Security Protection – Harry Waldron MVP Rotating Header Image

Skywiper (Flamer Virus) – Huge 20MB modular suite of malware

The new Skywiper (aka Flamer) malware suite is modular and incredibly complex as documented in this PC Magazine article:

PC Magazine – Flamer Isn’t a Stuxnet Spinoff
http://securitywatch.pcmag.com/security-spyware/298425-flamer-isn-t-a-stuxnet-spinoff

QUOTE: A new and seriously complex malware threat came to light this past weekend, targeting PCs in the Middle East. Some researchers and commentators made the natural assumption that it was connected with the Stuxnet worm which made news in 2010 by disrupting Iran’s nuclear research. After all, when Duqu turned up in 2011, experts concluded it was indeed written by the Stuxnet crowd, or coders with full access to Stuxnet source. But like the song says, it ain’t necessarily so.

 

This latest threat is called Flamer, Flame, or sKyWIper, depending on who you ask. Flamer, Duqu, and Stuxnet do have some things in common. To start, all three are seriously modular, in a way that lets their command and control servers add or update functionality at any time. Flamer takes this to an extreme, downloading its modules in multiple sessions.

Flamer definitely needs to take it easy on download impact to avoid giving itself away. At 20MB for all modules, it’s a veritable giant. A Stuxnet infestation takes just 500KB of space, according to Kaspersky researchers. Part of Flamer’s size involves the use of many third-party code libraries, prefab modules that handle tasks like managing databases and interpreting script code. Neither Stuxnet nor Duqu rely on third-party modules.

Skywiper (Flame Virus) – Several good links here
http://securitygarden.blogspot.com/2012/05/flame-aka-flamer-or-skywiper.html

McAfee shares excellent summary of Skywiper’s features
http://blogs.mcafee.com/mcafee-labs/skywiper-fanning-the-flames-of-cyber-warfare

QUOTE: Skywiper is a modular, extendable and updateable threat. It is capable, but not limited to the following key espionage functions:

- Scanning network resources
– Stealing information as specified
– Communicate to C&C Servers over SSH and HTTPS protocols
– Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc)
– Both kernel and user mode logic is used
– Complex internal functionality utilizing Windows APC calls and and threads start manipulation, and code injections to key processes
– It loads as part of Winlogon.exe then injects to Explorer and Services
– Conceals its present as ~ named temp files, just like Stuxnet and Duqu
– Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
– Creates screen captures
– Records voice conversations
– Runs on Windows XP, Windows Vista and Windows 7 systems
– Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
– Uses SQLite Database to store collected information
– Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
– Often located on nearby systems: a local network for both C&C and target infection cases
– Utilizes PE encrypted resources

Comments are closed.