A new type of malware termed as Flame (also know as Flamer, sKyWIper, Skywiper and Flamer.A) that was discovered on 28th May 2012 has been making headlines in the computer security world and has been dubbed as the most discrete and dangerous malware ever. The malware is the most complicated piece of software ever created for Cyber Warfare and has been speculated to be around from as long as 2007 (around five years!!).
The malware was first identified by the Russian security firm Kaspersky Lab in May 2012 when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.
Following are some of the very unusual behaviors and tactics exhibited by this malware:
- It is an unusually large program; about 20 megabytes in size and attacks Microsoft Windows operating System.
- Is believed to be sponsored by a nation-state.
- Is partly written in Lua scripting language with compiled C++ code linked in. The malware also makes use of Assembly Language.
- Is capable of spreading through USB devices and local networks.
- Is highly modular, making it highly flexible and capable of carrying out any task for its attackers.
- Has several modules that can be added, removed and turned on/off from a remote location.
- Is speculated to be roaming undetected in the wild from as long as 2007.
- Uses five encryption algorithms and an SQLite database to communicate and store data.
- Is believed to be 20 times more complicated than the Stuxnet and Duqu malware and would take about 10 years to be completely understood by security experts.
- Is capable of stealthily switching on devices such as microphone, Bluetooth and camera to siphon off information. It also takes system screenshots and keystrokes from time to time and adjusts its frequency based on the type of active applications.
- According to estimates by Kaspersky, Flame has infected approximately 1,000 machines,with victims including governmental organizations, educational institutions and private individuals. As of May 2012, the countries most affected are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
Following are some more gory and technical details taken from Bitdefender Labs.
The following is the list of modules that have been discovered and inspected so far:
- EUPHORIA (controls the spreading mechanism via USB sticks)
- JIMMY (deals with data leakage)
- GATOR (responsible with communication between the infected host and the C&C servers)
- MICROBE (used to record audio and upload the captured audio streams to a remote location)
- FROG (purpose: unknown as of 31st May 2012)
- FLASK (purpose: unknown as of 31st May 2012)
- GADGET (purpose: unknown as of 31st May 2012)
- MUNCH (purpose: unknown as of 31st May 2012)
- SNACK (purpose: unknown as of 31st May 2012)
- SUICIDE ( used to automatically clean up the system when the appropriate command is issued by remote attackers)
- REAR_WINDOW [nteps32.ocx] (spying component)
- atmpsvcn.ocx (purpose: unknown as of 31st May 2012)
The EUPHORIA module controls the spreading mechanism via USB sticks. It also exploits the system’s autorun feature.
[fragment of the configuration file for the EUPHORIA module]
EUPHORIA.PayloadNamesList.1.data.PayloadName string Lss.ocx
EUPHORIA.PayloadNamesList.2.data.PayloadName string System32.dat
EUPHORIA.PayloadNamesList.3.data.PayloadName string NtVolume.dat
Flamer particularly focuses on documents, pictures and CAD files. The analysis also reveals that the MICROBE component is used to record audio and upload captured audio streams to remote location.
[fragment of the configuration file for the MICROBE module]
MICROBE.DEFAULT_RATE dword 20000
MICROBE.SAMPLING_RATE dword 32000
MICROBE.MIN_ENERGY dword 0
MICROBE.SEGMENT_LENGTH_SECS dword 600
The SUICIDE component is responsible for wiping out the malware footprints when issued a remote command by the attackers. The referenced files are listed below:
SUICIDE.RESIDUAL_FILES.A string %temp%\~a28.tmp
SUICIDE.RESIDUAL_FILES.B string %temp%\~DFL542.tmp
SUICIDE.RESIDUAL_FILES.C string %temp%\~DFL543.tmp
SUICIDE.RESIDUAL_FILES.D string %temp%\~DFL544.tmp
SUICIDE.RESIDUAL_FILES.E string %temp%\~DFL545.tmp
SUICIDE.RESIDUAL_FILES.F string %temp%\~DFL546.tmp
SUICIDE.RESIDUAL_FILES.G string %temp%\~dra51.tmp
SUICIDE.RESIDUAL_FILES.H string %temp%\~dra52.tmp
SUICIDE.RESIDUAL_FILES.I string %temp%\~fghz.tmp
SUICIDE.RESIDUAL_FILES.J string %temp%\~rei524.tmp
SUICIDE.RESIDUAL_FILES.K string %temp%\~rei525.tmp
SUICIDE.RESIDUAL_FILES.L string %temp%\~TFL848.tmp
SUICIDE.RESIDUAL_FILES.M string %temp%\~TFL849.tmp
SUICIDE.RESIDUAL_FILES.N string %temp%\~ZFF042.tmp
SUICIDE.RESIDUAL_FILES.O string %temp%\GRb9M2.bat
SUICIDE.RESIDUAL_FILES.P string %temp%\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.Q string %temp%\scaud32.exe
SUICIDE.RESIDUAL_FILES.R string %temp%\scsec32.exe
SUICIDE.RESIDUAL_FILES.S string %temp%\sdclt32.exe
SUICIDE.RESIDUAL_FILES.T string %temp%\sstab.dat
SUICIDE.RESIDUAL_FILES.U string %temp%\sstab15.dat
SUICIDE.RESIDUAL_FILES.V string %temp%\winrt32.dll
SUICIDE.RESIDUAL_FILES.W string %temp%\winrt32.ocx
SUICIDE.RESIDUAL_FILES.X string %temp%\wpab32.bat
SUICIDE.RESIDUAL_FILES.Z string %windir%\system32\commgr32.dll
SUICIDE.RESIDUAL_FILES.A1 string %windir%\system32\comspol32.dll
SUICIDE.RESIDUAL_FILES.A2 string %windir%\system32\comspol32.ocx
SUICIDE.RESIDUAL_FILES.A3 string %windir%\system32\indsvc32.dll
SUICIDE.RESIDUAL_FILES.A4 string %windir%\system32\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.A5 string %windir%\system32\modevga.com
SUICIDE.RESIDUAL_FILES.A6 string %windir%\system32\mssui.drv
SUICIDE.RESIDUAL_FILES.A7 string %windir%\system32\scaud32.exe
SUICIDE.RESIDUAL_FILES.A8 string %windir%\system32\sdclt32.exe
SUICIDE.RESIDUAL_FILES.A9 string %windir%\system32\watchxb.sys
SUICIDE.RESIDUAL_FILES.A10 string %windir%\system32\winconf32.ocx
SUICIDE.RESIDUAL_FILES.A11 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\rccache.dat
SUICIDE.RESIDUAL_FILES.A12 string %windir%\system32\mssvc32.ocx
SUICIDE.RESIDUAL_FILES.A13 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A14 string %COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A15 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A16 string %COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A17 string %SYSTEMROOT%\Temp\~8C5FF6C.tmp
SUICIDE.RESIDUAL_FILES.A18 string %windir%\system32\sstab0.dat
SUICIDE.RESIDUAL_FILES.A19 string %windir%\system32\sstab1.dat
SUICIDE.RESIDUAL_FILES.A20 string %windir%\system32\sstab2.dat
SUICIDE.RESIDUAL_FILES.A21 string %windir%\system32\sstab3.dat
SUICIDE.RESIDUAL_FILES.A22 string %windir%\system32\sstab4.dat
SUICIDE.RESIDUAL_FILES.A23 string %windir%\system32\sstab5.dat
SUICIDE.RESIDUAL_FILES.A24 string %windir%\system32\sstab6.dat
SUICIDE.RESIDUAL_FILES.A25 string %windir%\system32\sstab7.dat
SUICIDE.RESIDUAL_FILES.A26 string %windir%\system32\sstab8.dat
SUICIDE.RESIDUAL_FILES.A27 string %windir%\system32\sstab9.dat
SUICIDE.RESIDUAL_FILES.A28 string %windir%\system32\sstab10.dat
SUICIDE.RESIDUAL_FILES.A29 string %windir%\system32\sstab.dat
SUICIDE.RESIDUAL_FILES.B1 string %temp%\~HLV751.tmp
SUICIDE.RESIDUAL_FILES.B2 string %temp%\~KWI988.tmp
SUICIDE.RESIDUAL_FILES.B3 string %temp%\~KWI989.tmp
SUICIDE.RESIDUAL_FILES.B4 string %temp%\~HLV084.tmp
SUICIDE.RESIDUAL_FILES.B5 string %temp%\~HLV294.tmp
SUICIDE.RESIDUAL_FILES.B6 string %temp%\~HLV927.tmp
SUICIDE.RESIDUAL_FILES.B7 string %temp%\~HLV473.tmp
SUICIDE.RESIDUAL_FILES.B8 string %windir%\system32\nteps32.ocx
SUICIDE.RESIDUAL_FILES.B9 string %windir%\system32\advnetcfg.ocx
SUICIDE.RESIDUAL_FILES.B10 string %windir%\system32\ccalc32.sys
SUICIDE.RESIDUAL_FILES.B11 string %windir%\system32\boot32drv.sys
SUICIDE.RESIDUAL_FILES.B12 string %windir%\system32\soapr32.ocx
SUICIDE.RESIDUAL_FILES.B13 string %temp%\~rf288.tmp
SUICIDE.RESIDUAL_FILES.B14 string %temp%\~dra53.tmp
SUICIDE.RESIDUAL_FILES.B15 string %systemroot%\system32\msglu32.ocx
The malware heavily relies on the Lua scripting language.
The malware employs the use of SSL connection to transmit data over the network.
The malware uses an encrypted SQLite database for storing information.
NOTE: We recommend everyone to please scan your computer for this malware. The disinfection procedure is given in the link below:
More details about the Flame / Flamer malware can be found out in the following URLS: