How old is Flame?

May 30, 2012 | Jaime Blasco


As all of you probably know, yesterday Crysys revealed a new threat called Skywiper, also known as Flame or Flamer. You can find a detailed analysis done by Crysys at
There are rumors that the threat has been out there for a couple of years. Based on our investigations, we have found clues pointing to different components related to Flame that have been around for nearly four years. The main component of the threat published by Crysys is a file called mssecmgr.ocx (md5: bdc9e04388bda8527b398a8c34667e18). It is clear that the PE file timestamp has been changed: it points to 20/02/1992. But the PE file has some debug info entries that point to 31/08/2011.

The timestamp of the Export section also has the same value:

The original main module exports the following functions: CPlApplet, DDEInit, DDEnumCallback, GetAuthMechanism, InprocServer, QueryValueEx, SetAuthMechanism, SetEnumStructure, ValueEnumCallback

We have found another mssecmgr.ocx file (md5: ee4b589a7b5d56ada10d9a15f81dada9) that seems to be much older. It exports fewer functions than the newer mssecmgr.ocx: CPlApplet, DDEnumCallback, InprocServer, SetAuthMechanism, ValueEnumCallback

If we take a look at the PE headers, it seems that it was compiled at the end of 2008:

First seen by VirusTotal 2009-07-29 08:45:52 UTC ( 2 years, 10 months ago ) (3 years old)

If we explore the published advnetcfg.ocx file, which is the backdoor component (md5: bb5441af1e1741fca600e9c433cb1550), we see that the PE file timestamp has been modified, but we find some debug info that points to the beginning of 2011:

And the export section seems to indicate the same:

First seen by VirusTotal 2011-05-15 04:31:30 UTC ( 1 year ago )

In the case of nteps32.ocx (md5: c9e00c9d94d1a790d5923b050b0bd741), the component in charge of performing screen captures and other spy-related routines, the dates match those of the advnetcfg.ocx component:
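
The dating technique used above (comparing the easily edited COFF header timestamp against the export directory and debug directory timestamps the linker writes) can be scripted. The following is an added example written for this post, not AlienVault's tooling: a standard-library-only PE parser that reads the three stamps and the export names and flags a header stamp that disagrees with the linker stamps. The PE image it inspects is constructed in the script as a stand-in that reproduces the 1992 header / 2011 debug-info mismatch described above, with the export names of the older mssecmgr.ocx; it is not a Flame sample, and the slack of 365 days is an arbitrary threshold.

```python
"""Cross-check the three timestamps a PE file carries, the way the post does
by hand: the COFF header TimeDateStamp (trivially edited), the export
directory TimeDateStamp and the debug directory TimeDateStamp (both written
by the linker and usually left alone). Added example, stdlib only; the sample
image at the bottom is constructed here, not a Flame binary."""
import struct
from datetime import datetime, timezone

EXPORT_DIR, DEBUG_DIR = 0, 6  # IMAGE_DIRECTORY_ENTRY_EXPORT / _DEBUG


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def pe_timestamps(data):
    """Return {'coff', 'export', 'debug', 'exports'}; a missing directory is None."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect, coff_ts, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    def directory(idx):
        return struct.unpack_from("<II", data, dd + 8 * idx)  # (rva, size)

    export_ts, names = None, []
    rva, _ = directory(EXPORT_DIR)
    if rva:
        off = _rva_to_offset(sections, rva)
        export_ts = struct.unpack_from("<I", data, off + 4)[0]  # TimeDateStamp
        n_names = struct.unpack_from("<I", data, off + 24)[0]  # NumberOfNames
        tbl = _rva_to_offset(sections, struct.unpack_from("<I", data, off + 32)[0])
        for i in range(n_names):
            s = _rva_to_offset(sections, struct.unpack_from("<I", data, tbl + 4 * i)[0])
            names.append(data[s:data.index(b"\0", s)].decode("ascii", "replace"))
    debug_ts = None
    rva, _ = directory(DEBUG_DIR)
    if rva:  # first IMAGE_DEBUG_DIRECTORY entry, TimeDateStamp at +4
        debug_ts = struct.unpack_from("<I", data, _rva_to_offset(sections, rva) + 4)[0]
    return {"coff": coff_ts, "export": export_ts, "debug": debug_ts, "exports": names}


def header_looks_forged(ts, slack_days=365):
    """True when the COFF stamp disagrees with any linker-written stamp by more
    than slack_days; a genuine build has all three within minutes of each other."""
    others = [t for t in (ts["export"], ts["debug"]) if t]
    return any(abs(ts["coff"] - t) > slack_days * 86400 for t in others)


def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_pe(coff_ts, export_ts, debug_ts, exports):
    """Constructed minimal PE32: one .rdata section holding an export directory
    and one debug directory entry. Layout and stamps are made up for the demo."""
    sect_va, sect_off, n = 0x1000, 0x200, len(exports)
    body = bytearray(0x200)
    # IMAGE_EXPORT_DIRECTORY; only TimeDateStamp, NumberOfNames, AddressOfNames matter here
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, export_ts, 0, 0, 0, 1, n, n, 0, sect_va + 0x40, 0)
    pos = 0x80
    for i, name in enumerate(exports):
        struct.pack_into("<I", body, 0x40 + 4 * i, sect_va + pos)  # AddressOfNames[i]
        body[pos:pos + len(name) + 1] = name.encode() + b"\0"
        pos += len(name) + 1
    # IMAGE_DEBUG_DIRECTORY, Type 2 = CODEVIEW
    struct.pack_into("<IIHHIIII", body, 0x180, 0, debug_ts, 0, 0, 2, 0, 0, 0)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, coff_ts, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * EXPORT_DIR, sect_va, 40)
    struct.pack_into("<II", opt, 96 + 8 * DEBUG_DIR, sect_va + 0x180, 28)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, sect_va, 0x200, sect_off, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sect_off, b"\0") + bytes(body)


STAMP_1992 = int(datetime(1992, 2, 20, tzinfo=timezone.utc).timestamp())
STAMP_2011 = int(datetime(2011, 8, 31, tzinfo=timezone.utc).timestamp())
OLD_EXPORTS = ["CPlApplet", "DDEnumCallback", "InprocServer", "SetAuthMechanism", "ValueEnumCallback"]
SAMPLE = build_sample_pe(STAMP_1992, STAMP_2011, STAMP_2011, OLD_EXPORTS)

if __name__ == "__main__":
    info = pe_timestamps(SAMPLE)
    for key in ("coff", "export", "debug"):
        print("%-7s %s" % (key, utc(info[key])))
    print("exports:", ", ".join(info["exports"]))
    print("header timestamp forged?", header_looks_forged(info))
```

Run against a real file, `pe_timestamps(open(path, "rb").read())` gives the same three numbers the post reads off the headers; only the first debug entry is read, and an export directory whose name table is absent is reported with an empty export list.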

Based on the original analysis done by Crysys, there seems to be a routine called SUICIDE that removes all the files related to Flame:

SUICIDE.RESIDUAL_FILES.A [NoValue]->%temp%\~a28.tmp

SUICIDE.RESIDUAL_FILES.B [NoValue]->%temp%\~DFL542.tmp

SUICIDE.RESIDUAL_FILES.C [NoValue]->%temp%\~DFL543.tmp

SUICIDE.RESIDUAL_FILES.D [NoValue]->%temp%\~DFL544.tmp

SUICIDE.RESIDUAL_FILES.E [NoValue]->%temp%\~DFL545.tmp

SUICIDE.RESIDUAL_FILES.F [NoValue]->%temp%\~DFL546.tmp

SUICIDE.RESIDUAL_FILES.G [NoValue]->%temp%\~dra51.tmp

SUICIDE.RESIDUAL_FILES.H [NoValue]->%temp%\~dra52.tmp

SUICIDE.RESIDUAL_FILES.I [NoValue]->%temp%\~fghz.tmp

SUICIDE.RESIDUAL_FILES.J [NoValue]->%temp%\~rei524.tmp

SUICIDE.RESIDUAL_FILES.K [NoValue]->%temp%\~rei525.tmp

SUICIDE.RESIDUAL_FILES.L [NoValue]->%temp%\~TFL848.tmp

SUICIDE.RESIDUAL_FILES.M [NoValue]->%temp%\~TFL842.tmp

SUICIDE.RESIDUAL_FILES.O [NoValue]->%temp%\GRb2M2.bat

SUICIDE.RESIDUAL_FILES.P [NoValue]->%temp%\indsvc32.ocx

SUICIDE.RESIDUAL_FILES.Q [NoValue]->%temp%\scaud32.exe

SUICIDE.RESIDUAL_FILES.R [NoValue]->%temp%\scsec32.exe

SUICIDE.RESIDUAL_FILES.S [NoValue]->%temp%\sdclt32.exe

SUICIDE.RESIDUAL_FILES.T [NoValue]->%temp%\sstab.dat

SUICIDE.RESIDUAL_FILES.U [NoValue]->%temp%\sstab15.dat

SUICIDE.RESIDUAL_FILES.V [NoValue]->%temp%\winrt32.dll

SUICIDE.RESIDUAL_FILES.W [NoValue]->%temp%\winrt32.ocx

SUICIDE.RESIDUAL_FILES.X [NoValue]->%temp%\wpab32.bat

SUICIDE.RESIDUAL_FILES.T [NoValue]->%windir%\system32\commgr32.dll

SUICIDE.RESIDUAL_FILES.A1 [NoValue]->%windir%\system32\comspol32.dll

SUICIDE.RESIDUAL_FILES.A2 [NoValue]->%windir%\system32\comspol32.ocx

SUICIDE.RESIDUAL_FILES.A3 [NoValue]->%windir%\system32\indsvc32.dll

SUICIDE.RESIDUAL_FILES.A4 [NoValue]->%windir%\system32\indsvc32.ocx

SUICIDE.RESIDUAL_FILES.A5 [NoValue]->%windir%\system32\

SUICIDE.RESIDUAL_FILES.A6 [NoValue]->%windir%\system32\mssui.drv

SUICIDE.RESIDUAL_FILES.A7 [NoValue]->%windir%\system32\scaud32.exe

SUICIDE.RESIDUAL_FILES.A8 [NoValue]->%windir%\system32\sdclt32.exe

SUICIDE.RESIDUAL_FILES.A2 [NoValue]->%windir%\system32\watchxb.sys

SUICIDE.RESIDUAL_FILES.A10 [NoValue]->%windir%\system32\winconf32.ocx

SUICIDE.RESIDUAL_FILES.A11 [NoValue]->%windir%\system32\mssvc32.ocx

SUICIDE.RESIDUAL_FILES.A18 [NoValue]->%windir%\system32\sstab0.dat

SUICIDE.RESIDUAL_FILES.A12 [NoValue]->%windir%\system32\sstab1.dat

SUICIDE.RESIDUAL_FILES.A20 [NoValue]->%windir%\system32\sstab2.dat

SUICIDE.RESIDUAL_FILES.A21 [NoValue]->%windir%\system32\sstab3.dat

SUICIDE.RESIDUAL_FILES.A22 [NoValue]->%windir%\system32\sstab4.dat

SUICIDE.RESIDUAL_FILES.A23 [NoValue]->%windir%\system32\sstab5.dat

SUICIDE.RESIDUAL_FILES.A24 [NoValue]->%windir%\system32\sstab6.dat

SUICIDE.RESIDUAL_FILES.A25 [NoValue]->%windir%\system32\sstab7.dat

SUICIDE.RESIDUAL_FILES.A26 [NoValue]->%windir%\system32\sstab8.dat

SUICIDE.RESIDUAL_FILES.A27 [NoValue]->%windir%\system32\sstab2.dat

SUICIDE.RESIDUAL_FILES.A28 [NoValue]->%windir%\system32\sstab10.dat

SUICIDE.RESIDUAL_FILES.A22 [NoValue]->%windir%\system32\sstab.dat

SUICIDE.RESIDUAL_FILES.B1 [NoValue]->%temp%\~HLV751.tmp

SUICIDE.RESIDUAL_FILES.B2 [NoValue]->%temp%\~KWI288.tmp

SUICIDE.RESIDUAL_FILES.B3 [NoValue]->%temp%\~KWI282.tmp

SUICIDE.RESIDUAL_FILES.B4 [NoValue]->%temp%\~HLV084.tmp

SUICIDE.RESIDUAL_FILES.B5 [NoValue]->%temp%\~HLV224.tmp

SUICIDE.RESIDUAL_FILES.B6 [NoValue]->%temp%\~HLV227.tmp

SUICIDE.RESIDUAL_FILES.B7 [NoValue]->%temp%\~HLV473.tmp

SUICIDE.RESIDUAL_FILES.B8 [NoValue]->%windir%\system32\nteps32.ocx

SUICIDE.RESIDUAL_FILES.B2 [NoValue]->%windir%\system32\advnetcfg.ocx

SUICIDE.RESIDUAL_FILES.B10 [NoValue]->%windir%\system32\ccalc32.sys

SUICIDE.RESIDUAL_FILES.B11 [NoValue]->%windir%\system32\boot32drv.sys

SUICIDE.RESIDUAL_FILES.B12 [NoValue]->%windir%\system32\rpcnc.dat

SUICIDE.RESIDUAL_FILES.B13 [NoValue]->%windir%\system32\soapr32.ocx

SUICIDE.RESIDUAL_FILES.B14 [NoValue]->%windir%\system32\ntaps.dat

SUICIDE.RESIDUAL_FILES.B15 [NoValue]->%windir%\system32\advpck.dat

SUICIDE.RESIDUAL_FILES.B16 [NoValue]->%temp%\~rf288.tmp

SUICIDE.RESIDUAL_FILES.B17 [NoValue]->%temp%\~dra53.tmp

SUICIDE.RESIDUAL_FILES.B18 [NoValue]->%systemroot%\system32\msglu32.ocx
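
For a defender, the cleanup list above doubles as a checklist of what to look for on a suspect host. The script below is an added example (my own, not part of the original post or of the Crysys analysis): it parses entries in the `KEY [NoValue]->path` form, expands the %temp%, %windir% and %systemroot% variables, drops the A5 entry that is truncated to a bare directory, de-duplicates by path rather than by key (the keys T, A2, A22 and B2 each appear twice in the quoted config), and reports which of the files exist. The embedded entries are an excerpt constructed from the list above, and the `env` and `exists` parameters are injectable so the logic can be exercised off a Windows box.

```python
"""Treat the SUICIDE.RESIDUAL_FILES list as a host triage checklist: parse the
'KEY [NoValue]->path' lines, expand %temp%/%windir%/%systemroot%, and report
which paths exist. Added example; the entries below are an excerpt constructed
from the list quoted in the post, not the full config."""
import os
import re

ENTRY_RE = re.compile(r"^SUICIDE\.RESIDUAL_FILES\.(\w+)\s+\[NoValue\]->(.+?)\s*$")
VAR_RE = re.compile(r"%([A-Za-z_]+)%")

# Constructed excerpt of the quoted config: includes a duplicated key (T),
# a truncated entry (A5) and a %systemroot% entry.
SAMPLE_ENTRIES = r"""
SUICIDE.RESIDUAL_FILES.A [NoValue]->%temp%\~a28.tmp
SUICIDE.RESIDUAL_FILES.T [NoValue]->%temp%\sstab.dat
SUICIDE.RESIDUAL_FILES.T [NoValue]->%windir%\system32\commgr32.dll
SUICIDE.RESIDUAL_FILES.A5 [NoValue]->%windir%\system32\
SUICIDE.RESIDUAL_FILES.B8 [NoValue]->%windir%\system32\nteps32.ocx
SUICIDE.RESIDUAL_FILES.B2 [NoValue]->%windir%\system32\advnetcfg.ocx
SUICIDE.RESIDUAL_FILES.B18 [NoValue]->%systemroot%\system32\msglu32.ocx
SUICIDE.RESIDUAL_FILES.A22 [NoValue]->%windir%\system32\sstab.dat
"""


def parse_residual_files(text):
    """Ordered list of (key, raw_path). Skips lines that do not match, entries
    truncated to a bare directory and repeated paths; keys are not unique in
    the config, so de-duplication is by (case-folded) path."""
    seen, out = set(), []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, path = m.groups()
        if path.endswith("\\") or path.lower() in seen:
            continue
        seen.add(path.lower())
        out.append((key, path))
    return out


def expand(path, env):
    """Expand %var% references case-insensitively (Windows environment names
    are); an unknown variable raises rather than yielding a wrong path."""
    lookup = {k.lower(): v for k, v in env.items()}
    return VAR_RE.sub(lambda m: lookup[m.group(1).lower()], path)


def sweep(text, env=None, exists=os.path.exists):
    """Expanded paths from text that exist on this host. env defaults to the
    process environment; exists defaults to os.path.exists."""
    env = dict(os.environ) if env is None else env
    paths = (expand(raw, env) for _, raw in parse_residual_files(text))
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    for hit in sweep(SAMPLE_ENTRIES):
        print("present:", hit)
```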

Based on this information, we could find some of the files that have been part of Flame in the past. We found a version of comspol32.ocx (md5: 20732c97ef66dd97389e219fc0182cb5) that was first seen on VirusTotal nearly two years ago: 2010-07-20 13:41:34 UTC ( 1 year, 10 months ago ). The export section headers indicate that it was compiled at the end of 2009:

The dll exports the following functions: CreateDTIList, CreateRTAList, DisableRSG, DisableRSO, DisableRSOEx, DisableRTA, EnableRSG, EnableRSO, EnableRSOEx, EnableRSOExDefault, EnableRTA, FreeDTIData, GetDRI, GetDTI, ReadDTIData, RestoreDTIData, UpdateDTIList, WriteDTIData

At the time of uploading to VirusTotal it was only detected by Microsoft as Trojan:Win32/Tosy.A.

Another discovered file is dsmgr.dll (md5: 2afaab2840e4ba6af0e5fa744cd8f41f), which exports the following functions: CreateDSPList, DisableDSP, EnableDSP

It was uploaded to VirusTotal more than three years ago: First seen by VirusTotal 2009-05-21 03:01:33 UTC ( 3 years ago ). And the export section headers indicate it was compiled around the middle of 2008 (4 years ago):

At the time of upload to VirusTotal it was detected by five antivirus vendors with generic signatures (not very reliable). The file indsvc32.dll (md5: 7a2eded2c5d8bd70e1036fb5f81c82d2) exports the following functions: QDInit, SetObjectDescriptor

It was first uploaded on: First seen by VirusTotal 2009-12-22 09:27:31 UTC ( 2 years, 5 months ago ). And the export headers point to the end of 2009:

It was detected by three antivirus vendors at the time of uploading to VirusTotal. Another version of indsvc32.dll (md5: 6f7325bb482885e8b85acddec685f7fa) was uploaded at more or less the same time as the other version: First seen by VirusTotal 2009-12-22 08:36:23 UTC ( 2 years, 5 months ago ). And the export timestamps point to more or less the same time:

Based on this information we can state:

- We have found a version of the main component (mssecmgr.ocx) that seems to have been compiled at the end of 2008. This may indicate that Flame has been around for at least 4 years.

- Some of the components of Flame are detected by antivirus companies under other names. This may indicate that the authors are reusing older code/binaries, or that some of the components had already been discovered by antivirus companies.

- There must be other undiscovered modules with other features that security companies will detect in the upcoming days.

We will continue analyzing Flame and try to present more clues on its capabilities and on who is behind it.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.