Skywiper (Flame Virus) – Complex cyber-warfare targeted attacks (FAQ) http://securitygarden.blogspot.com/2012/05/flame-aka-flamer-or-skywiper.html
Crysys Security — DETAILED TECHNICAL ANALYSIS http://www.crysys.hu/skywiper/skywiper.pdf
QUOTE (McAfee link) — Over the weekend, the IR Cert (Iran’s emergency response team) published a new report, which describes this attack as “Flame” and/or “Flamer”. The complex functionality of the malware is controlled over Command and Control (C&C) servers, of which there are possibly dozens. The malware is also capable of slowly spreading over USB drives.
CrySys Lab, a Hungarian security team, noticed that a complex threat that they had already been analyzing for weeks was clearly the same threat as “Flamer”. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done to analyze the full details of this malware, as it has some extraordinary complexity.
Previously, other cyber threats such as Stuxnet and Duqu both required months of analysis and this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smaller encrypted modules is over 70000 lines of C decompiled code, which contains over 170 encrypted “strings”! Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.
Skywiper is a modular, extendable and updateable threat. It is capable of, but not limited to, the following key espionage functions:
- Scanning network resources
- Stealing information as specified
- Communicate to C&C Servers over SSH and HTTPS protocols
- Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc.)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and threads start manipulation, and code injections to key processes
- It loads as part of Winlogon.exe then injects to Explorer and Services
- Conceals its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
- Uses SQLite Database to store collected information
- Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources