Flame On! New Advanced Stuxnet-Type Worm Infects Middle East

Who’s up for more Stuxnet-style cyber attacks against Persia? Me, that’s who.


From FoxNews here:

Computer malware described as “the most sophisticated cyber weapon yet unleashed” has been uncovered in computers in the Middle East and may have infected machines in Europe, according to reports from antivirus researchers and software makers in Russia, Hungary and Ireland.

The malware, dubbed Worm.Win32.Flame, is unusual in its complexity, size and the multitude of ways it has of harvesting information from an infected computer including keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes.

The malware is called “Flame” by Kaspersky Labs, but also known as sKyWIper by the Hungarian Laboratory of Cryptography and System Security (CrySyS Lab). Both Kaspersky Labs and CrySyS Lab said it was likely the malware was developed by a government-sponsored entity.

Although the virus has just been detected, there was evidence that it may have been in operation for at least two years.

Vitaly Kamluk, chief malware expert for Kaspersky Labs, said there were many pointers to it being a weapon, not the least of which was how highly-targeted it was. According to their investigations, only 382 infections have been reported, 189 of which were in Iran, and the malware targeted individuals rather than organizations.

Kamluk said the malware was most likely introduced by a USB stick or other removable drive. Once injected, the malware would contact one of the many command and control servers around the world and download additional modules as needed.

Whee! I haven’t seen the code snippets, but McAfee’s blog lists its capabilities here.

Skywiper is a modular, extendable and updateable threat. It is capable, but not limited to the following key espionage functions:
- Scanning network resources
- Stealing information as specified
- Communicate to C&C Servers over SSH and HTTPS protocols
- Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and and threads start manipulation, and code injections to key processes
- It loads as part of Winlogon.exe then injects to Explorer and Services
- Conceals its present as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
- Uses SQLite Database to store collected information
- Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>