There has been quite a bit of analysis and speculation about the Flamer/SkyWiper threat. As we started to analyze this threat we instantly knew from the very beginning that this is going to be a giant undertaking and potentially very long term. We wanted to pause to help the people we protect visualize the kind of task at hand when dealing with the level of complexity and encryption that this threat presents.
Here are some quick facts about this threat: The main module has been decompiled to ~650,000 lines of C code.
Yes, you read that number right.
All indications are that this is not all the code in the malware and that it possibly extends to a good ~750.000 lines of C code. It is fair to say that we are looking at long term analysis to determine the “full” set of functionality and features..
Here is a diagram that illustrates the relationships of the code up to this point of analysis:
(Note: If you see, a Twister hovering, your eyes are not deceiving you! This threat has some complex relationships.)
There is a LOT of code to this threat, and IDA (a pro disassembler and decompiler we use) does a decent job of keeping up, and helped us create the graph above. And this is not all the code but simply the main module! This module alone has about 4400+ calls to string deobfuscator routines. Essentially, when the code has an interesting string such as “flame::beetlejuice::BeetleJuiceDataCollector”, or “flame::gator::GatorCmdFetcher” it encapsulates the information in a sealed function. This adds extra “Fat” to the already monstrous code, and makes it a lot more challenging to read. Not that it wasn’t big enough already!
The extraordinary amount of obfuscation of the code ensures that the functionality of the executables is not only hard to understand but also helps reduce the risk that one could capture the code and easily utilize it for their own needs.
The code carries all the library code it needs: SSH, ZLib routines, Webserver code, etc. At this point, there are over two dozen encryption functions such as Blowfish routines, MD5/MD4 and others.
Skywiper seems to focus on to accessing information, certainly meaningful to professional surveillance needs and operations. Some of these functions include::
– It has low level disk access parsing, for file system parsing and access.
– It supports ZIP file parsing.
– It supports parsing multiple documents formats such as PDF, Microsoft World, and other office formats.
– It is interested in notes and searches even hidden places within the OS.
– It is also curious of what is on the targets desktop.
– It has functionality to remotely spread itself within a domain.
– The malware is also very careful to get this information back to the C&C: It does this by silently firing up extra instances of Explorer, and injects code into them. This way it can be part of a “trusted” process on the machine allowing it to circumvent personal firewalls.
– But interestingly and maybe most importantly it is also interested in mobile devices. This is what the “Beetlejuice” module does. This “ghost in the machine” discovers Bluetooth devices, and shows interest in the target’s “social network”, by looking for contacts. It also does this locally, as device information can be found in files, or on the host when the information is synched to it. As of this analysis, it targets Sony and Nokia device contacts. And certainly there could be more here than quickly meets the eye!
Other routines and calls include:
FLAME – Handles Autorun Infection routines
WEASEL – Handles disk parsing routines
JIMMY – File parsing support
TELEMETRY – C&C Reporting and handling
SUICIDE – Self-termination routine
EUPHORIA – Various exploit modules
BEETLEJUICE – Interface and control for Bluetooth devices
BUNNY – research continues..
PLATYPUS – research continues..
CLAN – Lua Module – possibly related to remote target exploits
FROG – Password-stealer module
CRUISE – Handles NT Domain parsing routines
DRILLER – research continues..
AUDITION – Process termination – AV/Security product processes
GATOR – Handles C&C communication
LIMBO – research continues..
MICROBE – Microphone/Audio capture and recording
SNACK – research continues..
MUNCH – Handles Network related tasks, appears to be sniffing
VIPER – Screenshot module
HEADACHE – research continues..
That is a long list, and there is still more to come. Certainly, Skywiper had a significant development put into it. We still need to dig into these modules some more, but one thing is sure, this analysis will be long term.
In the early 90s virus analysis became a “100 meter tournament”, as we jokingly used to call it. Meaning: looking at “assembly printouts” of the actual code took about 100 meters of printer paper. In the case of Flamer/SkyWiper, this would be a mile long walk!
This will keep us in shape for some time.
Leave a reply