Security firm Symantec has witnessed Flame malware removing itself from infected machines, overwriting the information with random characters to cover its tracks. This process was discovered late last week on Symantec's "honeypot" computers, or machines that are purposely infected with malware for the purpose of monitoring and studying its behavior. Symantec's blog post on the finding says the instigating file is called "browse32.exe" and it uninstalls all traces of the malware — including this file — and replaces it with randomly generated characters, effectively blocking any attempt to investigate its presence. The so-called 'suicide' code was not successful at removing Flame from Symantec's computers, and the company determined that this version of the code was created on May 9th, before information on the malware became public, and was used as recently as two weeks ago.
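The anti-forensic trick described above, overwriting a file with random bytes so that recovery tools find only noise, leaves a tell-tale signature of its own: a file that should contain structured data but instead has near-maximal Shannon entropy and none of the expected format headers. The following script is an added example (not Symantec's tooling or anything from the Flame samples) of how an incident responder might triage a disk image or file collection for such residue. All file contents are constructed in-memory samples; the file names, the magic-number allow-list and the 7.5 bits/byte threshold are the author's assumptions.

```python
import math
import random
from collections import Counter

# Formats whose high entropy is expected and legitimate (compressed or
# packed containers). Anything matching one of these is not reported.
# Assumption: this short allow-list suffices for the demo; a real scan
# would use a full file-type identifier such as libmagic.
KNOWN_MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
}

# Random bytes score close to 8.0 bits/byte; text and most binaries sit
# well below. 7.5 is an assumed cut-off, not a published standard.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def identify(data: bytes):
    """Return the container type if the buffer starts with a known magic, else None."""
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def flag_wiped_files(files: dict) -> dict:
    """Return {name: entropy} for buffers that look like overwritten residue:
    high entropy with no recognisable header to explain it."""
    flagged = {}
    for name, data in files.items():
        entropy = shannon_entropy(data)
        if entropy >= ENTROPY_THRESHOLD and identify(data) is None:
            flagged[name] = round(entropy, 3)
    return flagged


def sample_files() -> dict:
    """Constructed sample collection: ordinary text, a PE-like DLL, a zip
    (legitimately high entropy) and an executable whose content has been
    replaced by random bytes, as the uninstaller in the article does."""
    rng = random.Random(2012)  # seeded so the demo is repeatable
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "notes.txt": b"The quick brown fox jumps over the lazy dog.\n" * 90,
        "update.dll": (b"MZ\x90\x00" + b"\x00" * 60
                       + b"This program cannot be run in DOS mode."
                       + b"\x00" * 3000),
        "archive.zip": b"PK\x03\x04" + noise,
        "browse32.exe": noise,  # wiped: no MZ header, pure noise
    }


if __name__ == "__main__":
    for name, ent in flag_wiped_files(sample_files()).items():
        print(f"possible wiped residue: {name} (entropy {ent} bits/byte)")
```

The magic-number allow-list is what keeps the check useful: encrypted archives, packed executables and media files are the main source of false positives for any entropy-based test, so the scan only reports high-entropy content that cannot be explained by its own header. On a real image the same test is worth running over unallocated space as well, since the overwritten file is typically deleted immediately afterwards.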
Cryptanalyst Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam analyzed Flame, and confirmed that the malware infects targeted machines by disguising itself as a valid Windows Update. Microsoft released an emergency update last weekend to address the malware, which was using a fraudulent certificate obtained in a cryptographic collision attack. There is no information yet on Flame's origins, but the complexity of the attack and the presence of this 'suicide' code to remove itself from targeted systems suggest that Flame originated from a nation-state rather than a fringe group. The malware is primarily active on systems in the Middle East and North Africa, with the highest concentration of infections found in Iran and Israel.
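The "fraudulent certificate obtained in a cryptographic collision attack" mentioned above works because a signer never signs the certificate itself, only its hash: if two different certificates share a digest, one signature covers both. The following added example (the author's own illustration, not Stevens's analysis or any real certificate) shows that mechanism with a deliberately crippled 16-bit toy hash, so that a collision between two chosen prefixes can be found in a fraction of a second, and then shows the mitigation Microsoft's update amounts to in practice: a verifier that insists on a collision-resistant digest rejects the second message. The key, the subject strings and the HMAC-over-digest stand-in for a real signature scheme are all constructed assumptions.

```python
import hashlib
import hmac

WEAK_DIGEST_BYTES = 2  # toy: a 16-bit digest, so collisions are cheap to find


def weak_hash(data: bytes) -> bytes:
    """Deliberately collision-prone digest (assumed stand-in for a broken hash)."""
    return hashlib.sha256(data).digest()[:WEAK_DIGEST_BYTES]


def strong_hash(data: bytes) -> bytes:
    """Full SHA-256, used by the hardened verifier."""
    return hashlib.sha256(data).digest()


def sign(key: bytes, message: bytes, digest_fn) -> bytes:
    # Like an X.509 CA, the signer commits only to the digest of the message.
    # HMAC is a stand-in for a real signature primitive (assumption).
    return hmac.new(key, digest_fn(message), "sha256").digest()


def verify(key: bytes, message: bytes, sig: bytes, digest_fn) -> bool:
    return hmac.compare_digest(sign(key, message, digest_fn), sig)


def find_chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, digest_fn, tries=4096):
    """Find two messages, one extending each prefix, with equal digests.
    Only feasible here because the toy digest is 16 bits wide."""
    seen = {}
    for i in range(tries):
        candidate = prefix_a + b"|" + str(i).encode()
        seen.setdefault(digest_fn(candidate), candidate)
    for j in range(tries):
        candidate = prefix_b + b"|" + str(j).encode()
        match = seen.get(digest_fn(candidate))
        if match is not None:
            return match, candidate
    return None


def demo() -> dict:
    key = b"constructed-demo-signing-key"
    benign_prefix = b"CN=Example Licensing,O=Example Corp"      # what the CA meant to sign
    rogue_prefix = b"CN=Example Code Signing,O=Example Corp"    # what also verifies
    pair = find_chosen_prefix_collision(benign_prefix, rogue_prefix, weak_hash)
    assert pair is not None, "toy collision search should always succeed"
    benign, rogue = pair
    weak_sig = sign(key, benign, weak_hash)
    strong_sig = sign(key, benign, strong_hash)
    return {
        "weak_benign_ok": verify(key, benign, weak_sig, weak_hash),
        "weak_rogue_ok": verify(key, rogue, weak_sig, weak_hash),      # signature transfers
        "strong_benign_ok": verify(key, benign, strong_sig, strong_hash),
        "strong_rogue_ok": verify(key, rogue, strong_sig, strong_hash),  # rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The lesson for a verifier is that the digest algorithm named inside a signature is part of the trust decision: a chain-building library that still accepts signatures over a hash with known practical collisions is accepting whatever the attacker could pair with the legitimately signed object. Rejecting such algorithms outright, and rotating any issuing certificate that used them, is the defensive counterpart of the update described in the article.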