The AlienVault Blogs: Taking On Today’s Threats
How old is Flame?

As most of you probably know, yesterday Crysys revealed a new threat called Skywiper, also known as Flame or Flamer. You can find the detailed analysis done by Crysys at http://www.crysys.hu/skywiper/skywiper.pdf. There are rumors that the threat has been out there for a couple of years. Based on our investigations, we have found clues pointing to different components related to Flame that have been around for nearly four years.

The main component of the threat published by Crysys is a file called mssecmgr.ocx (md5: bdc9e04388bda8527b398a8c34667e18). It is clear that the PE header timestamp has been changed: it points to 20/02/1992. But the PE file has some debug info entries that point to 31/08/2011.

The timestamp of the Export section also has the same value.
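As an added illustration (not part of the original post), the following Python script reads the three stamps this kind of triage compares: the COFF header TimeDateStamp, the export directory stamp and the debug directory stamp, and flags a file whose header date disagrees with the other two. Since the real sample is not included, it builds its own toy PE32 image with constructed values that mirror the dates above; build_sample_pe, pe_timestamps and timestamp_conflict are names chosen here.

```python
import struct
from datetime import datetime, timezone

def utc_stamp(y, m, d):  # calendar date -> epoch seconds, the unit PE TimeDateStamp fields use
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

def build_sample_pe(coff_ts, export_ts, debug_ts):
    """Constructed toy PE32 image (not a real sample): one section holding an export directory and one debug entry."""
    sec_rva, sec_raw = 0x1000, 0x200
    body = struct.pack("<II", 0, export_ts) + b"\0" * 32       # 40-byte IMAGE_EXPORT_DIRECTORY
    body += struct.pack("<II", 0, debug_ts) + b"\0" * 20       # 28-byte IMAGE_DEBUG_DIRECTORY entry
    dirs = struct.pack("<II", sec_rva, 40) + b"\0" * 40        # data dir 0 = export; dirs 1-5 empty
    dirs += struct.pack("<II", sec_rva + 40, 28) + b"\0" * 72  # data dir 6 = debug; dirs 7-15 empty
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + dirs         # PE32 optional header (224 bytes)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, coff_ts, 0, 0, len(opt), 0x2102)
    sec = b".rdata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew: PE signature at 0x40
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + body

def pe_timestamps(data):
    """Return the COFF header, export directory and debug directory TimeDateStamps of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, coff_ts, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+ data directory offset
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x outside all sections" % rva)
    exp_rva = struct.unpack_from("<I", data, dirs)[0]
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)
    out = {"coff": coff_ts, "export": None, "debug": []}
    if exp_rva:                                                # export directory stamp sits at offset 4
        out["export"] = struct.unpack_from("<I", data, off(exp_rva) + 4)[0]
    for i in range(dbg_size // 28):                            # each debug entry is 28 bytes, stamp at +4
        out["debug"].append(struct.unpack_from("<I", data, off(dbg_rva) + 28 * i + 4)[0])
    return out

def timestamp_conflict(ts, slack_days=30):
    """True when an export or debug stamp disagrees with the header stamp by more than slack_days."""
    others = ([ts["export"]] if ts["export"] else []) + ts["debug"]
    return any(abs(t - ts["coff"]) > slack_days * 86400 for t in others)

# Constructed sample mirroring the dates reported above: header says 20/02/1992, export and debug say 31/08/2011.
SAMPLE = build_sample_pe(utc_stamp(1992, 2, 20), utc_stamp(2011, 8, 31), utc_stamp(2011, 8, 31))
```

Run against a real file with `pe_timestamps(open(path, "rb").read())`; a large spread between the header stamp and the export or debug stamps is the signal this post is built on.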

The original main module exports the following functions: CPlApplet, DDEInit, DDEnumCallback, GetAuthMechanism, InprocServer, QueryValueEx, SetAuthMechanism, SetEnumStructure, ValueEnumCallback.

We have found another mssecmgr.ocx file (md5: ee4b589a7b5d56ada10d9a15f81dada9) that seems to be much older. It exports fewer functions than the newer mssecmgr.ocx: CPlApplet, DDEnumCallback, InprocServer, SetAuthMechanism, ValueEnumCallback. If we take a look at the PE headers, it seems that it was compiled at the end of 2008.

First seen by VirusTotal: 2009-07-29 08:45:52 UTC (2 years, 10 months ago) (3 years old).

If we explore the published advnetcfg.ocx file, the backdoor component (md5: bb5441af1e1741fca600e9c433cb1550), we see that the PE file timestamp has been modified, but we find some debug info that points to the beginning of 2011.

And the export section seems to indicate the same.

First seen by VirusTotal: 2011-05-15 04:31:30 UTC (1 year ago).

In the case of nteps32.ocx (md5: c9e00c9d94d1a790d5923b050b0bd741), the component in charge of performing screen captures and other spy-related routines, the dates match those of the advnetcfg.ocx component.

Based on the original analysis done by Crysys, there seems to be a routine called SUICIDE that removes all the files related to Flame, listed in its configuration as SUICIDE.RESIDUAL_FILES entries.

Based on this info, we could find some of the files that have been part of Flame in the past. We found a version of comspol32.ocx (md5: 20732c97ef66dd97389e219fc0182cb5) that was first seen on VirusTotal nearly two years ago: 2010-07-20 13:41:34 UTC (1 year, 10 months ago). The Export section headers indicate that it was compiled at the end of 2009.

The DLL exports the following functions: CreateDTIList, CreateRTAList, DisableRSG, DisableRSO, DisableRSOEx, DisableRTA, EnableRSG, EnableRSO, EnableRSOEx, EnableRSOExDefault, EnableRTA, FreeDTIData, GetDRI, GetDTI, ReadDTIData, RestoreDTIData, UpdateDTIList, WriteDTIData. At the time of uploading to VirusTotal it was only detected by Microsoft, as Trojan:Win32/Tosy.A.

Another discovered file is dsmgr.dll (md5: 2afaab2840e4ba6af0e5fa744cd8f41f), which exports the following functions: CreateDSPList, DisableDSP, EnableDSP. It was uploaded to VirusTotal more than three years ago (first seen by VirusTotal 2009-05-21 03:01:33 UTC, 3 years ago), and the Export section headers indicate it was compiled about the middle of 2008 (4 years ago).

At the time of upload to VirusTotal it was detected by five antivirus vendors with generic signatures (not very reliable).

The file indsvc32.dll (md5: 7a2eded2c5d8bd70e1036fb5f81c82d2) exports the following functions: QDInit, SetObjectDescriptor. It was first seen by VirusTotal on 2009-12-22 09:27:31 UTC (2 years, 5 months ago), and the Export headers point to the end of 2009.

It was detected by three antivirus vendors at the time of uploading to VirusTotal. Another version of indsvc32.dll (md5: 6f7325bb482885e8b85acddec685f7fa) was uploaded more or less at the same time as the other version (first seen by VirusTotal 2009-12-22 08:36:23 UTC, 2 years, 5 months ago), and its Export timestamps point more or less to the same time.

Based on this information we can state:

- We have found a version of the main component (mssecmgr.ocx) that seems to have been compiled at the end of 2008. This can indicate that Flame has been around for at least 4 years.

- Some of the components of Flame are detected by antivirus companies under other names. This can indicate that the authors are using older code/binaries, or that some of the components had already been discovered by antivirus companies.

- There must be other undiscovered modules with other features that security companies will detect in the upcoming days.

We will continue analyzing Flame and trying to present more clues about the capabilities of Flame and who is behind it.

Posted in: Attacks, Malware, APT

Tags: skywiper, flame, flamer
