Friday, June 1, 2012

A quick overview of Skywiper/flame

I have read numerous reports and analysis of this (relatively) new virus discovered in the wild, including, but not limited to, those of The Hacker News, McAfee, TrendLabs, Eset, and Damballa. Here is what I have found so far.

Flame is an incredibly large and sophisticated piece of malware. It seems to be targeting the Middle East and has been around since 2010 (first detection). The file itself is about 20 MB and contains everything it needs to run (libraries, etc.). There is speculation about who made it, a private entity or a nation state. I personally am leaning towards a government (possibly US), as it seems to be targeting political and military victims (this may just be the conspiracy theorist inside me). It is capable of monitoring keystrokes, capturing webcam data, taking screenshots, and listening through microphones connected to the infected machine. It spreads through any connected removable storage, through printer sharing, and through domain controllers. It is very careful not to leave any tracks and removes all traces of itself and other viruses when uninstalled. The main class itself is estimated to have 750,000 lines of C code (650,000 have been reversed by McAfee).
[Image: initial detection map (source: McAfee)]
It is larger than Stuxnet, and some believe it to be created or used by the same group, while others think they may just be "recycling" some of Stuxnet's code (more likely). Flame is the most sophisticated virus known to date and contains a vast amount of obfuscation and anti-decompiler code. According to McAfee, it is capable of at least the following:
- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls, thread start manipulation, and code injection into key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence as ~-named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and LNK exploits found in Stuxnet
- Using SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources
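Two of the traits above, hiding as ~-named temp files and storing collected data in SQLite, can be turned into a simple triage heuristic for defenders: walk a directory and flag any file whose name starts with `~` but whose contents are actually a PE image or a SQLite database. The script below is an added example, not code from this post or from any of the vendors cited; the directory layout and file contents it scans are constructed for the demonstration.

```python
import os
import tempfile

PE_MAGIC = b"MZ"                       # DOS/PE header at offset 0
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte SQLite 3 database header

def classify(header):
    """Return 'pe', 'sqlite', or None for the first bytes of a file."""
    if header.startswith(SQLITE_MAGIC):
        return "sqlite"
    return "pe" if header.startswith(PE_MAGIC) else None

def scan_tilde_files(root):
    """Walk root and return sorted (path, kind) pairs for every file whose name
    starts with '~' and whose contents look like a PE image or SQLite database."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("~"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify(fh.read(16))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if kind:
                findings.append((path, kind))
    return sorted(findings)

def build_sample_dir():
    """Create a constructed directory tree mixing benign and suspicious '~' files."""
    root = tempfile.mkdtemp(prefix="flame_demo_")
    samples = {
        "~WRD0001.tmp": b"plain text scratch file",   # benign editor temp file: not flagged
        "~DFA1B2.tmp": b"MZ" + b"\x90" * 62,          # '~' file that is really a PE image
        "~ZFF042.tmp": SQLITE_MAGIC + b"\x00" * 84,   # '~' file that is really a SQLite db
        "report.docx": b"PK\x03\x04",                 # no '~' prefix: ignored
        "sub/~HLP913.tmp": b"MZ" + b"\x00" * 30,      # nested '~' PE image
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for path, kind in scan_tilde_files(build_sample_dir()):
        print(kind, path)
```

Editors and Office create benign `~` scratch files all the time, so the content check, not the name alone, is what keeps the false-positive rate manageable.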

I'll keep you all posted and give more info once I get it.

Let me know what I should post about next!
