Flame Malware: Everything You Need To Know About The World’s Most Dangerous Malware

A new type of malware named Flame (also known as Flamer, sKyWIper, Skywiper and Flamer.A), discovered on 28th May 2012, has been making headlines in the computer security world and has been dubbed the most discreet and dangerous malware ever. It is the most complicated piece of software yet created for cyber warfare and is speculated to have been active since 2007 (around five years!!).

The malware was first identified by the Russian security firm Kaspersky Lab in May 2012, after the firm was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.

Following are some of the very unusual behaviors and tactics exhibited by this malware:

  • It is an unusually large program, about 20 megabytes in size, and attacks the Microsoft Windows operating system.
  • Is believed to be sponsored by a nation-state.
  • Is partly written in the Lua scripting language with compiled C++ code linked in. The malware also makes use of assembly language.
  • Is capable of spreading through USB devices and local networks.
  • Is highly modular, making it highly flexible and capable of carrying out any task for its attackers.
  • Has several modules that can be added, removed and turned on/off from a remote location.
  • Is speculated to have been roaming undetected in the wild since as early as 2007.
  • Uses five encryption algorithms and an SQLite database to communicate and store data.
  • Is believed to be 20 times more complicated than the Stuxnet and Duqu malware and would take about 10 years to be completely understood by security experts.
  • Is capable of stealthily switching on devices such as microphone, Bluetooth and camera to siphon off information. It also takes system screenshots and keystrokes from time to time and adjusts its frequency based on the type of active applications.
  • According to estimates by Kaspersky, Flame has infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. As of May 2012, the countries most affected are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.


Following are some more gory and technical details taken from Bitdefender Labs.

The following is the list of modules that have been discovered and inspected so far:

  1. EUPHORIA (controls the spreading mechanism via USB sticks)
  2. JIMMY (deals with data leakage)
  3. GATOR (responsible for communication between the infected host and the C&C servers)
  4. MICROBE (used to record audio and upload the captured audio streams to a remote location)
  5. FROG (purpose: unknown as of 31st May 2012)
  6. FLASK (purpose: unknown as of 31st May 2012)
  7. GADGET (purpose: unknown as of 31st May 2012)
  8. MUNCH (purpose: unknown as of 31st May 2012)
  9. SNACK (purpose: unknown as of 31st May 2012)
  10. SUICIDE (used to automatically clean up the system when the appropriate command is issued by remote attackers)
  11. REAR_WINDOW [nteps32.ocx] (spying component)
  12. atmpsvcn.ocx (purpose: unknown as of 31st May 2012)


The EUPHORIA module controls the spreading mechanism via USB sticks. It also exploits the system’s autorun feature.

[fragment of the configuration file for the EUPHORIA module]
EUPHORIA.PayloadNamesList.1.data.PayloadName           string  Lss.ocx
EUPHORIA.PayloadNamesList.2.data.PayloadName           string  System32.dat
EUPHORIA.PayloadNamesList.3.data.PayloadName           string  NtVolume.dat

[Image: Lua script controlling the EUPHORIA component. Source: Bitdefender Labs]


Flamer particularly focuses on documents, pictures and CAD files. The analysis also reveals that the MICROBE component is used to record audio and upload the captured audio streams to a remote location.

[fragment of the configuration file for the MICROBE module]
MICROBE.DEFAULT_RATE                                dword   20000
MICROBE.SAMPLING_RATE                               dword   32000
MICROBE.MIN_ENERGY                                  dword   0
MICROBE.SEGMENT_LENGTH_SECS                         dword   600
MICROBE.RUN_MODE


The SUICIDE component is responsible for wiping the malware's footprints from the system when the attackers issue a remote command. The files it references are listed below:

SUICIDE.RESIDUAL_FILES.A string %temp%\~a28.tmp
SUICIDE.RESIDUAL_FILES.B string %temp%\~DFL542.tmp
SUICIDE.RESIDUAL_FILES.C string %temp%\~DFL543.tmp
SUICIDE.RESIDUAL_FILES.D string %temp%\~DFL544.tmp
SUICIDE.RESIDUAL_FILES.E string %temp%\~DFL545.tmp
SUICIDE.RESIDUAL_FILES.F string %temp%\~DFL546.tmp
SUICIDE.RESIDUAL_FILES.G string %temp%\~dra51.tmp
SUICIDE.RESIDUAL_FILES.H string %temp%\~dra52.tmp
SUICIDE.RESIDUAL_FILES.I string %temp%\~fghz.tmp
SUICIDE.RESIDUAL_FILES.J string %temp%\~rei524.tmp
SUICIDE.RESIDUAL_FILES.K string %temp%\~rei525.tmp
SUICIDE.RESIDUAL_FILES.L string %temp%\~TFL848.tmp
SUICIDE.RESIDUAL_FILES.M string %temp%\~TFL849.tmp
SUICIDE.RESIDUAL_FILES.N string %temp%\~ZFF042.tmp
SUICIDE.RESIDUAL_FILES.O string %temp%\GRb9M2.bat
SUICIDE.RESIDUAL_FILES.P string %temp%\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.Q string %temp%\scaud32.exe
SUICIDE.RESIDUAL_FILES.R string %temp%\scsec32.exe
SUICIDE.RESIDUAL_FILES.S string %temp%\sdclt32.exe
SUICIDE.RESIDUAL_FILES.T string %temp%\sstab.dat
SUICIDE.RESIDUAL_FILES.U string %temp%\sstab15.dat
SUICIDE.RESIDUAL_FILES.V string %temp%\winrt32.dll
SUICIDE.RESIDUAL_FILES.W string %temp%\winrt32.ocx
SUICIDE.RESIDUAL_FILES.X string %temp%\wpab32.bat
SUICIDE.RESIDUAL_FILES.Z string %windir%\system32\commgr32.dll
SUICIDE.RESIDUAL_FILES.A1 string %windir%\system32\comspol32.dll
SUICIDE.RESIDUAL_FILES.A2 string %windir%\system32\comspol32.ocx
SUICIDE.RESIDUAL_FILES.A3 string %windir%\system32\indsvc32.dll
SUICIDE.RESIDUAL_FILES.A4 string %windir%\system32\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.A5 string %windir%\system32\modevga.com
SUICIDE.RESIDUAL_FILES.A6 string %windir%\system32\mssui.drv
SUICIDE.RESIDUAL_FILES.A7 string %windir%\system32\scaud32.exe
SUICIDE.RESIDUAL_FILES.A8 string %windir%\system32\sdclt32.exe
SUICIDE.RESIDUAL_FILES.A9 string %windir%\system32\watchxb.sys
SUICIDE.RESIDUAL_FILES.A10 string %windir%\system32\winconf32.ocx
SUICIDE.RESIDUAL_FILES.A11 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\rccache.dat
SUICIDE.RESIDUAL_FILES.A12 string %windir%\system32\mssvc32.ocx
SUICIDE.RESIDUAL_FILES.A13 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A14 string %COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A15 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A16 string %COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A17 string %SYSTEMROOT%\Temp\~8C5FF6C.tmp
SUICIDE.RESIDUAL_FILES.A18 string %windir%\system32\sstab0.dat
SUICIDE.RESIDUAL_FILES.A19 string %windir%\system32\sstab1.dat
SUICIDE.RESIDUAL_FILES.A20 string %windir%\system32\sstab2.dat
SUICIDE.RESIDUAL_FILES.A21 string %windir%\system32\sstab3.dat
SUICIDE.RESIDUAL_FILES.A22 string %windir%\system32\sstab4.dat
SUICIDE.RESIDUAL_FILES.A23 string %windir%\system32\sstab5.dat
SUICIDE.RESIDUAL_FILES.A24 string %windir%\system32\sstab6.dat
SUICIDE.RESIDUAL_FILES.A25 string %windir%\system32\sstab7.dat
SUICIDE.RESIDUAL_FILES.A26 string %windir%\system32\sstab8.dat
SUICIDE.RESIDUAL_FILES.A27 string %windir%\system32\sstab9.dat
SUICIDE.RESIDUAL_FILES.A28 string %windir%\system32\sstab10.dat
SUICIDE.RESIDUAL_FILES.A29 string %windir%\system32\sstab.dat
SUICIDE.RESIDUAL_FILES.B1 string %temp%\~HLV751.tmp
SUICIDE.RESIDUAL_FILES.B2 string %temp%\~KWI988.tmp
SUICIDE.RESIDUAL_FILES.B3 string %temp%\~KWI989.tmp
SUICIDE.RESIDUAL_FILES.B4 string %temp%\~HLV084.tmp
SUICIDE.RESIDUAL_FILES.B5 string %temp%\~HLV294.tmp
SUICIDE.RESIDUAL_FILES.B6 string %temp%\~HLV927.tmp
SUICIDE.RESIDUAL_FILES.B7 string %temp%\~HLV473.tmp
SUICIDE.RESIDUAL_FILES.B8 string %windir%\system32\nteps32.ocx
SUICIDE.RESIDUAL_FILES.B9 string %windir%\system32\advnetcfg.ocx
SUICIDE.RESIDUAL_FILES.B10 string %windir%\system32\ccalc32.sys
SUICIDE.RESIDUAL_FILES.B11 string %windir%\system32\boot32drv.sys
SUICIDE.RESIDUAL_FILES.B12 string %windir%\system32\soapr32.ocx
SUICIDE.RESIDUAL_FILES.B13 string %temp%\~rf288.tmp
SUICIDE.RESIDUAL_FILES.B14 string %temp%\~dra53.tmp
SUICIDE.RESIDUAL_FILES.B15 string %systemroot%\system32\msglu32.ocx
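The two configuration fragments above (the EUPHORIA payload names dropped on USB media and the SUICIDE residual-file list) are usable as host indicators. The following is an added example, not code from the original post or from Bitdefender Labs: it expands the Windows environment variables in a subset of the residual-file paths quoted above, checks which of them exist, and checks the root of a given removable drive for the three EUPHORIA payload names. The environment mapping and the file-existence callback are parameters so the logic can be exercised offline against constructed data; the drive letter in the live run (`E:\`) is an assumed placeholder.

```python
"""Host indicator check for Flame residual files and USB payload names.

Added example, not from the original post or Bitdefender Labs. Paths are a
subset of the SUICIDE.RESIDUAL_FILES values and the EUPHORIA PayloadNamesList
values quoted on the page.
"""
import os
import re
from typing import Callable, Dict, Iterable, List

# Subset of the SUICIDE.RESIDUAL_FILES.* values quoted on the page.
RESIDUAL_FILES = [
    r"%temp%\~a28.tmp",
    r"%temp%\~DFL542.tmp",
    r"%temp%\GRb9M2.bat",
    r"%temp%\scaud32.exe",
    r"%windir%\system32\commgr32.dll",
    r"%windir%\system32\mssvc32.ocx",
    r"%windir%\system32\nteps32.ocx",
    r"%windir%\system32\advnetcfg.ocx",
    r"%windir%\system32\boot32drv.sys",
    r"%COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\rccache.dat",
    r"%COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlog.dat",
    r"%SYSTEMROOT%\Temp\~8C5FF6C.tmp",
]

# EUPHORIA.PayloadNamesList.*.data.PayloadName values from the page: file
# names the USB spreading module drops on removable media.
USB_PAYLOAD_NAMES = ["Lss.ocx", "System32.dat", "NtVolume.dat"]

_VAR_RE = re.compile(r"%([^%]+)%")


def expand_windows_vars(path: str, env: Dict[str, str]) -> str:
    """Expand %NAME% tokens case-insensitively, the way cmd.exe does.

    os.path.expandvars is case-sensitive on non-Windows hosts and the page's
    list mixes %temp%, %windir% and %SYSTEMROOT%, so a small expander is used.
    Unknown variables are left in place so the caller can detect them.
    """
    upper_env = {k.upper(): v for k, v in env.items()}

    def repl(match: "re.Match[str]") -> str:
        return upper_env.get(match.group(1).upper(), match.group(0))

    return _VAR_RE.sub(repl, path)


def find_residual_files(env: Dict[str, str],
                        exists: Callable[[str], bool] = os.path.exists,
                        candidates: Iterable[str] = RESIDUAL_FILES) -> List[str]:
    """Return the expanded residual-file paths that exist on the host."""
    hits = []
    for template in candidates:
        full = expand_windows_vars(template, env)
        if "%" in full:
            continue  # a variable did not expand; this entry cannot be checked
        if exists(full):
            hits.append(full)
    return hits


def find_usb_payloads(drive_roots: Iterable[str],
                      exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return EUPHORIA payload-name paths present at the root of each drive."""
    hits = []
    for root in drive_roots:
        for name in USB_PAYLOAD_NAMES:
            candidate = root.rstrip("\\") + "\\" + name
            if exists(candidate):
                hits.append(candidate)
    return hits


if __name__ == "__main__":
    # Live run on a Windows host; the removable drive letter is an assumption.
    live_env = {k: v for k, v in os.environ.items()
                if k.upper() in ("TEMP", "WINDIR", "COMMONPROGRAMFILES", "SYSTEMROOT")}
    for hit in find_residual_files(live_env):
        print("residual file present:", hit)
    for hit in find_usb_payloads(["E:\\"]):
        print("USB payload name present:", hit)
```

A hit on any of these paths is only an indicator, not a verdict: the names are ordinary-looking and could be reused, so a match should be followed by hashing and inspecting the file rather than treated as proof of infection on its own.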


The malware heavily relies on the Lua scripting language.

[Image: Core Lua scripts copied to the USB drive. Source: Bitdefender Labs]


The malware uses SSL connections to transmit data over the network.

[Image: Decrypted traffic sent over HTTPS. Source: Bitdefender Labs]


The malware uses an encrypted SQLite database for storing information.

[Image: SQL schema dumped on the USB drive. Source: Bitdefender Labs]


NOTE: We recommend that everyone scan their computer for this malware. The disinfection procedure is given at the link below:
http://thetechnofreaks.com/2012/05/31/how-to-disinfect-your-computer-from-flame-malware/


More details about the Flame / Flamer malware can be found at the following URLs:

http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/

http://en.wikipedia.org/wiki/Flame_(malware)

http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat
