The Laboratory of Cryptography and System Security (CrySyS Lab) calls the massively multifaceted spying malware "sKyWIper," while Kaspersky calls it "Flame" and Iran's National CERT (MAHER) calls it "Flamer." Security researchers are only beginning to unravel the malware, but all signs point toward it being a nation-state product created by an as yet unidentified government agency. Whatever you choose to call it, its functionality is fierce and fascinating.
Kaspersky said the malware targets and "systematically" collects data from organizations in Middle Eastern countries including Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. CrySyS, however, also spotted the malware in Europe, including its home country of Hungary.
CrySyS Lab reported [PDF] that "sKyWIper may have been active for as long as five to eight years, or even more." This incredibly complex, info-stealing malware uses five different encryption methods, three different compression techniques, and at least five different file formats. sKyWIper stores information harvested from infected machines in "highly structured" SQLite databases, and parts of it are written in the scripting language Lua, an unusual choice for malware. It whitelists its own files and even carries "suicide" files that kill the malware and remove all traces of infection.
According to the CrySyS Lab technical report [PDF]:
sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable to use all of the computers' functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.
It seems plausible that sKyWIper was not made by the same developer team as that of Duqu/Stuxnet/~D. However, we cannot exclude the possibility that the attackers hired multiple independent development teams for the same purpose, and sKyWIper and Duqu are two independent implementations developed for the same requirement specifications. This may be an approach to increase the robustness of an operation, which can persist even if one of the two (or more?) implementations is uncovered.
The malware authors went to great lengths to evade detection, for example by choosing the file extensions of its components according to whichever security products are installed. "We found that the malware usually uses the .ocx extension, but this decision is based on how to get best under the radar." If, for example, McAfee McShield is installed, the malware switches to its "preferred extension" of .tmp. CrySyS withheld the full list so as not to aid copycat malware writers, but compared it to the table in another component (ccalc32drv.sys) "where table DangerousProcesses contains 346 items."
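The extension trick described above cuts both ways: a component parked under .tmp to dodge a particular scanner is still a Windows PE image, and a mismatch between a file's content and its extension is something a defender can sweep for. The following Python is an added example, not CrySyS's or Kaspersky's code. It assumes the modules in question are ordinary PE files (which .ocx and .tmp-renamed DLLs are), walks a directory tree, and reports every file that carries a PE header but not a PE extension. The sample files and their names (module.tmp, ctrl.ocx and so on) are constructed for the demo and are not real Flame artefacts.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Extensions under which a Windows PE image normally lives. Flame's default
# .ocx is on this list, which is exactly why it blends in; the .tmp variant
# it switches to under some scanners is not, and that mismatch is what
# this sweep looks for.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def is_pe_image(path: Path) -> bool:
    """Header check only: a DOS 'MZ' stub plus a 'PE' signature at e_lfanew."""
    try:
        with path.open("rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_disguised_pes(root: Path) -> list[Path]:
    """Return files under root that are PE images but carry a non-PE extension."""
    hits = [
        p
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() not in PE_EXTENSIONS and is_pe_image(p)
    ]
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample files for the demo (hypothetical names, not real Flame files)."""
    fake_pe = bytearray(0x80)
    fake_pe[:2] = b"MZ"
    fake_pe[0x3C:0x40] = (0x60).to_bytes(4, "little")  # e_lfanew -> 0x60
    fake_pe[0x60:0x64] = b"PE\0\0"
    (root / "module.tmp").write_bytes(fake_pe)  # PE hiding behind .tmp: flagged
    (root / "ctrl.ocx").write_bytes(fake_pe)  # PE under a PE extension: not flagged
    (root / "notes.tmp").write_bytes(b"temporary text\n")  # ordinary temp file: not flagged
    (root / "sub").mkdir()
    (root / "sub" / "stub.tmp").write_bytes(b"MZ" + b"\0" * 8)  # truncated header: not flagged


def demo() -> list[str]:
    """Build the constructed tree in a temp dir and return the names that get flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [p.name for p in find_disguised_pes(root)]


if __name__ == "__main__":
    print(demo())  # ['module.tmp']
```

Note what the sweep does not catch: the default .ocx component passes because .ocx is a legitimate extension for a PE DLL, which is precisely why it was chosen to get "under the radar." The check is useful for the renamed variants and for any other executable dropped under a non-executable extension, and it is cheap enough to run across a whole Windows system directory.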
Symantec sticks with the name "Flamer" and reports that, like Stuxnet and Duqu, the Flamer "code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives." A Symantec spokesman told Computerworld, "Examination of the code also leads Symantec to believe the malware was developed by a natively English speaking set of developers." Richi Jennings pointed out that the Iranian CERT created its own "Flamer" detection tool because "none of the 43 tested antiviruses could detect it."
From here on out, let's use Flame as the malware name. According to Kaspersky, Flame has about 20 plugins that perform various functions, and it is quite the info-stealing thief: it can "hear" via the microphone, "see" by taking screenshots of interesting applications such as IM clients or email, and then "talk" via command-and-control communications. It can "smell" by sniffing network traffic, and the malware writers can probably almost taste the fear of those who discover their machines are infected. Kaspersky said the malware can connect to some 80 different C&C domains, and that set can easily be changed via the "updateable list" of C&C servers that receive the compressed screenshots, audio recordings and keystroke logs.
According to Wired, "The screenshot module grabs desktop images every 15 seconds when a high-value communication application is being used, such as instant messaging or Outlook, and once every 60 seconds when other applications are being used."
Lucian Constantin reported on Kaspersky's analysis of Flame, which is much bigger than both Duqu and Stuxnet: "The size of all Flame components combined adds up to over 20MB and one file in particular measures over 6MB alone. Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Microsoft Windows printer vulnerability that was also leveraged by Stuxnet." That printer bug is the print spooler flaw Microsoft fixed in MS10-061. Yet Kaspersky added that Flame can also infect fully patched Windows 7 machines, which suggests a still-unknown vulnerability, a zero-day, is being exploited.
Kaspersky has seen multiple versions of the Flame attack toolkit in the wild and calls Flame "the most sophisticated cyber weapon yet unleashed." If it circulated for at least a couple of years before discovery, it seems entirely possible that even more advanced attack toolkits, more sophisticated cyber weapons, are lurking, working and awaiting discovery.