The controllers of Flame, the most powerful cyber weapon discovered to date, have recently sent a kill command that removes the malware from some infected computers.
However, the attackers are still in control of some command-and-control (C&C) servers, which allow them to communicate with a specific set of compromised computers, according to researchers at security firm Symantec.
The researchers caught the command using booby-trapped computers or "honeypots" that were set up to watch Flame, which was discovered by researchers at Kaspersky Lab in May during an investigation prompted by the International Telecommunication Union (ITU).
The Symantec researchers observed how the command locates every file of the malware on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection.
"It is natural that this component has not been seen and recovered from the field, but instead it was captured in honeypots. Any client receiving this file would have had all traces of Flame removed, including this module itself," the Symantec researchers wrote in a blog post.
Initial analysis revealed that Flame can steal valuable information, including – but not limited to – computer display contents, information about targeted systems, stored files, contact data and even verbal conversation, which could enable attackers to hijack administrative accounts and acquire high-level privilege to other computers and network locations.
It then emerged that Flame was using fraudulent Microsoft certificates to hijack Windows Update as a propagation method, prompting the software maker to suspend its Terminal Server Licensing Service and issue a security update for its operating system to block software signed by unauthorised certificates.
Now cryptographic experts have discovered that Flame is the first malicious program to use an obscure cryptographic technique known as "prefix collision attack", which allowed the malware to fake digital credentials that had helped it to spread.
The experts said the exact method of carrying out such an attack was demonstrated in 2008, and the creators of Flame came up with their own variant, according to the BBC.
"The design of this new variant required world-class cryptanalysis," said cryptoexpert Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam in a statement.
The finding supports claims that Flame was created by a nation state rather than cybercriminals because of the amount of time, effort and resources that must have been put into its creation.
The creators of Flame have yet to be identified, but the fact that it has been used only in highly targeted attacks points to a Western intelligence agency, according to Mikko Hypponen, F-Secure's chief research officer.