This week, a new complex malware, known as Flame or Skywiper, was uncovered and has reportedly affected Iran’s energy sector. Currently, this form of cyber warfare appears to target only select businesses and governments. In case the cyber criminals change their focus, the McAfee Labs team is actively monitoring any threats to consumers.
The Target (as of June 3):
Businesses and governments in the U.S. and the Middle East.
The cyber criminals are using command servers to control this form of malware. It is capable of, but not limited to, the following key espionage functions:
– Scanning network resources
– Stealing information as specified
– Communicating to control servers over SSH and HTTPS protocols
– Detecting the presence of over 100 security products (AV, antispyware, FW, etc.)
– Using both kernel- and user-mode logic
– Employing complex internal functionality using Windows APC calls, thread start manipulation, and code injections into key processes
– Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
– Concealing its presence as ~-named temp files, just like Stuxnet and Duqu
– Attacking new systems over USB flash memory and the local network (spreading slowly)
– Creating screen captures
– Recording voice conversations
– Running on Windows XP, Windows Vista, and Windows 7 systems
– Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
– Using SQLite database to store collected information
– Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
– Often located on nearby systems: a local network for both control and target infection cases
– Using PE-encrypted resources
Tips to Avoid Being a Victim:
- For businesses, governments and consumers, McAfee antivirus products will detect and clean the threat as W32/Skywiper from infected systems.
- Consumers should be aware that most malware infections start the same way as Flame/Skywiper: someone clicks on something they shouldn’t have. It is important for them to exercise caution and common sense before they click.
- Even though this attack is not targeted at consumers, it’s an important reminder to practice good habits and stay on guard. As with other malware infections, McAfee has software that can help protect them if they make a mistake.