Attack: "Flame"

What you need to know about the Skywiper threat

On May 27, 2012, industry and media outlets began reporting details of a complex targeted attack known as “Flame” or “Flamer”. In some cases, this same threat was previously described as “Viper” or “Wiper”. This currently active attack is multi-faceted and in many ways sets a new precedent for reconnaissance and data exfiltration within this attack genre.

Attack Details

Skywiper is a modular, extendable and updateable threat. Its capabilities include, but are not limited to, the following key espionage functions:

  • Scanning network resources
  • Stealing information as specified
  • Communicating with command and control (C&C) servers over the SSH and HTTPS protocols
  • Detecting the presence of more than 100 security products (antivirus, antispyware, firewalls, etc.)
  • Using both kernel- and user-mode logic
  • Employing complex internal functionality using Windows APC calls, thread start manipulation, and code injection into key processes: loading as part of Winlogon.exe and then injecting itself into explorer.exe and services
  • Concealing its presence as ~-named temp files, just as Stuxnet and Duqu did
  • Attacking new systems via USB flash memory and local networks (spreading slowly)
  • Creating screen captures
  • Recording voice conversations
  • Running on Windows XP, Windows Vista, and Windows 7 systems
  • Containing known exploits, such as the print spooler and LNK exploits found in Stuxnet
  • Using a SQLite database to store collected information
  • Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
  • Often located on nearby systems, using the local network for both C&C and target infection
  • Using multiple encryption methods (e.g. XOR and RC4)
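A triage sweep for two of the traits listed above, ~-named temp files and SQLite-backed storage, written as an added example that is not McAfee's code and not part of the original advisory. The temp directories it checks (%TEMP%, %TMP%, %WINDIR%\Temp) and the sample files it constructs are assumptions; a hit is input for review, not a verdict, since legitimate software also creates ~-prefixed temp files.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Every SQLite 3 database file begins with this 16-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"


def default_temp_dirs() -> List[Path]:
    """Temp locations to sweep (assumption: %TEMP%, %TMP% and %WINDIR%\\Temp)."""
    dirs = [Path(os.environ[v]) for v in ("TEMP", "TMP") if os.environ.get(v)]
    if os.environ.get("WINDIR"):
        dirs.append(Path(os.environ["WINDIR"]) / "Temp")
    return dirs


def is_sqlite_file(path: Path) -> bool:
    """True if the file starts with the SQLite 3 header, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def find_tilde_temp_files(dirs: Iterable[Path]) -> List[Dict[str, object]]:
    """List ~-prefixed files in the given directories and flag SQLite databases among them.

    Office lock files and other benign temp files also start with '~', so every hit
    still needs review (owning process, hash, creation time) before any conclusion.
    """
    hits = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if p.is_file() and p.name.startswith("~"):
                hits.append({"path": str(p), "size": p.stat().st_size,
                             "sqlite": is_sqlite_file(p)})
    # SQLite-backed hits first: they match two of the advisory's traits at once.
    return sorted(hits, key=lambda h: not h["sqlite"])


def build_sample_dir() -> Path:
    """Constructed sample directory (names invented) so the sweep runs offline."""
    d = Path(tempfile.mkdtemp(prefix="tilde_sweep_"))
    (d / "~data.tmp").write_bytes(SQLITE_MAGIC + b"\x00" * 96)  # ~-named SQLite file
    (d / "~scratch.tmp").write_bytes(b"just text")              # ~-named, not SQLite
    (d / "report.db").write_bytes(SQLITE_MAGIC)                 # SQLite, not ~-named
    return d


if __name__ == "__main__":
    for hit in find_tilde_temp_files(default_temp_dirs() or [build_sample_dir()]):
        print(f"{'SQLITE' if hit['sqlite'] else 'other '} {hit['size']:>8} {hit['path']}")
```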

McAfee Solutions

Malware

  • AV / MWG: Coverage is provided in the 6726 DATs (released on May 29) as "Skywiper".
  • McAfee Network Security Platform: A Network Security Emergency User Defined Signature (HTTP: W32/Skywiper Activity Detected) has been created to detect this threat. The UDS is available for download via McAfee Knowledge Base article KB55447.
  • McAfee Vulnerability Manager: Pending. Coverage will be provided via an upcoming MVM/FSL release.
  • McAfee Firewall Enterprise: Related domains and IP addresses are detected via products with GTI configured.
  • McAfee Application Control: Coverage is provided via Runtime Control.

Vulnerability / Exploit-Specific

  • AV / MWG:
      CVE-2010-2729 - N/A
      CVE-2010-2568 - Covered as "Exploit-CVE2010-2568" in the current DAT set.
  • McAfee Network Security Platform:
      CVE-2010-2729 - Coverage is provided via "NETBIOS-SS: Microsoft Windows Print Spooler Service Impersonation Vulnerability".
      CVE-2010-2568 - Coverage is provided via the following signatures: SMTP: Suspicious .Lnk Attachment Found / HTTP: Windows Shell Shortcut LNK File Parsing Vulnerability / HTTP: lnk File Download Detected / NETBIOS-SS: lnk File Access Detected
  • McAfee Vulnerability Manager:
      CVE-2010-2729 - Coverage is provided via the following MVM check: (MS10-061) Microsoft Windows Print Spooler Service Impersonation (2347290)
      CVE-2010-2568 - Coverage is provided via the following MVM check: (MS10-046) Microsoft Windows Shortcut Icon Loading Remote Code Execution (2286198)
  • McAfee Firewall Enterprise: Related domains and IP addresses are detected via products with GTI configured.
  • McAfee Application Control: Coverage is provided via Runtime Control.

Microsoft Security Advisory (2718704)

  • AV / MWG: Coverage is provided in the 6726 DATs (released on May 29) as "Skywiper". Coverage is also provided via an updated Stinger tool.
  • McAfee Network Security Platform: U/A
  • McAfee Vulnerability Manager: Covered - Microsoft Windows Unauthorized Digital Certificates Spoofing (2718704)
  • McAfee Firewall Enterprise: U/A
  • McAfee Application Control: U/A

Resources