As most of you probably know, yesterday CrySyS revealed a new threat called Skywiper, also known as Flame or Flamer. There are rumors that the threat has been out there for a couple of years. Based on our investigation, we have found clues pointing to different Flame-related components that have been around for nearly four years. The main component of the threat published by CrySyS is a file called mssecmgr.ocx (md5: bdc9e04388bda8527b398a8c34667e18). It is clear that the PE header timestamp has been changed: it points to 20/02/1992. But the PE file has some debug info entries that point to 31/08/2011.
The timestamp of the Export section also has the same value:
The original main module exports the following functions: CPlApplet, DDEInit, DDEnumCallback, GetAuthMechanism, InprocServer, QueryValueEx, SetAuthMechanism, SetEnumStructure, ValueEnumCallback. We have found another mssecmgr.ocx file (md5: ee4b589a7b5d56ada10d9a15f81dada9) that seems to be much older. It exports fewer functions than the newer mssecmgr.ocx: CPlApplet, DDEnumCallback, InprocServer, SetAuthMechanism, ValueEnumCallback. If we take a look at the PE headers, it seems that it was compiled at the end of 2008:
First seen by VirusTotal 2009-07-29 08:45:52 UTC ( 2 years, 10 months ago ) (3 years old)
If we examine the published advnetcfg.ocx file, which is the backdoor component (md5: bb5441af1e1741fca600e9c433cb1550), we see that the PE file timestamp has been modified, but we find some debug info that points to the beginning of 2011:
And the export section seems to indicate the same:
First seen by VirusTotal 2011-05-15 04:31:30 UTC ( 1 year ago )
In the case of nteps32.ocx (md5: c9e00c9d94d1a790d5923b050b0bd741), the component in charge of performing screen captures and other spy-related routines, the dates match those of the advnetcfg.ocx component:
Based on the original analysis done by CrySyS (http://www.crysys.hu/skywiper/skywiper.pdf), there seems to be a routine called SUICIDE that removes all the files related to Flame:
SUICIDE.RESIDUAL_FILES.A [NoValue]->%temp%\~a28.tmp
SUICIDE.RESIDUAL_FILES.B [NoValue]->%temp%\~DFL542.tmp
SUICIDE.RESIDUAL_FILES.C [NoValue]->%temp%\~DFL543.tmp
SUICIDE.RESIDUAL_FILES.D [NoValue]->%temp%\~DFL544.tmp
SUICIDE.RESIDUAL_FILES.E [NoValue]->%temp%\~DFL545.tmp
SUICIDE.RESIDUAL_FILES.F [NoValue]->%temp%\~DFL546.tmp
SUICIDE.RESIDUAL_FILES.G [NoValue]->%temp%\~dra51.tmp
SUICIDE.RESIDUAL_FILES.H [NoValue]->%temp%\~dra52.tmp
SUICIDE.RESIDUAL_FILES.I [NoValue]->%temp%\~fghz.tmp
SUICIDE.RESIDUAL_FILES.J [NoValue]->%temp%\~rei524.tmp
SUICIDE.RESIDUAL_FILES.K [NoValue]->%temp%\~rei525.tmp
SUICIDE.RESIDUAL_FILES.L [NoValue]->%temp%\~TFL848.tmp
SUICIDE.RESIDUAL_FILES.M [NoValue]->%temp%\~TFL842.tmp
SUICIDE.RESIDUAL_FILES.O [NoValue]->%temp%\GRb2M2.bat
SUICIDE.RESIDUAL_FILES.P [NoValue]->%temp%\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.Q [NoValue]->%temp%\scaud32.exe
SUICIDE.RESIDUAL_FILES.R [NoValue]->%temp%\scsec32.exe
SUICIDE.RESIDUAL_FILES.S [NoValue]->%temp%\sdclt32.exe
SUICIDE.RESIDUAL_FILES.T [NoValue]->%temp%\sstab.dat
SUICIDE.RESIDUAL_FILES.U [NoValue]->%temp%\sstab15.dat
SUICIDE.RESIDUAL_FILES.V [NoValue]->%temp%\winrt32.dll
SUICIDE.RESIDUAL_FILES.W [NoValue]->%temp%\winrt32.ocx
SUICIDE.RESIDUAL_FILES.X [NoValue]->%temp%\wpab32.bat
SUICIDE.RESIDUAL_FILES.Y [NoValue]->%windir%\system32\commgr32.dll
SUICIDE.RESIDUAL_FILES.A1 [NoValue]->%windir%\system32\comspol32.dll
SUICIDE.RESIDUAL_FILES.A2 [NoValue]->%windir%\system32\comspol32.ocx
SUICIDE.RESIDUAL_FILES.A3 [NoValue]->%windir%\system32\indsvc32.dll
SUICIDE.RESIDUAL_FILES.A4 [NoValue]->%windir%\system32\indsvc32.ocx
SUICIDE.RESIDUAL_FILES.A5 [NoValue]->%windir%\system32\modevga.com
SUICIDE.RESIDUAL_FILES.A6 [NoValue]->%windir%\system32\mssui.drv
SUICIDE.RESIDUAL_FILES.A7 [NoValue]->%windir%\system32\scaud32.exe
SUICIDE.RESIDUAL_FILES.A8 [NoValue]->%windir%\system32\sdclt32.exe
SUICIDE.RESIDUAL_FILES.A9 [NoValue]->%windir%\system32\watchxb.sys
SUICIDE.RESIDUAL_FILES.A10 [NoValue]->%windir%\system32\winconf32.ocx
SUICIDE.RESIDUAL_FILES.A11 [NoValue]->%windir%\system32\mssvc32.ocx
SUICIDE.RESIDUAL_FILES.A12 [NoValue]->%COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\rccache.dat
SUICIDE.RESIDUAL_FILES.A13 [NoValue]->%COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A14 [NoValue]->%COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlog.dat
SUICIDE.RESIDUAL_FILES.A15 [NoValue]->%COMMONPROGRAMFILES%\Microsoft Shared\MSSecurityMgr\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A16 [NoValue]->%COMMONPROGRAMFILES%\Microsoft Shared\MSAudio\dstrlogh.dat
SUICIDE.RESIDUAL_FILES.A17 [NoValue]->%SYSTEMROOT%\Temp\~8C5FF6C.tmp
SUICIDE.RESIDUAL_FILES.A18 [NoValue]->%windir%\system32\sstab0.dat
SUICIDE.RESIDUAL_FILES.A19 [NoValue]->%windir%\system32\sstab1.dat
SUICIDE.RESIDUAL_FILES.A20 [NoValue]->%windir%\system32\sstab2.dat
SUICIDE.RESIDUAL_FILES.A21 [NoValue]->%windir%\system32\sstab3.dat
SUICIDE.RESIDUAL_FILES.A22 [NoValue]->%windir%\system32\sstab4.dat
SUICIDE.RESIDUAL_FILES.A23 [NoValue]->%windir%\system32\sstab5.dat
SUICIDE.RESIDUAL_FILES.A24 [NoValue]->%windir%\system32\sstab6.dat
SUICIDE.RESIDUAL_FILES.A25 [NoValue]->%windir%\system32\sstab7.dat
SUICIDE.RESIDUAL_FILES.A26 [NoValue]->%windir%\system32\sstab8.dat
SUICIDE.RESIDUAL_FILES.A27 [NoValue]->%windir%\system32\sstab9.dat
SUICIDE.RESIDUAL_FILES.A28 [NoValue]->%windir%\system32\sstab10.dat
SUICIDE.RESIDUAL_FILES.A29 [NoValue]->%windir%\system32\sstab.dat
SUICIDE.RESIDUAL_FILES.B1 [NoValue]->%temp%\~HLV751.tmp
SUICIDE.RESIDUAL_FILES.B2 [NoValue]->%temp%\~KWI288.tmp
SUICIDE.RESIDUAL_FILES.B3 [NoValue]->%temp%\~KWI282.tmp
SUICIDE.RESIDUAL_FILES.B4 [NoValue]->%temp%\~HLV084.tmp
SUICIDE.RESIDUAL_FILES.B5 [NoValue]->%temp%\~HLV224.tmp
SUICIDE.RESIDUAL_FILES.B6 [NoValue]->%temp%\~HLV227.tmp
SUICIDE.RESIDUAL_FILES.B7 [NoValue]->%temp%\~HLV473.tmp
SUICIDE.RESIDUAL_FILES.B8 [NoValue]->%windir%\system32\nteps32.ocx
SUICIDE.RESIDUAL_FILES.B9 [NoValue]->%windir%\system32\advnetcfg.ocx
SUICIDE.RESIDUAL_FILES.B10 [NoValue]->%windir%\system32\ccalc32.sys
SUICIDE.RESIDUAL_FILES.B11 [NoValue]->%windir%\system32\boot32drv.sys
SUICIDE.RESIDUAL_FILES.B12 [NoValue]->%windir%\system32\rpcnc.dat
SUICIDE.RESIDUAL_FILES.B13 [NoValue]->%windir%\system32\soapr32.ocx
SUICIDE.RESIDUAL_FILES.B14 [NoValue]->%windir%\system32\ntaps.dat
SUICIDE.RESIDUAL_FILES.B15 [NoValue]->%windir%\system32\advpck.dat
SUICIDE.RESIDUAL_FILES.B16 [NoValue]->%temp%\~rf288.tmp
SUICIDE.RESIDUAL_FILES.B17 [NoValue]->%temp%\~dra53.tmp
SUICIDE.RESIDUAL_FILES.B18 [NoValue]->%systemroot%\system32\msglu32.ocx
SUICIDE.RESIDUAL_FILES.C1 [NoValue]->%COMMONPROGRAMFILES%\Microsoft Shared\MSAuthCtrl\authcfg.dat
SUICIDE.RESIDUAL_FILES.C2 [NoValue]->%COMMONPROGRAMFILES%\Microsoft Shared\MSSndMix\mixercfg.dat
Based on this info we could find some of the files that have been part of Flame in the past. We found a version of comspol32.ocx (md5: 20732c97ef66dd97389e219fc0182cb5) that was first seen on VirusTotal nearly two years ago:
2010-07-20 13:41:34 UTC ( 1 year, 10 months ago )
The Export section headers indicate that it was compiled at the end of 2009:
The DLL exports the following functions: CreateDTIList, CreateRTAList, DisableRSG, DisableRSO, DisableRSOEx, DisableRTA, EnableRSG, EnableRSO, EnableRSOEx, EnableRSOExDefault, EnableRTA, FreeDTIData, GetDRI, GetDTI, ReadDTIData, RestoreDTIData, UpdateDTIList, WriteDTIData. At the time of uploading to VirusTotal it was only detected by Microsoft as Trojan:Win32/Tosy.A. Another discovered file is dsmgr.dll (md5: 2afaab2840e4ba6af0e5fa744cd8f41f), which exports the following functions: CreateDSPList, DisableDSP, EnableDSP. It was uploaded to VirusTotal more than three years ago:
First seen by VirusTotal 2009-05-21 03:01:33 UTC ( 3 years ago )
And the Export section headers indicate it was compiled around the middle of 2008 (4 years ago):
At the time of upload to VirusTotal it was detected by five antivirus vendors with generic signatures (not very reliable). The file indsvc32.dll (md5: 7a2eded2c5d8bd70e1036fb5f81c82d2) exports the following functions: QDInit, SetObjectDescriptor. It was first uploaded on:
First seen by VirusTotal 2009-12-22 09:27:31 UTC ( 2 years, 5 months ago )
And the Export headers point to the end of 2009:
It was detected by three antivirus vendors at the time of uploading to VirusTotal. Another version of indsvc32.dll (md5: 6f7325bb482885e8b85acddec685f7fa) was uploaded at more or less the same time as the other version:
First seen by VirusTotal 2009-12-22 08:36:23 UTC ( 2 years, 5 months ago )
And the Export timestamps point to more or less the same time:
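The dating argument used throughout this post rests on three build stamps that live in different places of a PE file: FileHeader.TimeDateStamp (the one that was back-dated to 1992 in mssecmgr.ocx), the export directory's TimeDateStamp and the debug directory's TimeDateStamp (both left at 2011), plus the comparison of exported names between the two mssecmgr.ocx versions. To make that triangulation concrete, here is an added Python example that is not part of the original post and touches none of the Flame samples: it builds a constructed minimal PE32 DLL in memory with a back-dated header stamp and 2011 export/debug stamps, then parses the three stamps and the export names using only struct. The dates mirror the ones quoted for mssecmgr.ocx; the exported names are a subset of the older sample's list; the 30-day tolerance and all function names are my own choices.

```python
import struct
from datetime import datetime, timezone

DIR_EXPORT, DIR_DEBUG = 0, 6  # data-directory indices from the PE/COFF specification


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by file data" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def pe_timestamps(data):
    """Collect the three independent build stamps of a PE32 image plus its export names."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, hdr_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example only handles PE32 (32-bit) images")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsect):  # VirtualAddress, SizeOfRawData, PointerToRawData start at +12
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, sect_tbl + 40 * i + 12)
        sections.append((va, raw_ptr, raw_size))
    info = {"header": hdr_ts, "export": None, "debug": [], "export_names": []}
    exp_rva = dirs[DIR_EXPORT][0]
    if exp_rva:
        f = struct.unpack_from("<IIHHIIIIIII", data, _rva_to_offset(sections, exp_rva))
        info["export"] = f[1]                       # IMAGE_EXPORT_DIRECTORY.TimeDateStamp
        names_off = _rva_to_offset(sections, f[9])  # AddressOfNames
        for i in range(f[7]):                       # NumberOfNames
            name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            info["export_names"].append(_cstr(data, _rva_to_offset(sections, name_rva)))
    dbg_rva, dbg_size = dirs[DIR_DEBUG]
    if dbg_rva:
        off = _rva_to_offset(sections, dbg_rva)
        for i in range(dbg_size // 28):             # one IMAGE_DEBUG_DIRECTORY entry is 28 bytes
            info["debug"].append(struct.unpack_from("<I", data, off + 28 * i + 4)[0])
    return info


def header_stamp_plausible(info, tolerance=30 * 86400):
    """True when the COFF header stamp agrees with every export/debug stamp within `tolerance` seconds.

    FileHeader.TimeDateStamp is a single field and cheap to edit; the export and debug
    directories carry their own stamps written by the linker at the same moment, so a
    large disagreement is exactly the signal the post relies on.
    """
    others = ([info["export"]] if info["export"] is not None else []) + info["debug"]
    return all(abs(info["header"] - ts) <= tolerance for ts in others)


def build_sample_pe(header_ts, export_ts, debug_ts, names):
    """Constructed minimal PE32 DLL: one section holding an export directory and one debug entry."""
    sect_rva, sect_off, sect_size = 0x1000, 0x200, 0x400
    body = bytearray(sect_size)
    names_arr, str_off, name_rvas = 0x80, 0x80 + 4 * len(names), []
    for n in names:
        name_rvas.append(sect_rva + str_off)
        body[str_off:str_off + len(n) + 1] = n.encode() + b"\0"
        str_off += len(n) + 1
    struct.pack_into("<%dI" % len(names), body, names_arr, *name_rvas)
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, export_ts, 0, 0, 0, 1,
                     len(names), len(names), 0, sect_rva + names_arr, 0)
    struct.pack_into("<IIHHIIII", body, 0x40, 0, debug_ts, 0, 0, 2, 0, 0, 0)  # Type 2 = CODEVIEW
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, header_ts, 0, 0, 224, 0x2102)  # i386, one section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_EXPORT, sect_rva, 40)
    struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, sect_rva + 0x40, 28)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", sect_size, sect_rva, sect_size,
                       sect_off, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sect_off, b"\0") + bytes(body)


def epoch(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    # Constructed stand-in for the published mssecmgr.ocx: header set to 20/02/1992,
    # export and debug stamps left at 31/08/2011, exports taken from the older sample's list.
    sample = build_sample_pe(epoch(1992, 2, 20), epoch(2011, 8, 31), epoch(2011, 8, 31),
                             ["CPlApplet", "DDEnumCallback", "InprocServer"])
    info = pe_timestamps(sample)
    print("FileHeader.TimeDateStamp :", _utc(info["header"]))
    print("Export dir TimeDateStamp :", _utc(info["export"]))
    print("Debug dir TimeDateStamp  :", [_utc(t) for t in info["debug"]])
    print("Exports                  :", ", ".join(info["export_names"]))
    print("header stamp plausible?  :", header_stamp_plausible(info))
```

Run stand-alone it prints the three stamps and reports the header as implausible; pass the bytes of a real file to pe_timestamps() for the same triangulation. Two caveats apply to the method, not just the code: PE32+ images and RVAs not backed by file data are rejected rather than guessed at, and all three stamps are ordinary file bytes, so an author who fixes every one of them defeats the check. Agreement among the stamps is supporting evidence for a compile date, never proof; that is why the post also leans on VirusTotal first-seen dates, which the author of the file cannot edit.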
Based on this information we can state:
- We have found a version of the main component (mssecmgr.ocx) that seems to have been compiled at the end of 2008. This can indicate that Flame has been around for at least 4 years.
- Some of the components of Flame are detected by antivirus companies under other names. This can indicate that the authors are reusing older code/binaries, or that some of the components had already been discovered by antivirus companies.
- There must be other undiscovered modules with other features that security companies will detect in the upcoming days.
We will continue analyzing Flame and trying to present more clues about its capabilities and who is behind it.