It’s like a car wreck. You can’t stop watching. Well… I can’t, anyway.
Symantec has been watching certain “infected” computers very closely to see what they’d do while infected with the “Flame” virus/Trojan.
So, earlier in the week, they noticed that certain Command an Control computers sent an urgent command to the infected PC’s these C&C computers were controlling. The key piece here is that the C&C computers didn’t ‘know’ that their victims no longer were under their control, but that some had been retaken by Symantec.
The C&C computers had sent a “suicide” activation message to the infected computers which would completely remove “Flame” from them, overwriting the space “Flame” was on with gibberish, and leave not a trace behind.
What else is new about “Flame”? It has a distinction (of sorts). It’s a ground breaking pioneer: Flame is the first malware to use “prefix collision attack” (an obscure cryptographic technique see arstechnica reference below), although the technique was first described in 2008.
Just because the “self destruct” message was sent to “Flame”, don’t think this is over. It isn’t. Getting the genie back in the lamp isn’t that easy.