It is quite an impressive sample of software engineering and deployment:
Attackers behind the Flame espionage malware that targeted computers in Iran used more than 80 different domain names to siphon computer-generated designs, PDF files, and e-mail from its victims, according to a new analysis from researchers who helped discover the threat.
The unknown authors of Flame shut down the sprawling command-and-control (C&C) infrastructure immediately after last Monday’s disclosure that the highly sophisticated malware had remained undetected for at least two years on computers belonging to government-run organizations, private companies, and others. The 80 separate domain names were registered using a huge roster of fake identities, and some of the addresses were secured more than four years ago.
“The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008,” Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. “In general, each fake identity registered only 2-3 domains, but there are some rare cases when a fake identity registered up to 4 domains.”
Names used to obtain the domains included Adrien Leroy, Arthur Vangen, George Wirtz, Gerard Caraty, Ivan Blix, and at least 15 others. They claimed to reside in a host of cities in Europe and elsewhere, in some cases at addresses that turned out to belong to hotels such as the Appart’Hotel Residence Dizerens in Geneva or, with a slight modification, the Apple Inn in Amsterdam. Other fake identities used addresses of shops, organizations, or doctor’s offices. Because of the effectiveness and complexity of Flame and its targeting of Iran and other Middle Eastern computers, researchers have speculated it was sponsored by a wealthy nation-state.