
Flame: what is known at the moment

Have you heard about Flame? Sit back, now we will give you all the details.

The Duqu and Stuxnet viruses raised the temperature of cyber warfare in the Middle East; now we have found what may be the most sophisticated cyber weapon in the world today. The Flame worm, built for cyber espionage, came to the attention of Kaspersky Lab experts during a study requested by the International Telecommunication Union (ITU), which asked us for help in finding an unknown malicious program that was deleting confidential data from computers in the Middle East. While searching for that program, called Wiper, we discovered a new malware sample, which was named Worm.Win32.Flame.

[Figure: Seven countries with the most attacks]
Although Flame's functionality differs from that of the infamous Duqu and Stuxnet cyber weapons, all of these malicious programs have much in common: the geography of the attacks and a narrow targeting combined with the use of specific software vulnerabilities. This puts Flame on a par with the "cybernetic super-weapons" deployed in the Middle East by unknown perpetrators. Without a doubt, Flame is one of the most complex cyber threats in the entire history of such threats. The program is large and has an incredibly complex structure. It forces a rethink of such concepts as "cyber war" and "cyber espionage".

For more information about this sophisticated threat, see the post on www.securelist.ru; here we give a summary description of the malware.

DESCRIPTION

What exactly is Flame? Worm? Backdoor? What is its functionality?

Flame is a very sophisticated attack toolkit, far exceeding Duqu in complexity. This Trojan is a backdoor that also has worm-like features allowing it to spread across the local network and via removable media when it receives the corresponding command from its operator.

The initial entry point of Flame is unknown: we suspect that initial infection occurs through targeted attacks, but we have not yet found the original attack vector. We suspect the vulnerability involved is MS10-033, but at the moment we cannot confirm this.

After infecting a system, Flame performs a complex set of operations, including sniffing network traffic, taking screenshots, recording audio conversations, logging keystrokes, and so on. All of this data is available to the operators via Flame's command servers.

Later, the operators may decide to push additional modules to infected computers, extending Flame's functionality. In total there are about 20 modules, the purpose of most of which we are still studying.

How complex is Flame?

First of all, Flame is a huge package of software modules whose total size, when fully deployed, is almost 20 MB. This makes analysis of the malware very laborious. Flame is so large because it includes many different libraries, including compression (zlib, libbz2, ppmd) and database handling (sqlite3), as well as a Lua virtual machine.

Lua is a scripting language, i.e. a programming language that is easily extensible and integrates with code written in C. For many Flame components the top-level logic is written in Lua, while the routines and libraries that directly carry out the infection are compiled from C++.

Compared to the total amount of code, the Lua part is relatively small. By our estimates, the Lua code amounts to more than 3000 lines. For an average developer, creating and debugging that much code takes about a month.

[Fig. 1 - decompiled Flame code in Lua]

In addition, the malware uses local databases with embedded SQL queries for internal needs, uses several encryption methods and different compression algorithms, creates scripts using Windows Management Instrumentation, uses batch scripts, and so on.

Running and debugging the malware is not trivial, since it is not a regular executable file but several DLL libraries that are loaded when the operating system starts.

In general, it can be stated that Flame is one of the most complex threats found to date.

ANALYSIS

Kaspersky Lab's key experts immediately set about analysing the program, and although a full analysis will take months, some data is already available in the article linked above.

Here is a quick "manual" way to check your system for a Flame infection:

1. Search for the file ~DEB93D.tmp. Its presence on the system means that the computer is, or has been, infected with Flame.
2. Check the Authentication Packages value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa. If you find mssecmgr.ocx or authpack.ocx there, your computer is infected with Flame.
3. Check for the following folders. If any of them exist, you are infected.
C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
C:\Program Files\Common Files\Microsoft Shared\MSAPackages
C:\Program Files\Common Files\Microsoft Shared\MSSndMix
4. Search for the remaining file names given above. They are all unique, and their presence means a very high probability that your computer is infected with Flame.
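The four manual checks above, automated as one PowerShell script (an added example, not part of the original post or of Kaspersky Lab's tooling). It assumes an elevated PowerShell session on the host being checked; because the post does not say where ~DEB93D.tmp is dropped, the file search is limited to a few likely roots, and the Program Files (x86) location is included for 64-bit hosts as an extra beyond the post's list.

```powershell
# Added example: automates the manual Flame checks from the post.
# Assumptions: run as Administrator; file search limited to $SearchRoots.
$Findings = @()

# Steps 1 and 4: unique file names named in the post. Search roots are an
# assumption, since the post does not state where the files are dropped.
$SearchRoots = @($env:SystemRoot, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$FileNames = @('~DEB93D.tmp', 'mssecmgr.ocx', 'authpack.ocx')
foreach ($root in $SearchRoots) {
    foreach ($name in $FileNames) {
        Get-ChildItem -Path $root -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $Findings += "File: $($_.FullName)" }
    }
}

# Step 2: the LSA "Authentication Packages" value (REG_MULTI_SZ). Entries listed
# here are loaded at system start, which matches the post's description of
# Flame running as DLLs loaded at boot.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Packages = (Get-ItemProperty -Path $LsaKey -Name 'Authentication Packages' `
    -ErrorAction SilentlyContinue).'Authentication Packages'
foreach ($pkg in @($Packages | Where-Object { $_ })) {
    if ($pkg -match '(?i)mssecmgr\.ocx|authpack\.ocx') {
        $Findings += "Registry: $LsaKey\Authentication Packages contains '$pkg'"
    }
}

# Step 3: dropped folders under Common Files\Microsoft Shared. Checking the
# (x86) Program Files tree on 64-bit hosts is an addition to the post's list.
$SharedBases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Common Files\Microsoft Shared' }
$Folders = @('MSSecurityMgr', 'MSAudio', 'MSAuthCtrl', 'MSAPackages', 'MSSndMix')
foreach ($base in $SharedBases) {
    foreach ($folder in $Folders) {
        $path = Join-Path $base $folder
        if (Test-Path -LiteralPath $path) { $Findings += "Folder: $path" }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Flame indicators from the post were found on this host.'
} else {
    Write-Output 'Possible Flame infection - indicators found:'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result only means none of the post's indicators were found in the searched locations; it is not proof the host is clean.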

Take care of yourself! And stay tuned ...

Source: https://habr.com/ru/post/144967/

