Putting Out Fires — Literally: The Flame Malware


Mon, 10/01/2012 - 19:44
Jun 3rd, 2012
User Badges:
  • Cisco Employee,

It is pretty impressive that Flame (otherwise known as Flamer, sKyWIper, or Skywiper) is already in wikipedia ;-)

Flame is a piece of malware that is fairly complex and used for different targeted attacks. It is known to be used in sophisticated and targeted attacks.  I am not going to try to reproduce what it is already in wikipedia, since it summarizes it very well:

The program is being used for targeted cyber espionage in Middle Eastern countries. Its discovery was announced on 28 May 2012 by MAHER Center of Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and CrySyS Lab. of the Budapest University of Technology and Economics. The last of these stated in its report that “sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”

The attack uses unauthorized digital certificates derived from a Microsoft Certificate Authority. This issue affects all supported releases of Microsoft Windows. An unauthorized certificate could be used to do several things:

  • spoof content
  • phishing attacks
  • man-in-the-middle attacks

Microsoft released a security advisory very promptly at:http://technet.microsoft.com/en-us/security/advisory/2718704This is one more example of why having automatic updates enabled is very important. If you do have automatic updates you don’t need to take much action because the KB2718704 update will be downloaded and installed automatically. Individuals who have not enabled automatic Windows updates must check for this update and install it manually.Why is Flame getting so much attention and media coverage? Because, Flame has some of the characteristics of Stuxnet and Duqu.The Budapest University of Technology and Economics posted an excellent write-up titled: “sKyWIper: A Complex Malware for Targeted AttacksAdditionally, Symantec posted a very detailed write-up of the anatomy of this malware.The creators of this malware (Flame) used a very innovative method by inject this malware into winlogon.exe, securitysoftware processes, and potentially other processes. Flame could  also load shell32.dllreplacing this DLL in memory with a malicious DLL. It is known to also have the ability to capture screenshots of the target machine. It also has some clever anti-debugging tricks.The following are some of the files that are part of this malware:

  • advnetcfg.ocx
  • ccalc32.sys
  • mssecmgr.sys
  • boot32drv.sys
  • nteps32.ocx
  • msglu32.ocx

So far, there are two confirmed variants of the advnetcfg.ocx file.

This still an ongoing investigation and a lot of people call it “military-grade malware”. The good news is that there is a fix from Microsoft and it is being successfully detected by several security software and anti-virus.



This Blog

Related Content