Since CrySyS Lab and Kaspersky disclosed the existence of a new malware called Flamer, everyone has been analyzing and discovering new information about its behavior.
We will try to summarize some of the Indicators Of Compromise (IOCs) that we can use to detect the presence of the Flamer framework using OpenIOC. Created by Mandiant, OpenIOC is an extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.
It has a very flexible schema and thanks to it we can describe every component of an attack/compromise. We will try to include most of the indicators which will detect the presence of Flamer. Note that OpenIOC is new for me so if someone wants to comment and add value to the IOC feel free to do it.
Mandiant released a graphical tool called IOC Editor that allows creating and editing IOCs. I often use that tool and some Python scripting when working with large IOCs.
We will first include some IOCs describing the registry changes that Flame performs on a compromised machine. It includes the addition of the DLL mssecmgr.ocx on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Autenthication that Flamer uses to maintain persistence. The other registry modifications are related to the Audio driver.
Then we can easily include the different mutexes created by the Flamer components during execution (I updated my list with some information published by FireEye)
The next step is including the list of files belonging to Flame and his components:
And the associated domains:
Lets add the export functions of some of the modules used by the framework:
You can download the file containing all the IOCs here http://alienvault-labs-garage.googlecode.com/files/af2e8c80-13db-4a57-99ac-460ccd192333.ioc [no longer available].
To look for the IOCs we just wrote, you can use the tool IOCFinder, first you have to collect the information required to perform the checks:
C:\>mandiant_ioc_finder.exe collect -o e:\flamer\iocs\ -d c:
06-04-2012 14:32:27 Setting up dependencies…
06-04-2012 14:32:27 Starting collection…
06-04-2012 14:32:27 Running built-in collection script at ./lib/script.xml…
06-04-2012 14:32:27 Auditing (w32system) started at 06-04-2012 14:32:27
06-04-2012 14:32:27 Auditing (w32system) finished. (Took 0.11 seconds)
06-04-2012 14:32:27 Auditing (w32disks) started at 06-04-2012 14:32:27
....
And then look for the IOCs:
C:\>mandiant_ioc_finder.exe report -s e:\flamer\iocs\ -i c:\iocs\ -t doc -w verb
ose
06-04-2012 23:08:12 Loading *.ioc from=c:\iocs\
06-04-2012 23:08:12 1 iocs were loaded.
06-04-2012 23:08:13 No Word Doc XML output path selected. Using report_20120604
210812.doc.xml.
06-04-2012 23:08:13 Beginning search of audit bundle at path=e:\flamer\iocs\XXXXX\20120604180114 (1 of 1). Total size=708.88 MB.
