New Flamer Worm seen in targeted attacks (May 29, 2012)


Dell SonicWALL Threats Research team received reports of a new sophisticated worm employed in targeted attacks in the Middle East. The worm, dubbed Flamer/SkyWiper, was found to contain multiple modules and has the ability to steal user information and propagate further.

The components of the worm were found to be written in Visual C++ (.OCX files) and the Lua scripting language, and it uses SQLite to store information. The combined size of the Flamer modules is approximately 17MB, which shows that a significant amount of code and features was implemented as part of the worm. The main module of the worm, "mssecmgr.ocx", contains the following exported functions:

[Screenshot omitted: exported functions of mssecmgr.ocx]

When activated via the export function "DDEnumCallback", the worm performs the following activities:

  • It injects code into services.exe, winlogon.exe and iexplorer.exe
  • It creates the following files:
    • %windir%\system32\mssecmgr.ocx (Copy of itself) [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\advnetcfg.ocx [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\msglu32.ocx [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\nteps32.ocx [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\boot32drv.sys (Encrypted Data)
    • %windir%\system32\ccalc32.sys (Encrypted Data)
    • %windir%\Ef_trace.log (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlog.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ntcache.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ssitable (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rccache.dat (Empty file)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\lmcache.dat (Empty file)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv (Copy of itself) [Detected as GAV: Flamer.A (Worm)]
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wpgfilter.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\audfilter.dat (Empty file)
  • It modifies the following registry keys to ensure infection persists after reboot:
    • HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages: "msv1_0 mssecmgr.ocx"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32:wave9: "%ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv"
  • It creates the following mutexes:
    • TH_POOL_SHD_PQOISNG_{PID}SYNCMTX
    • TH_POOL_SHD_MTX_FSW95XQ_{PID}
    • {DRIVE}__program files_common files_microsoft shared_mssecuritymgr_mscrypt.dat
    • {DRIVE}__program files_common files_microsoft shared_mssecuritymgr_ssitable
  • Some of the commands and functions used by the worm are shown below:

    [Screenshot omitted: commands and functions used by the worm]

  • In our analysis, it was seen contacting the following command and control servers:

    [Screenshot omitted: command and control servers observed during analysis]

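The file paths, registry values and mutex names listed above are host-level indicators a defender can sweep for. The following script is an added example (not SonicWall's code) that turns those indicators into a small triage check: it expands the %windir% / %ProgramFiles% variables (assumed defaults, configurable), converts the {PID} and {DRIVE} placeholders in the mutex names into regular expressions, and evaluates a host snapshot consisting of file paths, registry values and mutex names. The snapshot at the bottom is constructed for illustration, not real telemetry; in practice it would come from a triage export or an EDR query.

```python
import re

# Artifacts transcribed from the advisory. %windir% and %ProgramFiles% are
# expanded with the assumed defaults in DEFAULT_ENV before comparison.
FILE_IOCS = [
    r"%windir%\system32\mssecmgr.ocx",
    r"%windir%\system32\advnetcfg.ocx",
    r"%windir%\system32\msglu32.ocx",
    r"%windir%\system32\nteps32.ocx",
    r"%windir%\system32\boot32drv.sys",
    r"%windir%\system32\ccalc32.sys",
    r"%windir%\Ef_trace.log",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlog.dat",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ntcache.dat",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ssitable",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rccache.dat",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\lmcache.dat",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wpgfilter.dat",
    r"%ProgramFiles%\Common Files\Microsoft Shared\MSAudio\audfilter.dat",
]
# Both hives written as HKLM here; the advisory spells the second one out in full.
LSA_KEY = r"HKLM\SYSTEM\ControlSet001\Control\Lsa"
DRIVERS32_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
WAVE9_IOC = r"%ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv"
MUTEX_IOCS = [
    "TH_POOL_SHD_PQOISNG_{PID}SYNCMTX",
    "TH_POOL_SHD_MTX_FSW95XQ_{PID}",
    "{DRIVE}__program files_common files_microsoft shared_mssecuritymgr_mscrypt.dat",
    "{DRIVE}__program files_common files_microsoft shared_mssecuritymgr_ssitable",
]
DEFAULT_ENV = {"windir": r"C:\Windows", "programfiles": r"C:\Program Files"}  # assumed


def expand(path, env=DEFAULT_ENV):
    """Expand %VAR% tokens case-insensitively so IoCs compare to real paths."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def norm(path):
    """Case-fold and unify separators; Windows paths are case-insensitive."""
    return path.lower().replace("/", "\\")


def mutex_regex(ioc):
    """Turn the advisory's {PID}/{DRIVE} placeholders into an anchored regex."""
    subs = {"{PID}": r"\d+", "{DRIVE}": r"[A-Za-z]"}
    parts = re.split(r"(\{PID\}|\{DRIVE\})", ioc)
    body = "".join(subs.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def scan(files, registry, mutexes, env=DEFAULT_ENV):
    """Return findings for one host snapshot: files (paths), registry
    ({(key, value_name): value}, REG_MULTI_SZ as list), mutexes (names)."""
    findings = []
    present = {norm(p) for p in files}
    for ioc in FILE_IOCS:
        if norm(expand(ioc, env)) in present:
            findings.append(f"file: {ioc}")
    # Authentication Packages normally lists msv1_0 alone; the worm appends
    # its main module so LSA loads it at boot.
    auth = registry.get((LSA_KEY, "Authentication Packages"), [])
    auth = [auth] if isinstance(auth, str) else auth
    if any(norm(e).endswith("mssecmgr.ocx") for e in auth):
        findings.append("registry: Authentication Packages loads mssecmgr.ocx")
    wave9 = registry.get((DRIVERS32_KEY, "wave9"))
    if wave9 and norm(expand(wave9, env)) == norm(expand(WAVE9_IOC, env)):
        findings.append("registry: Drivers32\\wave9 points to wavesup3.drv")
    patterns = [(ioc, mutex_regex(ioc)) for ioc in MUTEX_IOCS]
    for name in mutexes:
        for ioc, rx in patterns:
            if rx.match(name):
                findings.append(f"mutex: {name} matches {ioc}")
    return findings


# Constructed host snapshot (not real telemetry), with benign entries mixed in.
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\mssecmgr.ocx",
    r"C:\Program Files\Common Files\Microsoft Shared\MSAudio\wavesup3.drv",
]
SAMPLE_REGISTRY = {
    (LSA_KEY, "Authentication Packages"): ["msv1_0", "mssecmgr.ocx"],
    (DRIVERS32_KEY, "wave9"): WAVE9_IOC,
}
SAMPLE_MUTEXES = [
    "TH_POOL_SHD_PQOISNG_1234SYNCMTX",
    "c__program files_common files_microsoft shared_mssecuritymgr_ssitable",
    "Global\\BenignAppMutex",
]


def sample_findings():
    return scan(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_MUTEXES)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The registry check deliberately looks for an appended entry in Authentication Packages rather than an exact string match, since the value is a REG_MULTI_SZ and the legitimate msv1_0 entry is expected to remain; a hit on that key alone is a strong signal because few legitimate products register an LSA authentication package.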
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Flamer.A (Worm)
  • GAV: Malicious Certificate 1 (Exploit)
  • GAV: Malicious Certificate 2 (Exploit)