
Flame: what is currently known
Have you heard about Flame? Have a seat, now we will give you all the details.
The Duqu and Stuxnet viruses have raised the intensity of cyber warfare in the Middle East, but we have now discovered what may be the most sophisticated cyber weapon to date. The Flame worm, created for cyber espionage, came to the attention of Kaspersky Lab experts during a study carried out at the request of the International Telecommunication Union (ITU), which asked us for assistance in finding an unknown malware that was deleting sensitive data from computers in the Middle East. While searching for this program, dubbed Wiper, we discovered a new malware sample called Worm.Win32.Flame.

Seven countries most affected
Although Flame's functionality differs from that of the infamous Duqu and Stuxnet cyber weapons, all of these malicious programs have much in common: the geography of the attacks and a narrow targeting combined with the use of specific software vulnerabilities. This puts Flame on a par with the "cybernetic superweapons" deployed in the Middle East by unknown attackers. Without a doubt, Flame is one of the most complex cyberthreats ever seen. The program is very large and has an incredibly complex structure. It forces a rethinking of concepts such as "cyber warfare" and "cyber espionage."
Read more about this sophisticated threat in a post on www.securelist.ru; here we provide a summary description of the malware.
DESCRIPTION
What exactly is Flame? Worm? Backdoor? What is its functionality?
Flame is a very sophisticated attack toolkit, far superior in complexity to Duqu. It is a backdoor Trojan that also has worm-like features, allowing it to spread over the local network and via removable media once its operator orders it to.
The initial entry point of Flame is unknown. We suspect that the initial infection occurs through targeted attacks, but we have not yet been able to find the initial attack vector. We suspect that the vulnerability MS10-033 is being used, but at the moment we cannot confirm this.
After infecting the system, Flame proceeds to perform a complex set of operations, including analyzing network traffic, creating screen captures, recording audio conversations, intercepting key presses, etc. All this data is available to operators through the Flame command servers.
In the future, operators may decide to download additional modules to the infected computers that expand the Flame functionality. There are about 20 modules in total, most of which we are currently studying.
How complicated is Flame?
First of all, Flame is a huge package of software modules whose total size, when fully deployed, is almost 20 MB. This makes analysis of the malware very laborious. Flame is so large because it includes many different libraries, among them compression code (zlib, libbz2, ppmd) and database handling (sqlite3), as well as a Lua virtual machine.
Lua is a scripting language, i.e. a programming language that can be easily extended and integrated with code written in C. For many Flame components the top-level logic is written in Lua, while the routines and libraries that directly implement the infection are compiled from C++.
Compared to the total amount of code, the part written in Lua is relatively small. We estimate the Lua portion at more than 3,000 lines of code. It takes about a month for an average developer to create and debug such a volume of code.

Fig. 1 - decompiled Flame code in LUA language.
In addition, the malicious program uses local databases with embedded SQL queries for its internal needs, uses several encryption methods and various compression algorithms, creates scripts using Windows Management Instrumentation, uses batch scripts, etc.
Launching and debugging the malware is not a trivial task, since it is not a regular executable file but several DLLs loaded at operating system startup.
In general, it can be stated that Flame is one of the most complex threats detected to date.
ANALYSIS
Kaspersky Lab's key experts immediately devoted themselves to analyzing the program, and although a full analysis will take months, some findings are already available in the linked article.
Here we can offer you a quick "manual" method of checking your system for a Flame infection:
1. Search for the file ~DEB93D.tmp. Its presence on the system means that the computer is infected, or has been infected, by Flame.
2. Check the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages. If you find mssecmgr.ocx or authpack.ocx in it, your computer is infected with Flame.
3. Check for the following folders. If they exist, you are infected.
C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
C:\Program Files\Common Files\Microsoft Shared\MSAPackages
C:\Program Files\Common Files\Microsoft Shared\MSSndMix
4. Search for the remaining file names given above. They are all unique, and their presence means a very high probability that your computer is infected with Flame.
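The four manual steps above, as an added read-only PowerShell check that is not part of the original post. The post names only the artifacts, not where to look for them, so the search locations (the system and user Temp folders for step 1, %windir% for step 4) are assumptions.

```powershell
# Added example: a read-only PowerShell check for the Flame indicators listed
# in the four steps above. Search roots are an assumption; the post only names
# the artifacts, not their locations.
$findings = @()

# Step 1: the ~DEB93D.tmp file. Assumed search roots: system and user Temp folders.
$tempRoots = @("$env:windir\Temp", $env:TEMP) | Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $tempRoots) {
    Get-ChildItem -Path $root -Filter '~DEB93D.tmp' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Step 1: file present: $($_.FullName)" }
}

# Step 2: mssecmgr.ocx or authpack.ocx registered as an LSA authentication package.
# 'Authentication Packages' is a REG_MULTI_SZ value, so every entry is compared.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages' -ErrorAction SilentlyContinue
foreach ($pkg in @($lsa.'Authentication Packages')) {
    if ($pkg -match 'mssecmgr\.ocx|authpack\.ocx') {
        $findings += "Step 2: Authentication Packages contains: $pkg"
    }
}

# Step 3: the five folders under Microsoft Shared named in the post.
$sharedRoot = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared'
foreach ($name in 'MSSecurityMgr', 'MSAudio', 'MSAuthCtrl', 'MSAPackages', 'MSSndMix') {
    $dir = Join-Path $sharedRoot $name
    if (Test-Path -Path $dir -PathType Container) {
        $findings += "Step 3: folder present: $dir"
    }
}

# Step 4: the remaining file names anywhere under %windir% (assumed root; can be slow).
Get-ChildItem -Path $env:windir -Include 'mssecmgr.ocx', 'authpack.ocx' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Step 4: file present: $($_.FullName)" }

# Report. The post treats each hit as an infection indicator; no hits does not
# by itself prove the system is clean.
if ($findings.Count -eq 0) {
    Write-Output 'No Flame indicators from the checklist were found.'
} else {
    Write-Output 'Flame indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so that the LSA key and the Windows Temp folder are readable; the script only reads and does not modify anything.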
Take care of yourself! And stay tuned ...