sKyWIper (aka Flame aka Flamer): A complex malware for targeted attacks

  • sKyWIper Analysis Team. Crysys Lab

Abstract

http://www.bme.hu/

This report contains information provided by anonymous parties; hence, references were edited to preserve their anonymity.

sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks, v1.05 (May 31, 2012). This is a live document that is modified continuously. Authors: sKyWIper Analysis Team.

In May 2012, our team participated in the analysis of an as yet unknown malware, which we internally call sKyWIper. Based on the information initially received, we understood that the malware is an important piece of a targeted attack. When we started the analysis, we did not know how many countries were affected, but we suspected that it was not limited to a single country. Our suspicion was based on indications that pieces of the malware were probably identified and uploaded from European parties onto binary analysis sites in the past. During the investigation, we received information about systems infected by sKyWIper in other countries, including Hungary, our home country. Hence, the suspicion became evidence, and this made it clear to us that our findings must be disclosed by publishing this report.

It is obvious from the list of its files that sKyWIper must be identical to the malware described in the post http://www.certcc.ir/index.php?name=news&file=article&sid=1894 (from Iran National CERT (MAHER)), where it is called Flamer. For convenience, we keep our naming of the malware and call it sKyWIper, based on one of the filenames (~KWI) it uses for temporary files.

sKyWIper's structure is quite complex, with a large number of components and the substantial size of some of its files. Therefore, providing its full analysis in a limited amount of time was infeasible with our current resources. Our goal was to get a quick understanding of the malware's purpose, and to identify its main modules, storage formats, encryption algorithms, injection mechanisms and activity in general. This report contains the results of our analysis, which should help other researchers with more resources to get started and continue the analysis, producing more detailed results.

Citation (APA)

sKyWIper Analysis Team. Crysys Lab. (2012). sKyWIper (aka Flame aka Flamer): A complex malware for targeted attacks. Budapest, Hungary: Laboratory of Cryptography and System Security (CrySyS Lab), 05, 1–64.
