders belonging to the sprawling set of modular code. The self-destruct mechanism then overwrote the disk with random characters to prevent researchers from studying the files.

Maybe everyone’s gotten in wrong and Flame is an incredibly sophisticated viral marketing campaign for an upcoming Tom Clancy novel. Hey, it could happen.

In Fitting Mission Impossible-Style Conclusion, Flame Malware Self-Destructs