Flame (malware)
Introduction:
Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in
2012 that attacks computers running the Microsoft Windows operating system.
Flame is a backdoor and a Trojan with worm-like features. The initial point of entry for the virus is
unknown -- spearphishing or infected websites are possibilities -- but after the initial infection, the virus
can spread through USB sticks or local networks.
Components:
Flame is a large program for malware at 20 megabytes. It is written partly in the Lua scripting language
with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.
The malware uses five different encryption methods and an SQLite database to store structured
information.
Operation:
The method used to inject code into various processes is stealthy, in that the malware modules do not
appear in a listing of the modules loaded into a process and malware memory pages are protected with
READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications.
The malware determines what antivirus software is installed, then customises its own behaviour (for
example, by changing the filename extensions it uses) to reduce the probability of detection by that
software. Additional indicators of compromise include mutex and registry activity, such as installation of
a fake audio driver which the malware uses to maintain persistence on the compromised system.
Flame is not designed to deactivate automatically, but supports a "kill" function that makes it eliminate
all traces of its files and operation from a system on receipt of a module from its controllers.
The malware authors identified a Microsoft Terminal Server Licensing Service certificate that
inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm, then
produced a counterfeit copy of the certificate that they used to sign some components of the malware
to make them appear to have originated from Microsoft.
http://www.symantec.com/connect/blogs/flame-malware-exploits-microsofts-digital-certificate



Compromised Microsoft certificate using the weak MD5 algorithm, and the
unintended code-signing usage.
Version: V3
Serial number: 3a ab 11 de e5 2f 1b 19 d0 56
Signature algorithm: md5RSA
Signature hash algorithm: md5
Issuer: CN = Microsoft Root Authority, OU = Microsoft Corporation, OU = Copyright (c) 1997 Microsoft Corp.
Valid from: Thursday, 10 December 2009 11:55:35 AM
Valid to: Sunday, 23 October 2016 6:00:00 PM
Subject: CN = Microsoft Enforced Licensing Intermediate PCA, OU = Copyright (c) 1999 Microsoft Corp., O = Microsoft Corporation, L = Redmond, S = Washington, C = US

The malware can perform the following tasks:
- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc.)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls and threads start manipulation, and code injections to key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
- Using SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extensibility of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources

Symptoms:
Presence of the aforementioned registry keys and files.
On execution, the malware injects its code into a running process and creates a mutex with the name
"TH_POOL_SHD_PQOISNG_#PID#SYNCMTX" to identify its presence on the system.
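The mutex indicator above can be hunted for in a handle or mutant listing taken from a suspect host or memory image. The following is an added example, not code from the cited vendor write-ups; it assumes that "#PID#" stands for a decimal process ID, and the CSV listing format, the sample rows and the function name are constructed for illustration.

```python
import csv
import io
import re

# Mutex name from the write-up. Assumption: "#PID#" is replaced by a decimal
# process ID at run time. Windows named objects are normally looked up
# case-insensitively, so the match ignores case.
FLAME_MUTEX = re.compile(r"(?:^|\\)(TH_POOL_SHD_PQOISNG_(\d+)SYNCMTX)$", re.IGNORECASE)

# Constructed sample listing (hypothetical export format): pid,image,type,name
SAMPLE_HANDLES = """\
pid,image,type,name
612,winlogon.exe,Mutant,\\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_612SYNCMTX
1840,iexplore.exe,Mutant,\\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_1840SYNCMTX
1840,iexplore.exe,Mutant,\\BaseNamedObjects\\ZonesCacheCounterMutex
2204,services.exe,Event,\\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_2204SYNCMTX
3001,notepad.exe,Mutant,\\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_SYNCMTX
908,svchost.exe,Mutant,\\BaseNamedObjects\\th_pool_shd_pqoisng_612syncmtx
"""


def find_flame_mutexes(listing):
    """Return one record per mutant handle whose name matches the indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(listing)):
        if row["type"].lower() != "mutant":
            continue  # only mutex (mutant) objects are relevant to this indicator
        match = FLAME_MUTEX.search(row["name"])
        if not match:
            continue
        holder_pid = int(row["pid"])
        embedded_pid = int(match.group(2))
        hits.append({
            "pid": holder_pid,
            "image": row["image"],
            "mutex": match.group(1),
            "embedded_pid": embedded_pid,
            # False means the handle is held by a process other than the one
            # named in the mutex, which points at a second process to examine.
            "pid_matches": embedded_pid == holder_pid,
        })
    return hits


if __name__ == "__main__":
    for hit in find_flame_mutexes(SAMPLE_HANDLES):
        note = "" if hit["pid_matches"] else "  (holder differs from embedded PID)"
        print(f'{hit["pid"]:>5} {hit["image"]:<14} {hit["mutex"]}{note}')
```

Every process reported here is a candidate for the memory and forensic analysis recommended below, since the mutex marks a process that has been injected.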
Recommendation:
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup
should be removed by cleaning the system with updated antivirus software.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic
analysis and restore the computers using trusted media.
http://en.wikipedia.org/wiki/Flame_(malware)
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1195098
http://www.symantec.com/connect/blogs/flame-malware-exploits-microsofts-digital-certificate