Flame / Flamer / Skywiper – Most complex/sophisticated malware ever found?


The malware called Flame has a lot of features that could, at first sight, qualify it as one of the most sophisticated malware samples found. Whether it is the most complicated is subject to interpretation. It does not use obfuscation techniques to hide its code, nor does it show any really new malware behavior.

Flame is different in the sense that it is big in file size and complexity and has many different capabilities, but none of them is overwhelmingly revolutionary or new: we have seen all these functions before. Furthermore, it is very difficult to determine how many computers have been infected and still are infected. The fact is that we will never know for sure, because Flame can erase itself from infected machines very efficiently.

Below is a short summary of our analysis:
After analyzing the malware, we have confirmed some of the findings made at the CrySyS Lab (Budapest University of Technology and Economics, Hungary) and Kaspersky Labs.

Most press releases cover the newly recognized toolkit and have baptized it the most “complex/sophisticated” in the history of the malware industry so far. With the following capabilities, it can definitely carry out many operations:

  • It is a modular attack toolkit with multiple components to carry out all its malicious intentions:
    Code Screenshot: Some of Flame's dropped component files

  • It creates a file called “mscrypt.dat” in c:\program files\common files\microsoft shared\mssecuritymgr\. This is an encrypted file which includes code, data and some configuration parameters used for attacks. According to CrySyS, the file can be decrypted with the help of a table especially composed for DAT files, which is integrated in the malware code as well.

  • With a file size of almost 6MB, the main file, “mssecmgr.ocx”, is hard to debug.

  • It combines the features of a backdoor, a Trojan and a worm, and data theft in particular is among its intentions (carried out on commands from the attacker).

  • It injects its code into system files to stay alive on the infected machine (such as explorer.exe (shell32.dll), services.exe, winlogon.exe):
    Code Screenshot: Some of Flame's code injections

  • It bypasses some AV products installed on the infected machine:
    Screenshot: Part of the list of AV vendors Flame bypasses

  • One of the strategies to make itself always present in the infected system is to manipulate the LSA registry entry, adding itself as an LSA Authentication Package.

  • It checks the Internet connection with the help of the Windows update function before proceeding with its execution.

  • The backdoor functionality, which may collect sensitive information, uses C&C communication (HTTP protocol over an SSL/SSH tunnel) to send and receive commands from several servers all over the world and to steal the following information. It:
    • Looks up information about the infected machine
    • Can get drive directory information
    • Can search for information about available documents
    • Can take screenshots and can record audio by controlling the microphone (and can therefore secretly record ambient sound, like top secret conversations)
    • Can use Bluetooth functionality to check for turned-on devices around the infected machine
    • Can list all filenames in a specific directory
    • Can do ‘basically anything’ the attacker wants, because he/she has already obtained all permissions on the infected machine.

  • The malware has its own database functionality to save all gathered information.

  • It also has the capacity to execute SQLite commands and has embedded Lua scripts to access the database. This technique is quite uncommon in other toolkits. With this scripting, attackers can easily embed malicious instructions:
    Code Screenshot: Some of Flame's scriptings

  • It may also capture network traffic.

  • One way of propagation in a local network is through printer vulnerabilities (e.g. CVE-2010-2729), remote jobs, and through removable storage drives (pen drives, mobile HDDs, etc.).
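The LSA Authentication Package persistence and the dropped file names listed above can be checked on a suspect host. The following is an added example, not code from the original analysis: it parses the text output of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"` and a collected file listing, and reports anything outside an assumed baseline. The baseline, function names and sample input are assumptions made for this illustration.

```python
import re

# Assumption: a stock Windows install lists only msv1_0 in this value;
# extend the baseline with packages your environment legitimately adds.
BASELINE_PACKAGES = {"msv1_0"}

# Directory and file names quoted in the article, lower-cased for matching.
FLAME_DIR = r"c:\program files\common files\microsoft shared\mssecuritymgr"
FLAME_FILES = {"mssecmgr.ocx", "mscrypt.dat"}

_VALUE_RE = re.compile(
    r"^\s+Authentication Packages\s+REG_MULTI_SZ\s+(?P<data>.*)$",
    re.IGNORECASE | re.MULTILINE)

def parse_auth_packages(reg_output):
    """Extract the Authentication Packages entries from reg.exe query output."""
    match = _VALUE_RE.search(reg_output)
    if not match:
        return []
    # reg.exe prints REG_MULTI_SZ entries separated by a literal "\0".
    return [p.strip() for p in match.group("data").split("\\0") if p.strip()]

def unexpected_packages(packages, baseline=BASELINE_PACKAGES):
    """Return packages that are not in the (case-insensitive) baseline."""
    known = {b.lower() for b in baseline}
    return [p for p in packages if p.lower() not in known]

def flame_file_hits(paths):
    """Return paths whose name or parent directory matches the article."""
    hits = []
    for path in paths:
        directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
        if name in FLAME_FILES or directory == FLAME_DIR:
            hits.append(path)
    return hits

def triage(reg_output, paths):
    packages = parse_auth_packages(reg_output)
    return {"unexpected_lsa_packages": unexpected_packages(packages),
            "file_hits": flame_file_hits(paths)}

# Constructed sample input, not captured from a real host.
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
    "    Authentication Packages    REG_MULTI_SZ    msv1_0\\0mssecmgr.ocx\n"
    "    Notification Packages    REG_MULTI_SZ    scecli\n")
SAMPLE_PATHS = [
    r"C:\Windows\System32\msv1_0.dll",
    r"C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat"]
```

An empty result does not prove a host is clean, since Flame can erase itself from infected machines.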

The main file, mssecmgr.ocx, has debug information embedded, which makes it a bit easier to analyze. There is no obfuscation or packing employed to hide its malicious code. Nonetheless, Flame is too big to be fully analyzed in a short period of time.

Since the main purpose of this malware is to steal information in many ways, researchers will have to identify where the gathered and stored information is sent.
Who is behind this attack? What are the real intentions, what kind of confidential information do they want to collect, and for what reasons? Is it made to spy on governmental institutions, on the industry’s big players, on private industry? It is not entirely clear yet. The malware we analyzed has a lot of functionality that has been used or can be used as a cyber-weapon against a specific organization, to perform a targeted attack. Most probably, it was designed to target selected computers/organizations, especially governmental organizations.

Another aspect to look at in the coming months: will the attackers and programmers stop working on Flame now, or will they continue with their project and improve the malware against renewed detections?

Like everybody, we will also keep an eye on this situation!