Flamer Analysis and Detection with ECAT
The Internet is currently aflame over the discovery of the w32.Flamer malware (a.k.a. SkyWIper, Flame and Flamer). That this malware is potentially a “son of Stuxnet and Duqu” and was probably state sponsored should not obscure the fact that it went undetected for at least a year.
Antivirus and inline monitoring devices were easily fooled by Flamer; there was essentially no vendor detection. Mikko Hyppönen went so far as to state on F-Secure’s blog that “Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed. All of these cases were spreading undetected for extended periods of time.”
Flamer has a very effective automated propagation mechanism and uses more than 80 different command and control (C&C) servers. This is not a low-distribution, highly targeted attack but a widespread deployment on thousands of hosts in multiple countries. The whole package is close to 20MB, generates multiple network connections and can consume 90% or more of the system’s CPU. That is not exactly flying under the radar.
We ran a sample of Flamer through our signature-less malware detection system, ECAT. The sample we used is configured to connect to a C&C server that has since been taken down. Nevertheless, ECAT flags the machine with a Machine Suspect Level (MSL) of 34, showing that something is definitely wrong with it (we started with a clean machine and a baseline MSL of 0 prior to infection):
Digging deeper, ECAT reports that a system DLL, shell32.dll, part of the OS, is loaded in services.exe, winlogon.exe and explorer.exe and carries the “Image Mismatch” suspect reason. This means the code of shell32.dll as mapped in those processes no longer matches the file on disk: Flamer has replaced the legitimate code in memory with its own. Tools that only walk the loaded-module list see a legitimately named system DLL and report these three processes as normal; only a byte-level comparison of the mapped image against the on-disk file reveals the replacement. Using this technique, the malware runs under the name of a trusted module and bypasses personal firewalls and AV systems. For the assembler code related to this operation, please refer to the corresponding section at the end of this post.
Now, let’s look at the Network Connections section. We see the injected shell32.dll connecting to different addresses on the Internet over HTTP and HTTPS. As you can see, ECAT can discriminate between connections made by the malware (shell32.dll) and those made by regular browsing sessions (shlwapi.dll). The Properties section also shows the statistical information gathered about the connections, such as the number of bytes transferred and the time between connections.
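The image-mismatch check described above, as an added example written for this post (it is not ECAT’s code, and the byte strings are constructed test data rather than bytes from shell32.dll): the code section of a module as mapped in a process is compared page by page with the same section read from the file on disk. The one caveat a practitioner must handle is relocation: a legitimately loaded image differs from its file at exactly the bytes the loader patched when it mapped the image away from its preferred base, so those offsets are masked out before anything is reported.

```python
"""Image-mismatch check, added as an illustration (not ECAT's code).

A module's code section as mapped in a process is compared page by page
with the same section from the file on disk. Bytes touched by relocation
fix-ups are masked out, because a legitimately loaded image differs from
the file at exactly those bytes when it is mapped away from its preferred
base; anything else that differs means the code in memory is no longer
the code on disk. All byte strings below are constructed test data.
"""
import hashlib
from dataclasses import dataclass

PAGE = 0x1000


@dataclass
class CodeSection:
    rva: int      # RVA of the section inside the image
    data: bytes   # section contents (raw bytes from disk, or as mapped)


def relocation_mask(reloc_rvas, section_rva, size, width=4):
    """Set of section offsets that a loader may legitimately rewrite.

    For a 32-bit image each IMAGE_REL_BASED_HIGHLOW entry patches `width`
    bytes at the entry's RVA (use width=8 for 64-bit DIR64 entries)."""
    masked = set()
    for rva in reloc_rvas:
        off = rva - section_rva
        if 0 <= off < size:
            masked.update(range(off, min(off + width, size)))
    return masked


def compare_image(disk, mem, reloc_rvas=()):
    """Return [(page_offset, differing_bytes), ...] for every page whose
    non-relocation bytes differ between disk and memory; [] means the
    mapped code matches the file."""
    size = min(len(disk.data), len(mem.data))
    masked = relocation_mask(reloc_rvas, disk.rva, size)
    findings = []
    for page in range(0, size, PAGE):
        end = min(page + PAGE, size)
        d = disk.data[page:end]
        m = mem.data[page:end]
        if hashlib.sha256(d).digest() == hashlib.sha256(m).digest():
            continue  # identical page, nothing to inspect
        diff = sum(1 for i in range(len(d))
                   if d[i] != m[i] and (page + i) not in masked)
        if diff:
            findings.append((page, diff))
    return findings


def build_demo():
    """Constructed stand-in for a .text section: three pages of a byte
    pattern, an honestly relocated copy, and a copy with code injected."""
    text_rva = 0x1000
    pattern = bytes((i * 7 + 3) & 0xFF for i in range(3 * PAGE))
    reloc_rvas = [text_rva + 0x10, text_rva + 0x1234]

    relocated = bytearray(pattern)          # honest load at another base
    for rva in reloc_rvas:
        off = rva - text_rva
        relocated[off:off + 4] = b"\xEF\xBE\xAD\xDE"

    injected = bytearray(relocated)         # same load, part of page 1 replaced
    injected[PAGE:PAGE + 0x200] = b"\xCC" * 0x200   # placeholder payload bytes

    return {
        "disk": CodeSection(text_rva, pattern),
        "relocated": CodeSection(text_rva, bytes(relocated)),
        "injected": CodeSection(text_rva, bytes(injected)),
        "reloc_rvas": reloc_rvas,
    }


if __name__ == "__main__":
    d = build_demo()
    print("relocated:", compare_image(d["disk"], d["relocated"], d["reloc_rvas"]))
    print("injected: ", compare_image(d["disk"], d["injected"], d["reloc_rvas"]))
```

On a live system the `mem` section would come from reading the process at the module base (for example via ReadProcessMemory) and the relocation RVAs from the image’s `.reloc` directory; without the mask, every module loaded at a non-preferred base reports a handful of differing bytes per page and the check is useless.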
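The per-module connection statistics mentioned above are what separate a beacon from a browser, so here is an added example (not ECAT’s code) of the logic run over constructed connection records: for every (process, module) pair it computes the connection count, bytes sent, destinations, the mean interval between connections and the interval jitter, and flags pairs that call out on a near-fixed timer. The SAMPLE records, hosts and byte counts are made up for the example.

```python
"""Per-module connection profiling, added as an illustration (not ECAT's
code). For each (process, module) pair that opened outbound connections
it computes the number of connections, bytes sent, the mean interval
between connections and the interval jitter; a module that talks on a
near-fixed timer to a small set of hosts looks like a C&C beacon, while
a user's browsing is bursty and irregular. SAMPLE is constructed data in
the shape an endpoint agent might record, not a real capture."""
from collections import defaultdict
from statistics import mean, pstdev

# (seconds, process, module that made the call, destination, bytes_out)
SAMPLE = [
    (0,    "services.exe", "shell32.dll", "203.0.113.5:443",  1450),
    (300,  "services.exe", "shell32.dll", "203.0.113.5:443",  1460),
    (601,  "services.exe", "shell32.dll", "198.51.100.7:80",  1440),
    (900,  "services.exe", "shell32.dll", "203.0.113.5:443",  1452),
    (1200, "services.exe", "shell32.dll", "198.51.100.7:80",  1448),
    (12,   "iexplore.exe", "shlwapi.dll", "192.0.2.10:80",    2200),
    (47,   "iexplore.exe", "shlwapi.dll", "192.0.2.11:443",   9800),
    (48,   "iexplore.exe", "shlwapi.dll", "192.0.2.12:443",  14300),
    (310,  "iexplore.exe", "shlwapi.dll", "192.0.2.10:80",    1800),
    (900,  "iexplore.exe", "shlwapi.dll", "192.0.2.13:443",  22000),
]


def profile(records):
    """Group connections by (process, module) and summarise each group."""
    groups = defaultdict(list)
    for t, proc, mod, dest, nbytes in records:
        groups[(proc, mod)].append((t, dest, nbytes))
    out = {}
    for key, conns in groups.items():
        conns.sort()
        times = [c[0] for c in conns]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else 0.0
        out[key] = {
            "count": len(conns),
            "bytes_out": sum(c[2] for c in conns),
            "dests": sorted({c[1] for c in conns}),
            "mean_interval": avg,
            # coefficient of variation of the gaps: near 0 means clockwork
            "jitter": (pstdev(gaps) / avg) if avg else float("inf"),
        }
    return out


def flag_beacons(profiles, min_count=4, max_jitter=0.1):
    """Keys whose connection timing is regular enough to look like a beacon."""
    return sorted(k for k, p in profiles.items()
                  if p["count"] >= min_count and p["jitter"] <= max_jitter)


if __name__ == "__main__":
    profiles = profile(SAMPLE)
    for key, p in sorted(profiles.items()):
        print(key, p)
    print("beacon candidates:", flag_beacons(profiles))
```

The thresholds are deliberately loose; real beacons add random sleep, so in practice you would also rank by the number of distinct destinations and the size regularity of each request rather than rely on timing alone.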
Flamer is loaded at boot through an LSA authentication package entry (the Authentication Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which LSASS reads at startup and loads into its own process):
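Because that value is a privileged autostart, it is worth checking on every host, not only on one already flagged. The following is an added example (not ECAT’s code) that reads the value from the live registry on Windows and reports any entry not on an allow-list; the key path and the stock content of the value (msv1_0) are Windows facts, the SAMPLE entries are constructed, and the module resolution follows LoadLibrary’s rule of appending .dll to an extension-less name, which is assumed to match what LSASS does. The Security Packages and Notification Packages values under the same key are loaded the same way and deserve the same baseline.

```python
"""Audit of the LSA 'Authentication Packages' value, added as an
illustration (not ECAT's code). LSASS loads every module named in this
REG_MULTI_SZ value under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa at
boot, which makes it a privileged autostart. Any entry not on the
allow-list is reported together with the path it would resolve to.
SAMPLE is constructed data standing in for what a read might return."""
import os
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
# Stock content of the value on a supported Windows build; extend this
# allow-list from a known-good baseline of your own images.
EXPECTED = {
    "Authentication Packages": {"msv1_0"},
}
# Constructed sample: a stock entry plus one that should never be there.
SAMPLE = {
    "Authentication Packages": ["msv1_0", "sample_pkg.ocx"],
}


def normalize(entries):
    """Accept a list (as winreg returns) or a NUL-joined string (as some
    registry exporters emit) and return the non-empty entries."""
    if isinstance(entries, str):
        entries = entries.split("\0")
    return [e.strip() for e in entries if e and e.strip()]


def suspicious_packages(value_name, entries, expected=EXPECTED):
    """Entries of one LSA value that are not allow-listed (case-insensitive)."""
    allowed = {e.lower() for e in expected.get(value_name, set())}
    return [e for e in normalize(entries) if e.lower() not in allowed]


def resolve_module(entry):
    """Approximate the file LSASS would load: LoadLibrary appends .dll to
    a name with no extension and searches System32 for a bare name
    (assumption: LSASS follows the same resolution rules)."""
    name = entry if os.path.splitext(entry)[1] else entry + ".dll"
    if os.path.isabs(name):
        return name
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(system_root, "System32", name)


def read_lsa_value(value_name):
    """Read one LSA value from the live registry (Windows only)."""
    import winreg  # standard library module that exists only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        data, _kind = winreg.QueryValueEx(key, value_name)
    return normalize(data)


if __name__ == "__main__":
    for value_name in EXPECTED:
        if sys.platform == "win32":
            entries = read_lsa_value(value_name)
        else:
            entries = SAMPLE[value_name]   # offline demo on non-Windows
        for entry in suspicious_packages(value_name, entries):
            path = resolve_module(entry)
            present = os.path.exists(path)
            print(f"{value_name}: unexpected entry {entry!r} -> {path}"
                  f" ({'present' if present else 'missing'} on disk)")
```

A hit is not proof on its own (some third-party authentication products register here legitimately), so the next step is to verify the resolved file’s Authenticode signature and compare its hash against the vendor’s release; an unsigned or unknown module in this value on a host that also shows the image mismatch above is about as clear a signal as host telemetry gives.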
To conclude, as sophisticated as Flamer is, in order to be effective and achieve its goals it must inevitably change the state of its target and try to hide itself. These behaviors are caught by ECAT, even though virtually every other security solution missed the malware. Regrettably for those planning or currently running covert nuclear weapons programs, we are prohibited from providing an ECAT license to you. For the rest of the world, we believe this once again demonstrates the importance of not relying on signature-based security for protecting critical IT infrastructure.
We’ll be following up in future posts with more analyses using ECAT and posting videos on our YouTube channel that you can subscribe to here.
For a whitepaper on ECAT or to request more information, please click here
Flamer Assembly Code View
Using ECAT’s built-in live memory analysis, we can view the process memory dump and see the unencrypted assembly code that was injected into shell32.dll: