UPDATED: Cyber Espionage Reaches New Levels with Flamer

Download the 32-bit or the 64-bit removal tools and find out if you’re infected with Flamer, the most discreet and dangerous piece of malware seen to date. If you are already protected by a Bitdefender security solution, you do not need to run the removal tool.
Update 1: We have just discovered that Trojan.Flamer.A comes with yet another controversial component, suggestively named SUICIDE. This component cleans up the infected system automatically when the appropriate command is issued by the remote attackers. The SUICIDE module references more than 70 files (part of the Flamer framework) that are to be wiped from the system in order to deter forensic analysis. The referenced files are listed below:
SUICIDE.RESIDUAL_FILES.A string %temp%\~a28.tmp
SUICIDE.RESIDUAL_FILES.B string %temp%\~DFL542.tmp
SUICIDE.RESIDUAL_FILES.C string %temp%\~DFL543.tmp
SUICIDE.RESIDUAL_FILES.D string %temp%\~DFL544.tmp
SUICIDE.RESIDUAL_FILES.E string %temp%\~DFL545.tmp
SUICIDE.RESIDUAL_FILES.F string %temp%\~DFL546.tmp
SUICIDE.RESIDUAL_FILES.G string %temp%\~dra51.tmp
SUICIDE.RESIDUAL_FILES.H string %temp%\~dra52.tmp
SUICIDE.RESIDUAL_FILES.I string %temp%\~fghz.tmp
SUICIDE.RESIDUAL_FILES.J string %temp%\~rei524.tmp
SUICIDE.RESIDUAL_FILES.K string %temp%\~rei525.tmp
SUICIDE.RESIDUAL_FILES.L string %temp%\~TFL848.tmp
SUICIDE.RESIDUAL_FILES.M string %temp%\~TFL849.tmp
SUICIDE.RESIDUAL_FILES.N string %temp%\~ZFF042.tmp
SUICIDE.RESIDUAL_FILES.O string %temp%\GRb9M2.bat
SUICIDE.RESIDUAL_FILES.P string %temp%\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.Q string %temp%\scaud32.exe
SUICIDE.RESIDUAL_FILES.R string %temp%\scsec32.exe
SUICIDE.RESIDUAL_FILES.S string %temp%\sdclt32.exe
SUICIDE.RESIDUAL_FILES.T string %temp%\sstab.dat
SUICIDE.RESIDUAL_FILES.U string %temp%\sstab15.dat
SUICIDE.RESIDUAL_FILES.V string %temp%\winrt32.dll
SUICIDE.RESIDUAL_FILES.W string %temp%\winrt32.ocx
SUICIDE.RESIDUAL_FILES.X string %temp%\wpab32.bat
SUICIDE.RESIDUAL_FILES.Z string %windir%\system32\commgr32.dll
SUICIDE.RESIDUAL_FILES.A1 string %windir%\system32\comspol32.dll
SUICIDE.RESIDUAL_FILES.A2 string %windir%\system32\comspol32.ocx
SUICIDE.RESIDUAL_FILES.A3 string %windir%\system32\indsvc32.dll
SUICIDE.RESIDUAL_FILES.A4 string %windir%\system32\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.A5 string %windir%\system32\modevga.com
SUICIDE.RESIDUAL_FILES.A6 string %windir%\system32\mssui.drv
SUICIDE.RESIDUAL_FILES.A7 string %windir%\system32\scaud32.exe
SUICIDE.RESIDUAL_FILES.A8 string %windir%\system32\sdclt32.exe
SUICIDE.RESIDUAL_FILES.A9 string %windir%\system32\watchxb.sys
SUICIDE.RESIDUAL_FILES.A10 string %windir%\system32\winconf32.ocx
SUICIDE.RESIDUAL_FILES.A11 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\rccache.dat
SUICIDE.RESIDUAL_FILES.A12 string %windir%\system32\mssvc32.ocx
SUICIDE.RESIDUAL_FILES.A13 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A14 string %COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A15 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A16 string %COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A17 string %SYSTEMROOT%\Temp\~8C5FF6C.tmp
SUICIDE.RESIDUAL_FILES.A18 string %windir%\system32\sstab0.dat
SUICIDE.RESIDUAL_FILES.A19 string %windir%\system32\sstab1.dat
SUICIDE.RESIDUAL_FILES.A20 string %windir%\system32\sstab2.dat
SUICIDE.RESIDUAL_FILES.A21 string %windir%\system32\sstab3.dat
SUICIDE.RESIDUAL_FILES.A22 string %windir%\system32\sstab4.dat
SUICIDE.RESIDUAL_FILES.A23 string %windir%\system32\sstab5.dat
SUICIDE.RESIDUAL_FILES.A24 string %windir%\system32\sstab6.dat
SUICIDE.RESIDUAL_FILES.A25 string %windir%\system32\sstab7.dat
SUICIDE.RESIDUAL_FILES.A26 string %windir%\system32\sstab8.dat
SUICIDE.RESIDUAL_FILES.A27 string %windir%\system32\sstab9.dat
SUICIDE.RESIDUAL_FILES.A28 string %windir%\system32\sstab10.dat
SUICIDE.RESIDUAL_FILES.A29 string %windir%\system32\sstab.dat
SUICIDE.RESIDUAL_FILES.B1 string %temp%\~HLV751.tmp
SUICIDE.RESIDUAL_FILES.B2 string %temp%\~KWI988.tmp
SUICIDE.RESIDUAL_FILES.B3 string %temp%\~KWI989.tmp
SUICIDE.RESIDUAL_FILES.B4 string %temp%\~HLV084.tmp
SUICIDE.RESIDUAL_FILES.B5 string %temp%\~HLV294.tmp
SUICIDE.RESIDUAL_FILES.B6 string %temp%\~HLV927.tmp
SUICIDE.RESIDUAL_FILES.B7 string %temp%\~HLV473.tmp
SUICIDE.RESIDUAL_FILES.B8 string %windir%\system32\nteps32.ocx
SUICIDE.RESIDUAL_FILES.B9 string %windir%\system32\advnetcfg.ocx
SUICIDE.RESIDUAL_FILES.B10 string %windir%\system32\ccalc32.sys
SUICIDE.RESIDUAL_FILES.B11 string %windir%\system32\boot32drv.sys
SUICIDE.RESIDUAL_FILES.B12 string %windir%\system32\soapr32.ocx
SUICIDE.RESIDUAL_FILES.B13 string %temp%\~rf288.tmp
SUICIDE.RESIDUAL_FILES.B14 string %temp%\~dra53.tmp
SUICIDE.RESIDUAL_FILES.B15 string %systemroot%\system32\msglu32.ocx
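The list above doubles as a set of file-system indicators. As an added example (not part of Bitdefender's write-up or tooling), the script below parses entries in that "<key> string <path>" form, expands the Windows placeholders against an assumed directory layout of a mounted disk image, and reports which residual files are still present. Two points a practitioner would want handled: the placeholder names and NTFS file names are case-insensitive, while a Linux mount of the image is not, so the lookup walks each path component case-insensitively; and the %temp% mapping is an assumption (the LocalSystem temp directory), so the scan should be repeated with each user profile's temp directory. If the SUICIDE command has already been issued, these paths will be gone; their absence is not evidence of a clean host.

```python
import re
import shutil
import sys
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed subset of the SUICIDE.RESIDUAL_FILES entries quoted above, in the same
# "<key> string <path>" form; paste the full list here for a real triage run.
SUICIDE_LIST = r"""
SUICIDE.RESIDUAL_FILES.A string %temp%\~a28.tmp
SUICIDE.RESIDUAL_FILES.P string %temp%\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.Z string %windir%\system32\commgr32.dll
SUICIDE.RESIDUAL_FILES.A11 string %COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\rccache.dat
SUICIDE.RESIDUAL_FILES.B15 string %systemroot%\system32\msglu32.ocx
"""

LINE_RE = re.compile(r"^(?P<key>SUICIDE\.RESIDUAL_FILES\.[A-Z]\d*)\s+string\s+(?P<path>\S.*?)\s*$")

# Assumed layout of the mounted image, relative to its root. Placeholder names are
# matched case-insensitively, as Windows does. %temp% is mapped to the LocalSystem temp
# directory (assumption); rerun with each user profile's temp directory as well.
DEFAULT_ENV = {
    "windir": "Windows",
    "systemroot": "Windows",
    "temp": "Windows/Temp",
    "commonprogramfiles": "Program Files/Common Files",
}


def parse_suicide_list(text):
    """Parse list lines into (key, windows_path) pairs; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("path")))
    return entries


def expand_placeholders(win_path, env):
    """Replace %VAR% tokens and return the path as a tuple of components."""
    def repl(m):
        name = m.group(1).lower()
        if name not in env:
            raise KeyError(f"unmapped placeholder %{m.group(1)}% in {win_path}")
        return env[name]
    expanded = re.sub(r"%([^%]+)%", repl, win_path)
    # PureWindowsPath accepts both separators, so env values may use '/' freely.
    return PureWindowsPath(expanded).parts


def resolve_ci(root, parts):
    """Walk `parts` below `root`, matching each component case-insensitively.
    NTFS names are case-insensitive but a Linux mount of the image is not, so a plain
    Path.exists() would miss 'WINDOWS\\System32'. Returns the file Path or None."""
    cur = Path(root)
    for part in parts:
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur if cur.is_file() else None


def scan_image(root, entries, env=DEFAULT_ENV):
    """Return [(key, Path)] for every residual file still present under `root`."""
    hits = []
    for key, win_path in entries:
        found = resolve_ci(root, expand_placeholders(win_path, env))
        if found is not None:
            hits.append((key, found))
    return hits


def demo_scan():
    """Plant two residual files in a constructed image tree (with mixed-case directory
    names to exercise the case-insensitive walk) and return the keys the scan reports."""
    root = Path(tempfile.mkdtemp(prefix="flamer_triage_"))
    planted = [
        ("WINDOWS", "System32", "commgr32.dll"),
        ("Program Files", "Common Files", "Microsoft Shared", "MSSecurityMgr", "rccache.dat"),
    ]
    for parts in planted:
        p = root.joinpath(*parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00")
    try:
        return [key for key, _ in scan_image(root, parse_suicide_list(SUICIDE_LIST))]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python flamer_triage.py /mnt/image
        for key, path in scan_image(sys.argv[1], parse_suicide_list(SUICIDE_LIST)):
            print(f"{key}\t{path}")
    else:
        print(demo_scan())
```

Run it with the mount point of the image as the only argument; with no argument it builds the constructed tree and reports the two planted files. The file names themselves are the indicator here, so a hit should be followed by hashing and examination of the file, since the names were chosen to look like legitimate system components.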
The discovery of Stuxnet back in 2010 sparked intense debate on the state of security in cyber-space. But, even though Stuxnet was successfully identified, isolated and dealt with, its predecessor (and companion) has remained undetected all this time by employing tactics that likely make it the most advanced e-threat in the world to date.
When state-of-the-art malware detection works against intelligence gathering
This new e-threat, identified by Bitdefender as Trojan.Flamer.A, appears to have emerged before Stuxnet and Duqu hit. All this time it has operated discreetly, and even though some of its components were detected around the time Stuxnet was discovered, the AV industry could not see how deep the operation ran.
On average, between 15,000 and 35,000 unique malware samples appear daily, which makes manual analysis or individual identification technically unfeasible. Most antivirus vendors rely on generic detections and heuristics to cover as much of this malicious pool as possible. Consequently, the features Flamer.A shared with Stuxnet made antivirus products detect it as a generic Stuxnet sample. This, along with some other technical features, allowed it to stay hidden, although its operation was impacted.
At a glance, the Flamer.A Trojan appears much more advanced than Stuxnet. This complex and flexible piece of malware was built using a variety of technologies ranging from LUA scripting to assembly language. Its modular structure makes it extremely flexible and apparently able to carry out any task for its attackers.
The Flamer Trojan includes a spying component called nteps32.ocx. This component, named REAR_WINDOW, has an earlier version called comspol32.ocx that has been in circulation since the end of 2010 and is well detected by antivirus vendors under miscellaneous signatures.
Bitdefender also managed to isolate a new component called atmpsvcn.ocx that dates from approximately October 2010 and that is also detected as Stuxnet. Its purpose is not yet known, as analysis is pending, but preliminary data point to it being used for USB drive spreading and for detecting the AV solutions installed on the PC.
We mentioned that Flamer.A makes heavy use of LUA scripts. Bitdefender identified 62 such scripts used by the malware to control everything, from loading the OCX modules to regulating data exchange between these components. Among other things, these highly specialized LUA modules can circumvent some antivirus solutions, control the theft of information from the infected PC, or download new malicious components as they are updated. Combined, these LUA scripts amount to more than 6,500 lines of code.
SSL encryption working against the user
Encrypting data in transit is usually beneficial for the user; Flamer.A turns it against them. The infected PCs connect to an array of servers to which they send encrypted data over HTTPS. The data packages we intercepted and decrypted were buffers of about 100 kilobytes that apparently carry files of various sizes. The one we intercepted was 108,116 bytes and was encrypted with the “LifeStyle2” password, using a currently unknown algorithm. This might be either a file leaked from the infected PC or an activity log file sent to the C&C. It also appears that the file was sent by the leak_app.lua script.
Source:
http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/