Flame

Frog Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant” that is created by the “Limbo” attack.

Infectmedia Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.

var s = GetObject("winmgmts:root\\cimv2");var oProcs = s.ExecQuery("SELECT * FROM Win32_Process ..."); s.Delete("__EventFilter.Name='FilterForClassCreation'");

var objFileSystem = new ActiveXObject("Scripting.FileSystemObject");var s = GetObject("winmgmts:root\\cimv2");

We also have clear indications that Stuxnet’s print spooler exploit (MS10-061) and lnk exploit (MS10-046) is used within sKyWIper as well

Flame... was the first known attack to trick users in this way by hijacking the Microsoft Windows updating tool on machines to infect computers

Frog Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant” that is created by the “Limbo” attack.

Limbo Creates backdoor accounts with login “HelpAssistant” on the machines within the network domain if appropriate rights are available.

The malware can be started using two different methods: 1. Set msgsecmgr.ocx in the registry ... At startup, mssecmgr.ocx is loaded as LSA Authentication Package.

For installations and startup, LSA is abused: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Autenthication Packages will contain in new line mssecmgr.ocx

Euphoria Create a “junction point” directory with “desktop.ini” and “target.lnk” ... The directory acts as a shortcut for launching Flame.

There are multiple injections of code during startup... the code injection mechanism is stealthier such that the presence of the code injection cannot be determined by conventional methods... these regions must have been allocated dynamically by means of VirtualAllocEx() or WriteProcessMemory().

The 2009 Stuxnet was built to replicate using an exploit from Flame. This indicates the two were indeed connected.

Frog Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant” that is created by the “Limbo” attack.

The malware can be started using two different methods: 1. Set msgsecmgr.ocx in the registry ... At startup, mssecmgr.ocx is loaded as LSA Authentication Package.

For installations and startup, LSA is abused: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Autenthication Packages will contain in new line mssecmgr.ocx

Euphoria Create a “junction point” directory with “desktop.ini” and “target.lnk” ... The directory acts as a shortcut for launching Flame.

There are multiple injections of code during startup... the code injection mechanism is stealthier such that the presence of the code injection cannot be determined by conventional methods... these regions must have been allocated dynamically by means of VirtualAllocEx() or WriteProcessMemory().

Self-kill logic inside ... SUICIDE.RESIDUAL_FILES ... %temp%\~a28.tmp ... %windir%\system32\commgr32.dll

Frog Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant” that is created by the “Limbo” attack.

Run the malware from rundll32 using the command as follows: start /wait rundll32.exe c:\windows\system32\mssecmgr.ocx,DDEnumCallback

Flame... was the first known attack to trick users in this way by hijacking the Microsoft Windows updating tool on machines to infect computers

The attack involved the almost magical re-engineering of a certificate that could be used to sign Windows updates. The certificate relied on an MD5 signature, which the attackers managed to fake.

2005, two x.509 certificates sharing the same hash with different public keys are published... 2012, the Flame malware uses a forged Microsoft code-signing certificate with MD5 collision against a valid one.

Snack Listens on network interfaces, receives and saves NBNS packets in a log file.

It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.

CRUISE_CRED.lua The script gathers credential information from an already infected machine. More precisely, it cruises all the token objects to find the ones belong to the administrator or the Administrators, Domain Admins groups.

2012, the Flame malware uses a forged Microsoft code-signing certificate with MD5 collision against a valid one.

The massive piece of malware secretly mapped and monitored Iran's computer networks, sending back a steady stream of intelligence to prepare for a cyber­warfare campaign.

Beetlejuice Bluetooth: enumerates devices around the infected machine. May turn itself into a “beacon”

Snack Listens on network interfaces, receives and saves NBNS packets in a log file.

Beetlejuice Bluetooth: enumerates devices around the infected machine... Snack Listens on network interfaces, receives and saves NBNS packets in a log file.

Compressed parts contain info on running processes... ~HLV473.tmp – information on running processes inside (Far.exe)

lmcache.dat Information on target computer. ntcache.dat Information on target computer... basic_info_app.lua gathers basic information about an infected computer such as the flame version ... the computer name, the ip address of the machine.

Weasel Creates a directory listing of the infected computer... The malware saves ~rf<number> files in /windows/temp... storing information on drivers, directories, and file names.

Security Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.

Transport: Replication method... that based on bad access permissions is a “Transport”. E.g. “NU” or “NUSystem” refers to “net use” way of propagation. obj.REMOTE_PATH_TEMPLATES = {temp = string.format("\\\\%s\\admin$\\temp", l_4_0.tgt)

Infectmedia Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.

We also have clear indications that Stuxnet’s print spooler exploit (MS10-061) and lnk exploit (MS10-046) is used within sKyWIper as well

The malware was designed to automatically collect everything from infected machines, ranging from documents to screenshots, keystrokes and audio.

It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.

advnetcfg.ocx (0.6 M) Injected part, possibly info stealer (screen shots and alike)

Microbe Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.

Munch: Installation/propagation mechanism related to windows update and web downloads... HTTP server that responds to “/view.php” and “/wpad.dat” requests.

The routine downloads the file mssecmgr.ocx ... Further information shows that this is related to the windows update mechanism and the MUNCH attack

“Those controlling the virus can direct it from a distance,” Mr. Napelian said. “Flame is no ordinary product. This was designed to monitor selected computers.”

C&C servers are changed frequently by changing the IP address of the particular host/domain name (the well-known fluxing technique used by botnets).

connect(10.55.55.55,80,6); ... One method we are aware of is related to windows update and file downloading by some modules using SSL and some proprietary text based protocol.

When such a stick was connected to a machine infected by Flame connected to the Internet, the hidden information was taken off the stick and sent to its C&Cs.

The authors took extra precautions to evade detection by security products... the extensions are chosen according to the detected anti-malware products.