What the Skywiper Files Tell Us

On May 28, my colleagues Peter Szor and Guilherme Venere posted a blog on Skywiper and listed various key filenames. Since then, I have searched our collections for these files, as well as for some others that appear to be linked to this threat. The following table summarizes these investigations.

After I finished creating this table, I noted that:

  • The PE header timestamps are not correct: they fall between January 1992 and October 1994, so they were altered before the files were spread.
  • When available, the Time Date Stamps of the debug info entries seem valid: they run from January 2011 to October 2011 and are consistent with those visible in the export sections. This information suggests when these files were developed. Among these, one file (advnetcfg.ocx) was sent to VirusTotal in May 2011. The others were sent this year, between May 28 and May 30.
  • Older files were probably created between June 2008 and September 2010. They appeared at VirusTotal between May 2009 and October 2010. Perhaps some are old versions of this threat.
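
As an added illustration of the cross-check behind the first two observations (this is example code, not part of the original post or of the analysis tooling it describes), the following Python reads the three timestamps a linker normally writes together, the COFF header TimeDateStamp, the export directory TimeDateStamp and the debug directory entries, and flags a header timestamp that disagrees with the other two. The minimal PE produced by build_sample_pe is constructed for the demonstration, and the 30-day tolerance is an assumed threshold.

```python
import struct
EXPORT_DIR, DEBUG_DIR = 0, 6                      # IMAGE_DIRECTORY_ENTRY_EXPORT / _DEBUG

def _rva_to_offset(sections, rva):
    for vsize, va, rsize, raw in sections:        # from each section header
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x maps to no section" % rva)

def pe_timestamps(data):
    """COFF header, export directory and debug directory TimeDateStamps (UNIX epoch seconds)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, coff_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:] for i in range(nsect)]
    result = {"coff": coff_ts, "export": None, "debug": []}
    for index, key in ((EXPORT_DIR, "export"), (DEBUG_DIR, "debug")):
        va, size = struct.unpack_from("<II", data, dirs + 8 * index) if index < ndirs else (0, 0)
        if not va:
            continue
        off = _rva_to_offset(sections, va)
        if key == "export":                       # IMAGE_EXPORT_DIRECTORY.TimeDateStamp is at +4
            result[key] = struct.unpack_from("<I", data, off + 4)[0]
        else:                                     # one 28-byte IMAGE_DEBUG_DIRECTORY per entry
            result[key] = [struct.unpack_from("<I", data, off + 28 * i + 4)[0] for i in range(size // 28)]
    return result

def header_timestamp_forged(ts, tolerance=30 * 86400):
    """True when the COFF time is more than `tolerance` seconds from every export/debug time."""
    refs = [r for r in [ts["export"]] + ts["debug"] if r]
    return bool(refs) and all(abs(ts["coff"] - r) > tolerance for r in refs)

def build_sample_pe(coff_ts, export_ts, debug_ts):
    """Constructed minimal PE32, one section at RVA 0x1000 / file offset 0x200; test input only."""
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)   # magic, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[EXPORT_DIR], dirs[DEBUG_DIR] = (0x1000, 40), (0x1040, 28)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, coff_ts, 0, 0, len(opt), 0x2102)
    sect = struct.pack("<8sIIII", b".rdata", 0x200, 0x1000, 0x200, 0x200).ljust(40, b"\0")
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    export = struct.pack("<II", 0, export_ts).ljust(0x40, b"\0")      # export dir, padded to 0x40
    debug = struct.pack("<IIHHIIII", 0, debug_ts, 0, 0, 2, 0, 0, 0)   # one CODEVIEW entry
    return head.ljust(0x200, b"\0") + (export + debug).ljust(0x200, b"\0")
```

Running pe_timestamps over a real sample gives the same three values an analyst would compare by hand; a 1990s COFF time next to 2011 export and debug times is the pattern described above.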

Stay tuned; we shall continue our investigations.