The Latest in IT Security

Skywiper – Fanning the “flames” of cyber warfare

29
May
2012

A few weeks ago, Iran reported intensified cyber attacks on its energy sector, which they observed as a direct continuation of the Stuxnet and Duqu attacks.

Over the weekend, the IR Cert (Iran’s emergency response team) published a new report, which describes this attack as “Flame” and/or “Flamer”. Some other news agencies also reported the attack as “Viper. The complex functionality of the malware is controlled over Command and Control (C&C) servers, from which there are possibly dozens. The malware is also capable of slowly spreading over USB drives.

CrySys Lab, a Hungarian security team, noticed that a complex threat that they were already analyzing for weeks was clearly the same threat as “Flamer”. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done, to analyze the full details of this malware as it has some extraordinary complexity.

Previously, other cyber threats such as Stuxnet and Duqu both required months of analysis and this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smaller encrypted module is over 70000 lines of C decompiled code, which contains over 170 encrypted “strings”!

Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.

We found publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example: March 2010). Skywiper appears to be more wildly spread than Duqu, with similarly large numbers of variants.

Skywiper is a modular, extendable and updateable threat. It is capable, but not limited to the following key espionage functions:

– Scanning network resources
– Stealing information as specified
– Communicate to C&C Servers over SSH and HTTPS protocols
– Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc)
– Both kernel and user mode logic is used
– Complex internal functionality utilizing Windows APC calls and and threads start manipulation, and code injections to key processes
– It loads as part of Winlogon.exe then injects to Explorer and Services
– Conceals its present as ~ named temp files, just like Stuxnet and Duqu
– Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
– Creates screen captures
– Records voice conversations
– Runs on Windows XP, Windows Vista and Windows 7 systems
– Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
– Uses SQLite Database to store collected information
– Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
– Often located on nearby systems: a local network for both C&C and target infection cases
– Utilizes PE encrypted resources

To summarize, the threat shows great similarity to Stuxnet and Duqu in some of its ways of operation yet its code base and implementation are very different, and much more complex, and robust in its basic structure.

Skywiper’s main executable files

Windows\System32\mssecmgr.ocx – Main module
Windows\System32\msglu32.ocx
Windows\System32\nteps32.ocx
Windows\System32\advnetcfg.ocx
Windows\System32\soapr32.ocx

Misleading Program Information Blocks

According to its program information block, the main module pretends to be written by Microsoft Corporation. It is claimed to be a “Windows Authentication Client” for Microsoft Windows Version 5.1 (2600 Build). Several other modules also claim to be Microsoft Windows components. However, non of the files analyzed so far are signed with a valid (or even possibly stolen) key, as it was the case with Duqu and Stuxnet.

Further key file names of the threat can include

~dra52.tmp
target.lnk
zff042
urpd.ocx
ccalc32.sys
boot32drv.sys
Pcldrvx.ocx
~KWI
guninst32
~HLV
~DEB93D.tmp
~DEB83C.tmp
~dra53.tmp
cmutlcfg.ocx
~DFL983.tmp
~DF05AC8.tmp
~DFD85D3.tmp
~a29.tmp
dsmgr.ocx
~f28.tmp
~dra51k.tmp
~d43a37b.tmp
~dfc855.tmp
Ef_trace.log
contents.btr
wrm3f0
scrcons.exe
wmiprvse.exe
wlndh32
mprhlp
kbdinai
~ZLM0D1.ocx
~ZLM0D2.ocx
sstab
~rcf0
~rcj0

Mutex usage

The threat files also utilize the TH_POOL_SHD_PQOISNG_#PID#SYNCMTX Mutex name to identify already infected systems, a common technique in modern malware. The #PID# is the process ID of the process in which the injection of the threat occurred.

I change my name. I change my extension.

The threat files can change both filename and extensions, according to specific C&C requests, and configuration usage. In some cases, Skywiper detects specific Antivirus software, it might then change the extension of the executable files (DLL-s) from OCX, to TMP for example. However, this functionality has not always observed on affected systems, especially if the threat has been installed prior to the security product in question.

SkyWiper’s main module is over 6MB-s in size, while the completely deployed set is close to 20MB-s. Yes, this is a lot of code for malware but this is necessary to carry the complex libraries such as Zlib, LUA interpreter, SQLite support, Custom DB support code, and so on.

Encryption includes simple obfuscation like XOR with a byte value. The XOR key, 0xAE has been utilized at least in some other cases showing some potential relationship to Duqu and Stuxnet as they also utilized this value. However, Stuxnet and Duqu always used other values in conjunction with this byte which included dates of possible meaning.

Other than the above, SkyWiper does not show direct relationship in its code to Stuxnet or Duqu at this point. It uses a similar yet more complex structure, which in many ways reminds researchers of these attacks. In some ways it could be a parallel project as the early date may suggest. The attack files showed recent development in January and August 2011, according to some of the left over date values in files. The dates in the file headers have been purposefully changed (claiming to be from 1994, etc), but export table date values and dates elsewhere in the files indicate a 2011 time frame.

The main module of Skywiper starts via the registry, over an exported function:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages
– mssecmgr.ocx

Initial infections from our network telespcopes shown on the map below:

Generally, attackers try to conceal their presence by infecting locations unrelated to the main targets, possibly to further conceal their identity, and then use these locations as C&C servers. Continuing research will certainly need to take this into consideration.

McAfee Anti Virus products will detect and clean the threat as W32/SkyWiper from infected systems. Our intital data indicates, that there are multiple variants of this threat in the field.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments