According to the research, Flame's command-and-control system was designed to look more like a content management system (CMS). Simple commands were used such as "upload," "client," "news," "blog" and "ads" that mimic a CMS interface rather than looking like other botnet interfaces.

"We believe this was deliberately done to deceive hosting company sys-admins who might run unexpected checks," Kaspersky wrote.

Surprisingly, those who modified Flame's code left nicknames embedded in the code along with timestamps. The researchers identified four people who modified the code, though the nicknames were censored in Kaspersky's writeup. One of the coders appeared to be the team's leader, while another specialized in advanced cryptography.

Kaspersky said it had received many questions about the amount of data Flame might have taken. Although it appeared that stolen information was transferred to other servers every 30 minutes, Flame's operators for some reason became locked out of one of the drop servers used to collect their stolen data. Flame may have collected as much as 5.5GB of compressed information in just a week.

Flame's controllers made another mistake: forgetting to delete log files that showed how many victim computers were sending back information. During a one-week period between the end of March and early April, some 3,702 unique IP addresses from Iran connected to that drop server, with another 1,280 from Sudan.