Flamer Indicators Of Compromise (OpenIOC)

June 4, 2012 | Jaime Blasco

Since CrySyS Lab and Kaspersky disclosed the existence of a new malware called Flamer, everyone has been analyzing and discovering new information about its behavior.

We will try to summarize some of the Indicators Of Compromise (IOCs) that we can use to detect the presence of the Flamer framework using OpenIOC. Created by Mandiant, OpenIOC is an extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.

Its schema is flexible enough to describe every component of an attack or compromise. We will try to include most of the indicators which will detect the presence of Flamer. Note that OpenIOC is new for me so if someone wants to comment and add value to the IOC feel free to do it.

Mandiant released a graphical tool called IOC Editor that allows creating and editing IOCs. I often use that tool and some Python scripting when working with large IOCs.

We will first include some IOCs describing the registry changes that Flame performs on a compromised machine. These include the addition of the DLL mssecmgr.ocx to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages, which Flamer uses to maintain persistence. The other registry modifications are related to the audio driver.

Then we can easily include the different mutexes created by the Flamer components during execution (I updated my list with some information published by FireEye).

The next step is including the list of files belonging to Flame and its components:

And the associated domains:


Let's add the export functions of some of the modules used by the framework:
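The indicator families listed above (registry, files, mutexes, domains, exports) all end up as IndicatorItem elements nested under AND/OR Indicator nodes in one OpenIOC document. The following is an added example, not code from the original post or from Mandiant: it builds a minimal OpenIOC 1.0 document with Python's standard library and then evaluates the same logic tree against constructed host observations, which is what a tool like IOC Finder does against its collected audit bundle. The mssecmgr.ocx file name and the Lsa\Authentication Packages path come from the post; the mutex, domain and export values are placeholders, and the Context search terms follow the Mandiant OpenIOC 1.0 vocabulary as I know it.

```python
"""Build a small OpenIOC 1.0 document and evaluate it against host data.

Added example. The registry path and the file name mssecmgr.ocx are the
indicators named in the post; every other indicator value below is a
constructed placeholder, not a real Flamer artefact.
"""
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)

LSA_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages"


def q(tag):
    """Namespace-qualify an element name for ElementTree."""
    return "{%s}%s" % (NS, tag)


def indicator_item(parent, document, search, value, condition="is"):
    """Append one IndicatorItem (a single observable test) under an Indicator."""
    item = ET.SubElement(parent, q("IndicatorItem"),
                         id=str(uuid.uuid4()), condition=condition)
    ET.SubElement(item, q("Context"), document=document, search=search, type="mir")
    ET.SubElement(item, q("Content"), type="string").text = value
    return item


def build_flamer_ioc():
    """Return the IOC as an XML string.

    The top-level Indicator is OR: any one family of evidence flags the host.
    The registry branch is AND: both the key path and the value text must match,
    so a clean machine with the (always present) Lsa key does not fire.
    """
    ioc = ET.Element(q("ioc"), id=str(uuid.uuid4()),
                     **{"last-modified": "2012-06-04T00:00:00"})
    ET.SubElement(ioc, q("short_description")).text = "Flamer (example)"
    ET.SubElement(ioc, q("description")).text = "Registry, file, mutex, domain and export indicators."
    ET.SubElement(ioc, q("authored_date")).text = "2012-06-04T00:00:00"
    ET.SubElement(ioc, q("links"))
    definition = ET.SubElement(ioc, q("definition"))
    root = ET.SubElement(definition, q("Indicator"), operator="OR", id=str(uuid.uuid4()))

    reg = ET.SubElement(root, q("Indicator"), operator="AND", id=str(uuid.uuid4()))
    indicator_item(reg, "RegistryItem", "RegistryItem/Path", LSA_PATH)
    # Authentication Packages is a multi-string value; the DLL is added as one entry.
    indicator_item(reg, "RegistryItem", "RegistryItem/Text", "mssecmgr.ocx", condition="contains")

    indicator_item(root, "FileItem", "FileItem/FileName", "mssecmgr.ocx")
    # Placeholder values: constructed for this example, not real Flamer indicators.
    indicator_item(root, "ProcessItem", "ProcessItem/HandleList/Handle/Name", "PLACEHOLDER_MUTEX_NAME")
    indicator_item(root, "DnsEntryItem", "DnsEntryItem/Host", "placeholder.example")
    indicator_item(root, "FileItem", "FileItem/PEInfo/Exports/ExportedFunctions/string", "PlaceholderExport")
    return ET.tostring(ioc, encoding="unicode")


# String conditions are compared case-insensitively, as Windows paths and names are.
CONDITIONS = {
    "is": lambda observed, value: observed.lower() == value.lower(),
    "contains": lambda observed, value: value.lower() in observed.lower(),
}


def evaluate(node, host):
    """Recursively evaluate an Indicator tree.

    `host` maps a Context search term to the list of values observed on the
    machine. Returns (matched, [search terms that contributed to the match]).
    """
    if node.tag == q("IndicatorItem"):
        search = node.find(q("Context")).get("search")
        value = node.find(q("Content")).text
        cond = CONDITIONS[node.get("condition")]
        hit = any(cond(observed, value) for observed in host.get(search, []))
        return hit, [search] if hit else []
    results = [evaluate(child, host) for child in node
               if child.tag in (q("Indicator"), q("IndicatorItem"))]
    flags = [matched for matched, _ in results]
    matched = all(flags) if node.get("operator") == "AND" else any(flags)
    hits = [s for _, terms in results for s in terms] if matched else []
    return matched, hits


def scan(ioc_xml, host):
    """Parse an OpenIOC document and evaluate its top-level Indicator against host data."""
    top = ET.fromstring(ioc_xml).find(q("definition")).find(q("Indicator"))
    return evaluate(top, host)


# Constructed sample observations standing in for a collected audit bundle.
INFECTED_HOST = {
    "RegistryItem/Path": [LSA_PATH],
    "RegistryItem/Text": ["msv1_0 mssecmgr.ocx"],
    "FileItem/FileName": ["kernel32.dll", "mssecmgr.ocx"],
}
CLEAN_HOST = {
    "RegistryItem/Path": [LSA_PATH],
    "RegistryItem/Text": ["msv1_0"],
    "FileItem/FileName": ["kernel32.dll"],
}

if __name__ == "__main__":
    ioc_xml = build_flamer_ioc()
    print(ioc_xml)
    print("infected:", scan(ioc_xml, INFECTED_HOST))
    print("clean:", scan(ioc_xml, CLEAN_HOST))
```

The AND branch around the registry indicator is the part worth copying: the Lsa key exists on every Windows host, so matching on the path alone would flag everything, and only the combination of path plus the added DLL name in the value text is evidence.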

You can download the file containing all the IOCs here http://alienvault-labs-garage.googlecode.com/files/af2e8c80-13db-4a57-99ac-460ccd192333.ioc [no longer available].

To look for the IOCs we just wrote, you can use Mandiant's IOC Finder tool. First you have to collect the information required to perform the checks:

C:\>mandiant_ioc_finder.exe collect -o e:\flamer\iocs\ -d c:
06-04-2012 14:32:27 Setting up dependencies…
06-04-2012 14:32:27 Starting collection…
06-04-2012 14:32:27 Running built-in collection script at ./lib/script.xml…
06-04-2012 14:32:27 Auditing (w32system) started at 06-04-2012 14:32:27
06-04-2012 14:32:27 Auditing (w32system) finished. (Took 0.11 seconds)
06-04-2012 14:32:27 Auditing (w32disks) started at 06-04-2012 14:32:27
....

And then look for the IOCs:

C:\>mandiant_ioc_finder.exe report -s e:\flamer\iocs\ -i c:\iocs\ -t doc -w verbose
06-04-2012 23:08:12 Loading *.ioc from=c:\iocs\
06-04-2012 23:08:12 1 iocs were loaded.
06-04-2012 23:08:13 No Word Doc XML output path selected. Using report_20120604210812.doc.xml.
06-04-2012 23:08:13 Beginning search of audit bundle at path=e:\flamer\iocs\XXXXX\20120604180114 (1 of 1). Total size=708.88 MB.

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.