Security Protection – Harry Waldron MVP

May 29th, 2012:

Skywiper (Flame Virus) – Complex cyber-warfare targeted attacks

The most complex malware attack constructed to date has been identified and is currently being researched by security firms:

Skywiper (Flame Virus) – Complex cyber-warfare targeted attacks (FAQ) http://securitygarden.blogspot.com/2012/05/flame-aka-flamer-or-skywiper.html
https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
http://blogs.mcafee.com/mcafee-labs/skywiper-fanning-the-flames-of-cyber-warfare
http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
http://www.f-secure.com/weblog/archives/00002371.html
 
Crysys Security — DETAILED TECHNICAL ANALYSIS http://www.crysys.hu/skywiper/skywiper.pdf

QUOTE (McAfee link) — Over the weekend, the IR Cert (Iran’s emergency response team) published a new report, which describes this attack as “Flame” and/or “Flamer”. The complex functionality of the malware is controlled over Command and Control (C&C) servers, of which there are possibly dozens. The malware is also capable of slowly spreading over USB drives.

CrySys Lab, a Hungarian security team, noticed that a complex threat that they were already analyzing for weeks was clearly the same threat as “Flamer”. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done to analyze the full details of this malware, as it has some extraordinary complexity.


Previously, other cyber threats such as Stuxnet and Duqu both required months of analysis, and this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smaller encrypted modules is over 70000 lines of decompiled C code, which contains over 170 encrypted “strings”! Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.


Skywiper is a modular, extendable and updateable threat. It is capable of, but not limited to, the following key espionage functions:

- Scanning network resources
- Stealing information as specified
- Communicate to C&C servers over SSH and HTTPS protocols
- Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc.)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and thread start manipulation, and code injections to key processes
- It loads as part of Winlogon.exe then injects to Explorer and Services
- Conceals its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
- Uses SQLite Database to store collected information
- Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources
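Two of the traits in the list above are things a defender can actually go looking for on a host: the "~" named temp files and the SQLite databases used to stage collected data. The script below is an added hunting example written for this post; it is not code from the McAfee or CrySyS reports, and the file names it creates are constructed for the demo rather than published indicators. It walks the directories you hand it, flags files whose name starts with "~", and separately checks whether a file carries the SQLite 3 header, so a tilde-named file that is also a database stands out with both reasons attached.

```python
"""
Triage helper (added illustrative example, not from the original post or any
vendor report): walk temp-style directories and flag files that show the two
host-level traits the quoted analysis attributes to Skywiper/Flame, a leading
"~" in the name and SQLite content. A match is a review hint, not proof.
"""
import os
import tempfile
from pathlib import Path

# Every SQLite 3 database file starts with this 16-byte header string
# (part of the documented SQLite file format).
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path: Path) -> bool:
    """Return True if the file begins with the SQLite 3 magic header."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        # Unreadable or vanished file: report nothing rather than crash the sweep.
        return False


def find_suspicious_temp_files(directories):
    """Return a sorted list of (path, reasons) for files under the given
    directories that have a "~" prefix and/or SQLite content. Directories
    that do not exist are skipped silently."""
    findings = []
    for base in directories:
        base = Path(base)
        if not base.is_dir():
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                p = Path(root) / name
                reasons = []
                if name.startswith("~"):
                    reasons.append("tilde-prefixed temp file")
                if is_sqlite_file(p):
                    reasons.append("SQLite database in temp location")
                if reasons:
                    findings.append((str(p), reasons))
    return sorted(findings)


def build_demo_tree() -> Path:
    """Create a constructed sample temp tree so the example runs offline.
    The names are invented for the demo and are not indicators of compromise."""
    base = Path(tempfile.mkdtemp(prefix="hunt_demo_"))
    (base / "~demo_both.tmp").write_bytes(SQLITE_MAGIC + b"\x00" * 84)   # both traits
    (base / "~demo_tilde.tmp").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # tilde only
    (base / "demo_sqlite.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)   # SQLite only
    (base / "notes.txt").write_bytes(b"nothing to see here\n")            # benign
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, why in find_suspicious_temp_files([demo]):
        print(f"{path}: {', '.join(why)}")
```

On a real host you would pass the user and system temp directories instead of the demo tree; the header check is cheap enough to run across a whole directory tree, and because the tilde and SQLite tests are reported separately, a benign tilde-named Office lock file and a legitimate browser cache database each show up with a single, easily dismissed reason.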

Microsoft – Decade of TWC progress shared at RSA conference

An excellent and detailed history of Trustworthy Computing over the past decade.

Microsoft – Decade of TWC progress shared at RSA conference http://blogs.technet.com/b/security/archive/2012/05/25/webcast-code-red-to-zbot-10-years-of-tech-researchers-and-threat-evolution.aspx

MALWARE DEVELOPMENTS PAST DECADE PDF – EXCELLENT (4.5MB) http://365.rsaconference.com/servlet/JiveServlet/download/38-4003/May_23_2012_Webcast_Microsoft.pdf

QUOTE: For those of you that joined us at RSA this year in San Francisco, you may have taken in the session presented by Jeff Jones and Tim Rains on 10 Years of Tech, Researchers and Threat Evolution. The great news is that Tim and Jeff have delivered a webcast of the session, which you can find here. Jeff and Tim followed up with a series of blog posts delving into more detail:

I would also recommend reading the Behind the Charts – Scrubbing the Vulnerability Data post to understand more about the data sources and methodology Jeff used in his analysis.