Complex Cyberwar Tool ‘Flamer’ Found Infecting Computers In Iran & Israel

In December last year, Microsoft released the patch for the vulnerability used by Duqu to propogate itself across Windows desktops. The other nasty worm going around was Stuxnet – both cyberwarfare tools, and most recently a piece of malware claimed to be more sophisticated than both has been found infecting computers in the middle east....

Read the full post at

Skywiper – Fanning the ‘Flames’ of Cyberwarfare

A few weeks ago, Iran reported intensified cyberattacks on its energy sector that they observed as a direct continuation of the Stuxnet and Duqu attacks.

Over the weekend, the IR Cert (Iran’s emergency response team) published a new report that describes this attack as Flame and/or Flamer. Some other news agencies also called  the attack Viper. The complex functionality of the malware is controlled by command servers, of which there are possibly dozens. The malware is also capable of slowly spreading via USB drives.

CrySys Lab, a Hungarian security team, noticed that a complex threat it had been analyzing for weeks was clearly the same threat as Flamer. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done to analyze the full details of this malware, as it has some extraordinary complexity.

Previously, other cyberthreats such as Stuxnet and Duqu required months of analysis; this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smallest encrypted modules is more than 70,000 lines of C decompiled code, which contains over 170 encrypted “strings”!

Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.

We found publicly available reports from antispyware companies, and log files in public help forums that could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example, in March 2010). Skywiper appears to be more wildly spread than Duqu, with similarly large numbers of variants.

Skywiper is a modular, extendable, and updateable threat. It is capable of, but not limited to, the following key espionage functions:

- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls and and threads start manipulation, and code injections to key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
- Using SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources

To summarize, the threat shows great similarity to Stuxnet and Duqu in some of its ways of operation, yet its code base and implementation are very different, and much more complex and robust in its basic structure.

Skywiper’s main executable files:

Windows\System32\mssecmgr.ocx – Main module

Misleading Program Information Blocks

According to its program information block, the main module pretends to be written by Microsoft Corporation. It claims to be a “Windows Authentication Client” for Microsoft Windows Version 5.1 (2600 Build). Several other modules also claim to be Microsoft Windows components. However, none of the files analyzed so far are signed with a valid (or even possibly stolen) key, as it was the case with Duqu and Stuxnet.

Further key filenames of the threat can include:


Mutex usage

The threat files also use the TH_POOL_SHD_PQOISNG_#PID#SYNCMTX Mutex name to identify already infected systems, a common technique in modern malware. The #PID# is the process ID of the process in which the injection of the threat occurred.

I change my name; I change my extension

The threat files can change both filenames and extensions, according to specific control server requests, as well as configuration usage. In some cases, Skywiper detects specific antivirus software. The malware might then change the extension of the executable files (DLLs) from OCX to TMP, for example. However, we have not always seen this functionality on affected systems, especially if the threat has been installed prior to the security product in question.

Skywiper’s main module is over 6MB in size, while the completely deployed set is close to 20MB. Yes, this is a lot of code for malware, but this is necessary to carry the complex libraries such as Zlib, LUA interpreter, SQLite support, custom database support code, and so on.

Encryption includes simple obfuscation like XOR with a byte value. The XOR key, 0xAE, has appeared in some other cases–showing a potential relationship to Duqu and Stuxnet, as they also used this value. However, Stuxnet and Duqu always used other values in conjunction with this byte, which included dates of possible meaning.

Other than the above, Skywiper does not show a direct relationship in its code to Stuxnet or Duqu at this point. It uses a similar yet more complex structure, which in many ways reminds researchers of these attacks. In some ways it could be a parallel project, as the early date may suggest. The attack files showed recent development in January and August 2011, according to some of the leftover date values in its files. The dates in the file headers have been purposely changed (claiming to be from 1994, etc.), but export-table date values and dates elsewhere in the files indicate 2011.

The main module of Skywiper starts via the registry, over an exported function:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages
- mssecmgr.ocx

Initial infections gathered by our network sensors are shown on the map below:

Generally, attackers try to conceal their presence by infecting locations unrelated to the main targets, possibly to further conceal their identity, and then use these locations as control servers. Continuing research will certainly need to take this into consideration.

McAfee antivirus products will detect and clean the threat as W32/Skywiper from infected systems. Our initial data indicates that there are multiple variants of this threat in the field.

Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East

Over the past few days, we have been analyzing a potential new threat that has been operating discreetly for at least two years. We were contacted about this threat by Crysys who have released their own analysis. (The threat is referred to by CrySys as 'Skywiper'). There are indications that W32.Flamer is also the same threat as described recently by the Iranian national cert. Our analysis of the retrieved samples reveals complex code that utilizes several components. At first glance, the executable appears to be benign but further inspection reveals cleverly concealed malicious functionality.

The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry.

While our analysis is currently ongoing, the primary functionality is to obtain information and data. Initial telemetry indicates that the targets of this threat are located primarily in Eastern Europe and the Middle East. The industry sectors or affiliations of the individuals targeted are currently unclear. However, initial evidence indicates that the victims may not all be targeted for the same reason. Many appear to be targeted for individual personal activities rather than the company they are employed by. Symantec detects this threat as W32.Flamer.

Threat activity

By examining infection reports of one the main components and its configuration file, we can determine the targets of W32.Flamer and also a partial timeline. The timeline and targets will likely change, however, as we uncover more infection reports. Several component files have been identified. These are:

  • advnetcfg.ocx
  • ccalc32.sys
  • mssecmgr.sys
  • msglu32.ocx
  • boot32drv.sys
  • nteps32.ocx

Two variants of the advnetcfg.ocx file have been discovered. The first variant dates back to September 2010. The second variant appeared in February 2011. The configuration file ccalc32.sys also has two variants, both of which appear around the same time as the advnetcfg.ocx file.

Figure 1. Timeline of threat activity

In addition to our initial telemetry, there are unconfirmed reports of infections dating back to 2007 as well. We expect to be able to confirm these reports in the coming days.

Figure 2. Distribution of the threat

Based on the number of compromised computers, the primary targets of this threat are located in the Palestinian West Bank, Hungary, Iran, and Lebanon. However, we have additional reports in Austria, Russia, Hong Kong, and the United Arab Emirates. These additional reports may represent a targeted computer that was temporarily taken to another region—for example, a laptop. Interestingly, in addition to particular organizations being targeted, many of the compromised computers appear to be personal computers being used from home Internet connections.

Threat details

A number of components of the threat have been retrieved and are currently being analyzed. Several of the components have been written in such a way that they do not appear overtly malicious. There is no high-entropy data and no obviously suspicious strings. The code itself is complex, which hampers analysis. The overall functionality includes the ability to steal documents, take screenshots of users' desktops, spread through removable drives, and disable security products. Additionally, under certain conditions, the threat may also have the ability to leverage multiple known and patched vulnerabilities in Microsoft Windows in order to spread across a network.

Figure 3 describes the interaction of the various threat components identified so far. Note that in other infections, the file names may change.

Figure 3. Threat components

The advnetcfg.ocx file loads and decrypts configuration data from a file called ccalc32.sys. The ccalc32.sys file is RC4-encrypted with a 128-bit key. When the threat creates the ccalc32.sys file, it retroactively modifies the timestamp on it to be the same as kernel32.dll, a Windows system file, in an attempt to prevent the user from noticing the file. The advnetcfg.ocx file is also responsible for handling commands issued by a third component. Analysis of the remaining components has not yet identified which component is responsible for communicating with advnetcfg.ocx.

The file uses a complex method to inject itself into winlogon.exe, security products processes, or other selected processes. Multiple code blocks will be injected and called as necessary. In addition, it may also load shell32.dll (a clean Windows system DLL), but once loaded, replace the DLL in memory with a malicious DLL. The advnetcfg.ocx file also has the ability to capture screenshots and perform certain anti-debugging tricks.

The mssecmgr.ocx file is large and contains substantial functionality as shown in Figure 4.

Figure 4. mssecmgr.ocx identified components

It contains an LUA interpreter, SSH code, and SQL functionality. The implementation of an LUA interpreter makes this component highly flexible and configurable. It allows attackers to deploy updated commands and functionality very quickly and efficiently. This file may also be referenced in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Authentication Packages" = "mssecmgr.ocx"

Several additional modules are also contained in mssecmgr.ocx as shown in the diagram.

The mssecmgr.ocx file is especially interesting since its functionality references a file named ~DEB93D.tmp. The ~DEB93D.tmp file has been publicly associated by third-party researchers with a 'wiper' virus that caused several oil terminals in Iran to be disconnected from the Internet. The 'wiper' virus was named as such since it reportedly erased information from hard disks.

The nteps32.ocx file is primarily responsible for capturing screenshots. It retrieves configuration information from boot32drv.sys. This configuration data, encrypted with 0xFF, defines how the functionality operates. For example, it specifies how often to capture screenshots.

The msglu32.sys file contains code that allows it to open and steal data from various types of documents, images, images with GPS data, presentations, project files, and technical drawings. Similar to mssecmgr.sys, it also contains SQL functionality. Interestingly, this module contains multiple references to the string 'JIMMY', with messages such as 'Jimmy Notice: failed to convert error string to unicode'. Jimmy may be the codename of this module.

Within the code that we have analyzed so far, there are multiple references to the string 'FLAME'. This may be a reference to certain attacks made by various parts of the code (injections, exploits, etc.), or it may be an indication of the malware's developmental project name. No further observations have been made that could assist in locating the origin of the malware.

The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware. The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products.

Analysis and investigation into the various components is ongoing and additional more in-depth technical details as well as attack information will be published soon.

Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers

Map showing the number and geographical location of Flame infections detected by Kaspersky Lab on customer machines. Courtesy of Kaspersky

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based antivirus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size — the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”

Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”

“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.