After reading many articles and expert reviews about the Flame virus, I came up with the following summary.
What is Flame: Worm or Trojan?
Flame is a complex attack toolkit: it is a TROJAN modified to have WORM-like features, allowing it to replicate within local networks and across removable media.
The initial entry point of Flame is still unknown, but once a system is infected, sKyWIper (another name for the Flame virus) begins a sophisticated set of operations, including:
- Running on Windows XP, Windows Vista and Windows 7 systems;
- Scanning network resources;
- Stealing information as specified;
- Communicating with control servers over the SSH and HTTPS protocols;
- Detecting the presence of over 100 security products (AV, anti-spyware, firewalls, etc.);
- Loading itself as part of Winlogon.exe, then injecting into Explorer and Services;
- Concealing its presence as ~ named temp files, just like Stuxnet and Duqu;
- Attacking new systems over USB flash memory and the local network;
- Creating screen captures and recording voice conversations;
- Using a SQLite database to store collected information;
- Utilizing PE encrypted resources.
Flame Complexity: Masterpiece
Flame is a huge package of modules, accumulating up to 20 MB in size when fully deployed. Because of this, antivirus companies state that it is an extremely difficult piece of malware to analyze.
Flame is so big because it includes many different libraries, such as those for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3).
Flame creation date: unknown
The developers of Flame were able to change the creation dates of the files associated with this virus to 1992, 1994, 1995 and so on, but it is very obvious that these dates are incorrect and aim only to feed false data to investigators.
Analysts believe that the main Flame project was created in 2010 but is still under active development to date. There is also a strong possibility that an earlier version of this virus existed before 2010.
Why the Name: Flame
Flame, aka Flamer, aka sKyWIper, are all different call signs for the same malware. The Flame virus consists of multiple modules; one main module is called Flame, as the picture indicates. The Flame module is responsible for attacking and infecting additional computers, and this is the main reason behind the naming of this malware.
No one to claim the spoils
Although no party has claimed responsibility for the creation and usage of this malware, it is obvious that it was not created by a group of hacktivists to send a certain message, or by anonymous hackers just for the lulz.
The complex anatomy of this malware, along with the geographic spread of the targets, leaves no doubt that a great deal of resources was invested in the creation of this virus, and that it was created by a nation state in order to collect information on the operations of certain countries in the Middle East, including Iran, Lebanon, Syria, and so on.
Here's a map of the top 7 affected countries:
Stop the Flame: Update your Antivirus
In general, most recent malware is small in size so that it can be easily hidden, usually between 100 KB and 700 KB, but in Flame's case things are totally different. The large size of the Flame malware is precisely why it wasn't discovered two years ago: who would suspect a nine-megabyte ~ named temp file of being a malware database file?
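As an added example (not code from the original post), here is a small Python hunting script for exactly the pattern described above: it lists ~ named files in a temp directory that exceed a size threshold and checks whether each one carries the SQLite 3 file header, since Flame kept its collected data in a SQLite database. The directory contents are constructed sample files, not real Flame artefacts, and the 1 MiB threshold is an assumed value to tune per environment.

```python
import sqlite3
import tempfile
from pathlib import Path

# Every SQLite 3 database file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path: Path) -> bool:
    """True if the file carries the SQLite 3 header, whatever its extension says."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def hunt_tilde_temp_files(temp_dir, min_size=1024 * 1024):
    """Return files in temp_dir whose name starts with '~' and whose size is at
    least min_size bytes (assumed threshold), largest first, flagging SQLite DBs.
    Tiny '~' files such as Office lock files fall below the threshold and are
    skipped, which keeps the noise down on a real workstation."""
    findings = []
    for entry in Path(temp_dir).iterdir():
        if not entry.is_file() or not entry.name.startswith("~"):
            continue
        size = entry.stat().st_size
        if size < min_size:
            continue
        findings.append({"name": entry.name, "size": size, "sqlite": is_sqlite_file(entry)})
    return sorted(findings, key=lambda f: f["size"], reverse=True)


def build_demo_dir() -> str:
    """Create a scratch directory of constructed sample files (not real Flame artefacts)."""
    d = Path(tempfile.mkdtemp(prefix="tilde_hunt_demo_"))
    (d / "~$notes.docx").write_bytes(b"\x00" * 162)         # small lock file: ignored
    (d / "bigcache.dat").write_bytes(b"\x00" * (3 << 20))   # large but not ~ named: ignored
    (d / "~spool.tmp").write_bytes(b"\x00" * (2 << 20))     # large ~ file, not SQLite
    conn = sqlite3.connect(d / "~sample.tmp")               # large ~ file that is a SQLite DB
    conn.execute("CREATE TABLE collected (data BLOB)")
    conn.execute("INSERT INTO collected VALUES (?)", (b"\x00" * (4 << 20),))
    conn.commit()
    conn.close()
    return str(d)


if __name__ == "__main__":
    for f in hunt_tilde_temp_files(build_demo_dir()):
        print(f"{f['size']:>10} bytes  sqlite={str(f['sqlite']):5}  {f['name']}")
```

On a real host, point hunt_tilde_temp_files at the user and system temp directories and review anything it returns that is both large and a SQLite database.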
Finally, in order to remove this malware, follow one of the following links and install the appropriate removal tool / antivirus: