July 2012

Cyber warfare — the next level

By Samir Kapadia
Chartered Accountant
About this write-up

This write-up is about a new type of worm/malware, which was in the news recently. The worm, called Flamer, attracted a lot of hype and media attention, given the speculation regarding its likely impact. This write-up is an attempt to cull out some key takeaways for the benefit of the readers.

Background

Cyberspace is no longer a benign place to surf. Viruses have been getting increasingly nasty and complex over the years. But while worms were traditionally used by hackers and cybercriminals either to display their prowess or to steal information and money, it now appears that even nation-states are backing such crimes to target other countries – a trend popularly known as cyber espionage and cyber warfare.

Cyber warfare – the next level – Flamer worm

Circa 2010, news reports started appearing about a new type of worm, Stuxnet [1]. What was different about this worm was that it was the first of its kind in its level of complexity and its apparent motive, and the intended victims were not the ‘usual’ businesses or gullible individuals. On the contrary, experts believed that this was a ‘first’ – a worm written by a sovereign nation with the sole purpose of disrupting infrastructure facilities in another territory. It was also a ‘first’ because the worm was no longer attacking the zeros and ones (computer code); this time it was attacking the devices that were controlled by these zeros and ones, with a view to disrupting their functionality. There was the nagging feeling . . . the type you get when somebody really bad, and capable of doing nasty things, says . . . I’ll be back (like Arnold Schwarzenegger in Terminator). It was (painfully) obvious that Stuxnet wasn’t the last word on the topic and that things were likely to heat up . . . very soon. Coming back to the present day, that nagging feeling has become a reality – Stuxnet appeared in 2010, Duqu surfaced in 2011, and sometime around May 2012 [2] security experts started issuing warnings about the ‘Flamer’ worm, aka W32.Flamer or sKyWIper.

Threat assessment

A senior analyst at a leading security firm, sharing his view on the subject, says that this is the most sophisticated threat he has ever seen. The same security firm had undertaken a detailed analysis of the ground-breaking Stuxnet virus, which ‘purportedly’ targeted Iran’s nuclear enrichment facilities two years ago, sending some of their centrifuges spinning out of control. The preliminary results shared by the senior analyst suggested that Flamer appeared to be even more complex than Stuxnet, and that it was an incredibly clever, comprehensive ‘spying programme’.

Grapevine reports suggest, “Flamer is a backdoor worm that goes looking for very specific information. It scrapes a mass of information from any infected machine and then sends it, without the user having any idea what is going on. The amount of information it can send is huge”.

Components identified [3]

A number of components of the threat have been retrieved and are currently being analysed. Several of the components have been written in such a way that they do not appear overtly malicious. Some of the components identified as malicious are:

• advnetcfg.ocx (0.6 MB) – backdoor component
• ccalc32.sys – RC4-encrypted config file
• mssecmgr.sys (6 MB) – main compression component, Lua interpreter, SSH, SQL library
• msglu32.ocx (1.6 MB) – steals data from images and documents
• boot32drv.sys (~1 KB) – config file
• nteps32.ocx (0.8 MB) – performs screen capture

This time it is different

The one thing that everyone is sure about is that Stuxnet, Duqu and Flamer are definitely in another class from your typical spyware or fake antivirus threat. Experts universally agree that such complex software required a coding team and could not have been achieved by a lone-wolf coder. The complexity of the task has led many to presume that only a nation-state would have the resources, just as is being speculated in the case of Stuxnet. It is interesting to note that, unlike Duqu, Stuxnet and Flamer have the ability to infect systems via USB key, thus allowing them entry into facilities that are isolated from the Internet. They also use the same printer-driver vulnerability to spread within the local network. While all three worms are similar in the sense that all three are seriously modular (i.e., built in a way that lets their command and control servers add or update functionality at any time), Flamer is definitely a step up.

  • Here is why: According to Kaspersky researchers, a Stuxnet infestation takes just 500 KB of space; as against this, Flamer is an out-and-out giant at 20 MB. Part of Flamer’s size comes from its use of many third-party code libraries, prefab modules that handle tasks like managing databases and interpreting script code. Neither Stuxnet nor Duqu relies on third-party modules.

  • Given its size, Flamer is smart enough to mask its download impact. It is downloaded in multiple sessions. This is done to avoid giving itself away. In this respect, it is far more intelligent than its predecessors.

  • Stuxnet and Duqu used stolen digital signatures to fool antivirus software. Unlike these, Flamer doesn’t use a digital signature. Instead, Flamer uses some unique techniques for self-protection, chief among them the ability to recognise over 100 antivirus installations and modify its behaviour accordingly. It uses five different encryption methods, three different compression techniques, at least five different file formats (some of them proprietary) and special code injection techniques.

  • Although Flamer is not concealed by a rootkit, it uses a series of tricks to stay hidden and stealthily export stolen data. One of its most amazing capabilities is the creation of a file on the USB stick simply named ‘.’ (dot). Even if the short name for this file is HUB001.DAT, the long name is set to ‘.’, which is interpreted by Windows as the current directory. This makes the OS unable to read the contents of the file or even display it. A closer look inside the file reveals that it is encrypted with a substitution algorithm.
  • Flamer is definitely complex. In one of the earlier reports on this threat, a security expert noted that it has at least 20 modules, most of which are still being investigated. Another expert remarked that one of its smaller modules is over 70,000 lines of decompiled C code and contains over 170 encrypted strings. As for what it does, you might better ask what it doesn’t do. Just about any kind of espionage you can imagine is handled by one of Flamer’s modules.

  • Flamer has very advanced functionality to steal information and to propagate. Using this toolkit, multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as has been done in Flamer.

  • Stuxnet relied on an unprecedented four zero-day attacks to penetrate systems and Duqu managed with just one zero-day attack. Flamer didn’t use any zero-day attacks.
  • Stuxnet and Duqu infestations automatically self-destructed after a set time; Flamer can self-destruct, but only upon receiving the auto-destruct code from its masters.
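The hidden-file trick described above (a long name of ‘.’ behind an ordinary 8.3 short name) lends itself to a simple defensive check. The following is an added example, not code from the original write-up or from any vendor report: it parses a constructed Windows directory listing laid out like `dir /x` output (date, time, size, short name, long name) and flags long names that the Win32 path layer cannot address as ordinary files. The listing, the volume label and all entries other than the HUB001.DAT / ‘.’ pair are constructed sample data.

```python
import re
from dataclasses import dataclass

# One entry of a "dir /x"-style listing: date, time (optional AM/PM), size,
# 8.3 short name, then the long name (which may contain spaces).
LISTING_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+[AP]M)?\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$")

# Constructed sample listing of a USB stick. The HUB001.DAT / '.' pair mirrors
# the behaviour described in the write-up; the other entries are made up.
SAMPLE_LISTING = """\
 Volume in drive E is USBSTICK
05/28/2012  09:12 AM             4,096 REPORT~1.DOC Quarterly report.docx
05/28/2012  09:14 AM         1,048,576 HUB001.DAT   .
05/28/2012  09:15 AM               812 NOTES.TXT    notes.txt
05/28/2012  09:16 AM             2,048 BACKUP~1.ZIP backup.zip.
"""

@dataclass(frozen=True)
class Finding:
    short_name: str
    long_name: str
    reason: str

def parse_listing(text):
    """Return (short_name, long_name, size_bytes) for each file entry."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            entries.append((m.group(4), m.group(5), int(m.group(3).replace(",", ""))))
    return entries

def audit_names(text):
    """Flag long names that cannot be opened as ordinary files by that name."""
    findings = []
    for short, long_, _size in parse_listing(text):
        if long_ in (".", ".."):
            # '.' and '..' always mean the current and parent directory, so a
            # data file carrying this long name is unreadable via that name;
            # its 8.3 alias is the only handle on it.
            findings.append(Finding(short, long_, "reserved directory name"))
        elif set(long_) <= {"."}:
            findings.append(Finding(short, long_, "name made only of dots"))
        elif long_.endswith("."):
            # Win32 silently strips trailing dots, so the name shown here does
            # not open the file either.
            findings.append(Finding(short, long_, "trailing dot"))
    return findings

if __name__ == "__main__":
    for f in audit_names(SAMPLE_LISTING):
        print(f"{f.short_name:14} long name {f.long_name!r}: {f.reason}")
```

On a real host the same check would be run over the output of `dir /x` for the removable drive; the short name column is what lets the file be inspected or removed when the long name cannot be used.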

It’s worth noting that Flamer doesn’t necessarily do any of the things described above, not even replicate to other systems, unless it’s told to do so by its Command and Control servers. This, combined with the fact that it uses many standard commercial modules, has helped it get past behaviour- and reputation-based detection systems (i.e., our commonly used antivirus systems).

It’s a live program that communicates back to its master. It asks, where should I go? What should I do now?

Experts say that Flamer is most likely capable of using all of a computer’s functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes.

Put simply, once a system is infected, Flamer begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on.

Sounds just like a cold war (fiction) scenario — where highly trained, deep cover ‘sleeper’ agents were inserted deep inside enemy territory to attack the enemy from within. Takes me back to some of my favourite movies . . . Salt, Killers, The Impossible Spy . . .

Readers who are interested in more technical information may also look up the following:

  • http://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-0702-99&om_rssid=sr-mixed30days

  • http://blogs.mcafee.com/mcafee-labs/jumping-in-to-the-flames-of-skywiper

  • http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1195098

  • http://www.f-secure.com/weblog/archives/00002371.html

  • http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat

  • http://www.mcafee.com/us/about/skywiper.aspx

  • http://www.crysys.hu/skywiper/skywiper.pdf [4]

It would be a cliché to say that this is not the last we have heard about this worm, or that cyber warfare is now gaining momentum; therefore, expect to read and hear more on this topic.

1. Read ‘Cyber warfare – the next level’, BCAJ, October 2010.

2. Unconfirmed reports suggest Flamer was first reported as early as 2007.

3. Source: www.symantec.com
