Over the past few days, we have been analyzing a potential new threat that has been operating discreetly for at least two years. We were contacted about this threat by Crysys who have released their own analysis. (The threat is referred to by CrySys as 'Skywiper'). There are indications that W32.Flamer is also the same threat as described recently by the Iranian national cert. Our analysis of the retrieved samples reveals complex code that utilizes several components. At first glance, the executable appears to be benign but further inspection reveals cleverly concealed malicious functionality.
The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry.
While our analysis is currently ongoing, the primary functionality is to obtain information and data. Initial telemetry indicates that the targets of this threat are located primarily in Eastern Europe and the Middle East. The industry sectors or affiliations of the individuals targeted are currently unclear. However, initial evidence indicates that the victims may not all be targeted for the same reason. Many appear to be targeted for individual personal activities rather than the company they are employed by. Symantec detects this threat as W32.Flamer.
By examining infection reports of one the main components and its configuration file, we can determine the targets of W32.Flamer and also a partial timeline. The timeline and targets will likely change, however, as we uncover more infection reports. Several component files have been identified. These are:
Two variants of the advnetcfg.ocx file have been discovered. The first variant dates back to September 2010. The second variant appeared in February 2011. The configuration file ccalc32.sys also has two variants, both of which appear around the same time as the advnetcfg.ocx file.
Figure 1. Timeline of threat activity
In addition to our initial telemetry, there are unconfirmed reports of infections dating back to 2007 as well. We expect to be able to confirm these reports in the coming days.
Figure 2. Distribution of the threat
Based on the number of compromised computers, the primary targets of this threat are located in the Palestinian West Bank, Hungary, Iran, and Lebanon. However, we have additional reports in Austria, Russia, Hong Kong, and the United Arab Emirates. These additional reports may represent a targeted computer that was temporarily taken to another region—for example, a laptop. Interestingly, in addition to particular organizations being targeted, many of the compromised computers appear to be personal computers being used from home Internet connections.
A number of components of the threat have been retrieved and are currently being analyzed. Several of the components have been written in such a way that they do not appear overtly malicious. There is no high-entropy data and no obviously suspicious strings. The code itself is complex, which hampers analysis. The overall functionality includes the ability to steal documents, take screenshots of users' desktops, spread through removable drives, and disable security products. Additionally, under certain conditions, the threat may also have the ability to leverage multiple known and patched vulnerabilities in Microsoft Windows in order to spread across a network.
Figure 3 describes the interaction of the various threat components identified so far. Note that in other infections, the file names may change.
Figure 3. Threat components
The advnetcfg.ocx file loads and decrypts configuration data from a file called ccalc32.sys. The ccalc32.sys file is RC4-encrypted with a 128-bit key. When the threat creates the ccalc32.sys file, it retroactively modifies the timestamp on it to be the same as kernel32.dll, a Windows system file, in an attempt to prevent the user from noticing the file. The advnetcfg.ocx file is also responsible for handling commands issued by a third component. Analysis of the remaining components has not yet identified which component is responsible for communicating with advnetcfg.ocx.
The file uses a complex method to inject itself into winlogon.exe, security products processes, or other selected processes. Multiple code blocks will be injected and called as necessary. In addition, it may also load shell32.dll (a clean Windows system DLL), but once loaded, replace the DLL in memory with a malicious DLL. The advnetcfg.ocx file also has the ability to capture screenshots and perform certain anti-debugging tricks.
The mssecmgr.ocx file is large and contains substantial functionality as shown in Figure 4.
Figure 4. mssecmgr.ocx identified components
It contains an LUA interpreter, SSH code, and SQL functionality. The implementation of an LUA interpreter makes this component highly flexible and configurable. It allows attackers to deploy updated commands and functionality very quickly and efficiently. This file may also be referenced in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Authentication Packages" = "mssecmgr.ocx"
Several additional modules are also contained in mssecmgr.ocx as shown in the diagram.
The mssecmgr.ocx file is especially interesting since its functionality references a file named ~DEB93D.tmp. The ~DEB93D.tmp file has been publicly associated by third-party researchers with a 'wiper' virus that caused several oil terminals in Iran to be disconnected from the Internet. The 'wiper' virus was named as such since it reportedly erased information from hard disks.
The nteps32.ocx file is primarily responsible for capturing screenshots. It retrieves configuration information from boot32drv.sys. This configuration data, encrypted with 0xFF, defines how the functionality operates. For example, it specifies how often to capture screenshots.
The msglu32.sys file contains code that allows it to open and steal data from various types of documents, images, images with GPS data, presentations, project files, and technical drawings. Similar to mssecmgr.sys, it also contains SQL functionality. Interestingly, this module contains multiple references to the string 'JIMMY', with messages such as 'Jimmy Notice: failed to convert error string to unicode'. Jimmy may be the codename of this module.
Within the code that we have analyzed so far, there are multiple references to the string 'FLAME'. This may be a reference to certain attacks made by various parts of the code (injections, exploits, etc.), or it may be an indication of the malware's developmental project name. No further observations have been made that could assist in locating the origin of the malware.
The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware. The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products.
Analysis and investigation into the various components is ongoing and additional more in-depth technical details as well as attack information will be published soon.