
Flame: Bunny, Frog, Munch and BeetleJuice…

Aleks
Kaspersky Lab Expert
Posted May 29, 20:30 GMT
Tags: Flame, Cyber weapon, Cyber espionage

As mentioned in the previous blog post about Flame, its code base and functionality are so large that a complete analysis will take several months. We plan to keep publishing the most important and interesting details of its functionality as we uncover them.

At the moment we are receiving many inquiries about how to check systems for a Flame infection. The simplest answer, from our side, is to use Kaspersky Anti-Virus or Kaspersky Internet Security: they detect and remove all known modifications of the main module and the additional components of Flame.

However, for those who want to carry out a detailed check themselves, we give the necessary recommendations and advice at the end of this article.

MSSECMGR.OCX

The main module of Flame is a DLL named mssecmgr.ocx. We have found two variants of it. Most infected machines carried the “big” version, about 6 MB in size, which contains and deploys the additional modules. The smaller version is only about 900 KB and contains no additional modules; after installation it connects to one of the C&C servers and tries to download and install the remaining components from there.

On infected machines mssecmgr may appear under different names, depending on the infection method and the malware's current internal state (installation, replication, upgrade), e.g. wavesup3.drv, ~zff042.ocx, msdclr64.ocx.

Complete analysis of the mssecmgr module will follow in our upcoming blog posts.

The module is first activated from outside, either through Windows WMI with a MOF file (when the MS10-061 print spooler exploit is used) or through a BAT file. The MOF file carries a JScript fragment that starts the module with rundll32 by calling its exported function DDEnumCallback:

// JScript embedded in svchostevt.mof; msdclr64.ocx is one of the names
// under which the main module (mssecmgr.ocx) is dropped
s1 = new ActiveXObject("Wscript.Shell");
s1.Run("%SYSTEMROOT%\\system32\\rundll32.exe msdclr64.ocx,DDEnumCallback");

(JScript fragment from the MOF file svchostevt.mof)

When activated, mssecmgr registers itself as a custom LSA authentication package in the Windows registry by appending its name to the REG_MULTI_SZ value:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages = mssecmgr.ocx [added to the existing entries]

On the next system boot the module is loaded automatically by the operating system: LSASS loads every DLL listed in this value into lsass.exe, so the code runs with SYSTEM privileges without needing a service or a Run key.

After updating the registry, mssecmgr extracts any additional modules present in its encrypted and compressed resource section (resource “146”) and installs them. The resource is a dictionary containing configuration options for mssecmgr and the other modules, the modules themselves (DLL files), and the parameters that must be passed to these modules to load them properly, such as decryption keys.

We are analyzing the additional modules and will provide more information about their functionality in coming blog posts.

Once installation is complete, mssecmgr loads the available modules and starts several threads that implement, depending on the configuration, the C&C channel, the Lua interpreter host and other features. The module's functionality is split into “units” that have their own namespaces in the configuration resource and distinct names in the log messages, which are used extensively throughout the code.

Here is a brief overview of the available units. The names were extracted from the binary and from resource 146.

Beetlejuice: Bluetooth. Enumerates devices around the infected machine. Can turn itself into a “beacon”: it announces the computer as a discoverable device and encodes the status of the malware in the device information using base64.
Microbe: Records audio from existing hardware sources. Lists all multimedia devices, stores the complete device configuration and tries to select a suitable recording device.
Infectmedia: Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.
Autorun_infector: Creates an “autorun.inf” that contains the malware and starts it with a custom “open” command. The same method was used by Stuxnet before it adopted the LNK exploit.
Euphoria: Creates a “junction point” directory with “desktop.ini” and “target.lnk” built from the LINK1 and LINK2 entries of resource 146 (these were not present in the resource file we analyzed). The directory acts as a shortcut for launching Flame.
Limbo: Creates backdoor accounts with the login “HelpAssistant” on machines within the network domain, if the necessary rights are available.
Frog: Infects machines using pre-defined user accounts. The only account specified in the configuration resource is “HelpAssistant”, which is created by the “Limbo” attack.
Munch: HTTP server that responds to “/view.php” and “/wpad.dat” requests.
Snack: Listens on network interfaces, receives NBNS packets and saves them in a log file. Has an option to start only when “Munch” is started. The collected data is then used for replication over the network.
Boot_dll_loader: Configuration section listing all additional modules that should be loaded and started.
Weasel: Creates a directory listing of the infected computer.
Boost: Creates a list of “interesting” files using several filename masks.
Telemetry: Logging facilities.
Gator: When an Internet connection becomes available, connects to the C&C servers, downloads new modules and uploads collected data.
Security: Identifies programs that may be hazardous to Flame, i.e. anti-virus programs and firewalls.
Bunny, Dbquery, Driller, Headache, Gadget: the purpose of these units is not yet known.
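As an added example (not Flame's code and not a Kaspersky tool), here is a heuristic check for the Autorun_infector technique described above: an autorun.inf that carries the malware itself and starts it with a custom “open” command. It relies on the observation that a legitimate autorun.inf is a few lines of text, so an INF holding a PE image or consisting mostly of non-printable bytes is suspicious wherever the text section sits in the file. The 5% threshold, the sample files and the placeholder launch command in them are assumptions made for this example.

```python
"""Heuristic check of an autorun.inf for an embedded payload.

Added example; not Flame or Kaspersky code. The Autorun_infector unit drops an
autorun.inf that carries the malware itself and launches it through a custom
"open" command. A legitimate autorun.inf is a few lines of text, so an INF
holding a PE image or a large share of non-printable bytes is suspicious no
matter where the text section sits in the file. Samples below are constructed
and the launch command in them is a placeholder.
"""
import string

PRINTABLE = set(string.printable.encode("ascii"))
DOS_STUB = b"This program cannot be run in DOS mode"
BINARY_RATIO_LIMIT = 0.05     # assumed threshold for "too much binary content"


def autorun_commands(data):
    """Return (key, command) pairs for the launch directives found anywhere.

    The Windows INF parser skips lines it cannot interpret, so binary data
    may precede or follow the [autorun] section; every line is inspected.
    """
    cmds = []
    for line in data.split(b"\n"):
        key, sep, value = line.decode("latin-1").strip().partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute") or key.startswith("shell\\")):
            cmds.append((key, value.strip()))
    return cmds


def scan_autorun(data):
    """Score one autorun.inf image; returns a dict of findings."""
    binary = sum(1 for b in data if b not in PRINTABLE)
    findings = {
        "size": len(data),
        "commands": autorun_commands(data),
        "embedded_pe": data.startswith(b"MZ") or DOS_STUB in data,
        "binary_ratio": binary / len(data) if data else 0.0,
    }
    findings["suspicious"] = (findings["embedded_pe"]
                              or findings["binary_ratio"] > BINARY_RATIO_LIMIT)
    return findings


# Constructed samples: a normal installer INF and one with a PE-like blob in front.
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"
FAKE_PE = b"MZ\x90\x00\x03\x00" + bytes(range(256)) * 4 + DOS_STUB + b"\x00" * 64
INFECTED = FAKE_PE + b"\r\n[autorun]\r\nopen=rundll32.exe payload.ocx,Entry\r\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("infected", INFECTED)):
        print(label, scan_autorun(sample))
```

Run it against autorun.inf files collected from removable media; the returned dict reports the launch directives found and whether the file looks like it carries a payload. The check scans every line rather than trusting the section structure, because the Windows INF parser ignores lines it cannot interpret, which is exactly what lets a valid [autorun] section sit beside binary data.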

Additional modules are installed in the %windir%\system32\ directory:

mssecmgr.ocx
advnetcfg.ocx
msglu32.ocx
nteps32.ocx
soapr32.ocx
ccalc32.sys
boot32drv.sys

Additional modules downloaded from the C&C servers are installed in the same directory.

The Flame modules produce many data files containing extensive execution logs plus the collected information: screenshots, process lists, hardware listings, etc.

The files are saved in the %windir%\temp directory under the following names:

~DEB93D.tmp
~8C5FF6C.tmp
~DF05AC8.tmp
~DFD85D3.tmp
~DFL*.tmp
~dra*.tmp
~fghz.tmp
~HLV*.tmp
~KWI988.tmp
~KWI989.tmp
~rei524.tmp
~rei525.tmp
~rf288.tmp
~rft374.tmp
~TFL848.tmp
~TFL849.tmp
~mso2a0.tmp
~mso2a1.tmp
~mso2a2.tmp
sstab*.dat

There are also optional files that can be found in the %windir%\system32 directory:

Advpck.dat
ntaps.dat
Rpcnc.dat

Also, in %windir%\:

Ef_trace.log

Flame stores its persistent data in files using different formats. All data is encrypted using several algorithms and keys. Some of the files are databases created using a built-in SQLite3 library. These databases contain data produced by both data stealing and replication routines. We will provide more information about these files in later publications.

The directory names used by the additional components of Flame may differ slightly depending on the type of installation and the configuration options from resource 146:

C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
C:\Program Files\Common Files\Microsoft Shared\MSAPackages
C:\Program Files\Common Files\Microsoft Shared\MSSndMix

These directories may contain the following files:

dstrlog.dat
lmcache.dat
mscrypt.dat (or wpgfilter.dat)
ntcache.dat
rccache.dat (or audfilter.dat)
ssitable (or audache)
secindex.dat
wavesup3.drv (a copy of the main module, mssecmgr.ocx, in the MSAudio directory)

Flame can also produce or download files with the following names:

svchost1ex.mof
Svchostevt.mof
frog.bat
netcfgi.ocx
authpack.ocx
~a29.tmp
rdcvlt32.exe
to961.tmp
authcfg.dat
Wpab32.bat
ctrllist.dat
winrt32.ocx
winrt32.dll
scsec32.exe
grb9m2.bat
winconf32.ocx
watchxb.sys
sdclt32.exe
scaud32.exe
pcldrvx.ocx
mssvc32.ocx
mssui.drv
modevga.com
indsvc32.ocx
comspol32.ocx
comspol32.dll
browse32.ocx

Based on the above, here is a quick “manual” check of your systems for the presence of a Flame infection:

1. Search for the file ~DEB93D.tmp. Its presence on a system means that it either is or has been infected by Flame.

2. Check the registry value Authentication Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
If mssecmgr.ocx or authpack.ocx is listed there, the system is infected with Flame.

3. Check for the presence of the following directories. If any of them is present, the system is infected.

C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
C:\Program Files\Common Files\Microsoft Shared\MSAPackages
C:\Program Files\Common Files\Microsoft Shared\MSSndMix

4. Search for the remaining filenames listed above. All of them are quite unique, so finding any of them means a strong possibility of a Flame infection. Note that these are the names observed so far; modules downloaded later from the C&C servers may use other names, so a clean result from this check does not prove the absence of an infection.
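The four checks above, together with the Authentication Packages persistence described earlier, as an added example that is not part of the original post and not a Kaspersky tool. It triages artifacts exported from a suspect host offline (a `dir /s /b` listing and a `reg export` of the Lsa key) rather than touching the live system, and grades hits the way the post does: “confirmed” for steps 1 to 3, “likely” for the remaining names of step 4. The sample registry export and file listing at the bottom are constructed for the example, and the parser assumes the standard `reg export` encoding of REG_MULTI_SZ values (hex(7), UTF-16LE bytes, backslash continuation lines).

```python
"""Offline triage for the Flame host indicators listed in this post.

Added example, not a Kaspersky tool. It works on artifacts exported from a
suspect Windows host instead of the live system: a recursive listing
(`dir /s /b C:\\ > files.txt`) and a registry export of the LSA key
(`reg export HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa lsa.reg`).
"""
import fnmatch
import ntpath

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
FLAME_AUTH_PACKAGES = {"mssecmgr.ocx", "authpack.ocx"}
DEFINITIVE_FILE = "~DEB93D.tmp"
FLAME_DIRS = [r"C:\Program Files\Common Files\Microsoft Shared\%s" % d
              for d in ("MSSecurityMgr", "MSAudio", "MSAuthCtrl", "MSAPackages", "MSSndMix")]
# Remaining names from the post (wildcards allowed); matched case-insensitively.
FLAME_FILES = """
~8C5FF6C.tmp ~DF05AC8.tmp ~DFD85D3.tmp ~DFL*.tmp ~dra*.tmp ~fghz.tmp ~HLV*.tmp
~KWI988.tmp ~KWI989.tmp ~rei524.tmp ~rei525.tmp ~rf288.tmp ~rft374.tmp ~TFL848.tmp
~TFL849.tmp ~mso2a0.tmp ~mso2a1.tmp ~mso2a2.tmp sstab*.dat mssecmgr.ocx advnetcfg.ocx
msglu32.ocx nteps32.ocx soapr32.ocx ccalc32.sys boot32drv.sys Advpck.dat ntaps.dat
Rpcnc.dat Ef_trace.log dstrlog.dat lmcache.dat mscrypt.dat wpgfilter.dat ntcache.dat
rccache.dat audfilter.dat ssitable audache secindex.dat wavesup3.drv svchost1ex.mof
Svchostevt.mof frog.bat netcfgi.ocx authpack.ocx ~a29.tmp rdcvlt32.exe to961.tmp
authcfg.dat Wpab32.bat ctrllist.dat winrt32.ocx winrt32.dll scsec32.exe grb9m2.bat
winconf32.ocx watchxb.sys sdclt32.exe scaud32.exe pcldrvx.ocx mssvc32.ocx mssui.drv
modevga.com indsvc32.ocx comspol32.ocx comspol32.dll browse32.ocx
""".split()


def parse_reg_multi_sz(reg_text, key, value_name):
    """Return the strings of one REG_MULTI_SZ value from `reg export` text.

    reg export writes REG_MULTI_SZ as hex(7): comma-separated UTF-16LE bytes,
    wrapped across lines with a trailing backslash. Read the .reg file with
    encoding="utf-16"; it is written with a BOM.
    """
    lines = reg_text.splitlines()
    want_key = "[%s]" % key.lower()
    prefix = '"%s"=hex(7):' % value_name.lower()
    in_key, i = False, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("["):
            in_key = line.strip().lower() == want_key
        elif in_key and line.lower().startswith(prefix):
            hexdata = line[len(prefix):].strip()
            while hexdata.endswith("\\"):       # value continues on the next line
                i += 1
                hexdata = hexdata[:-1] + lines[i].strip()
            raw = bytes(int(h, 16) for h in hexdata.split(",") if h)
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        i += 1
    return []


def triage(file_listing, auth_packages):
    """Apply the post's four checks; returns {"confirmed": [...], "likely": [...]}
    holding (indicator, evidence) pairs."""
    confirmed, likely, seen_dirs = [], [], set()
    for pkg in auth_packages:                   # check 2: LSA persistence
        if pkg.lower() in FLAME_AUTH_PACKAGES:
            confirmed.append(("lsa authentication package", pkg))
    for path in (p.strip() for p in file_listing if p.strip()):
        lower = path.lower()
        for d in FLAME_DIRS:                    # check 3: component directories
            if d not in seen_dirs and (lower == d.lower()
                                       or lower.startswith(d.lower() + "\\")):
                seen_dirs.add(d)
                confirmed.append(("directory " + ntpath.basename(d), path))
        name = ntpath.basename(lower)
        if name == DEFINITIVE_FILE.lower():     # check 1: the definitive temp file
            confirmed.append(("file " + DEFINITIVE_FILE, path))
            continue
        for pattern in FLAME_FILES:             # check 4: the other file names
            if fnmatch.fnmatchcase(name, pattern.lower()):
                likely.append(("file " + pattern, path))
                break
    return {"confirmed": confirmed, "likely": likely}


# Constructed sample artifacts (not data from a real host): one hit of each kind.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,6d,00,73,00,73,00,\
  65,00,63,00,6d,00,67,00,72,00,2e,00,6f,00,63,00,78,00,00,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00,00,00
"""
SAMPLE_LISTING = r"""C:\WINDOWS\Temp\~DEB93D.tmp
C:\WINDOWS\Temp\~DFL1234.tmp
C:\WINDOWS\Temp\~DF5A1B.tmp
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAudio\wavesup3.drv
C:\WINDOWS\system32\kernel32.dll
""".splitlines()


def run_sample():
    packages = parse_reg_multi_sz(SAMPLE_REG, LSA_KEY, "Authentication Packages")
    return triage(SAMPLE_LISTING, packages)


if __name__ == "__main__":
    for level, hits in run_sample().items():
        for indicator, evidence in hits:
            print("%-9s %-28s %s" % (level.upper(), indicator, evidence))
```

To use it on real artifacts, read the .reg file with encoding='utf-16' (reg export writes it with a BOM) and pass the directory listing line by line. As the post notes, the wildcard names are less specific than the rest, so treat “likely” hits as a reason to look further rather than as proof.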

P.S. We have checked the information suggested in the comments on our blog post regarding a possible relation to the FLAME (Flexible Lightweight Active Measurement Environment) software from Brazil.

Interestingly, the name we picked fully matches that software, which also uses Lua for implementing its business logic. The FLAME software is used to measure network characteristics by deploying measurement agents and collecting data in a central database. Despite some similarities, we think this software is unrelated, as it serves different objectives. Besides the Lua engine, the core of communication in FLAME is the XMPP protocol, which is not used in the Flame malware.

The authors might have been inspired by the FLAME project and re-implemented a similar architecture for a different goal, or it may all be a coincidence. We have no other reason to think that it is somehow related to the Flame malware.

27 comments


Roy Fuller

2012 May 30, 04:50

Tilded?

It's curious that in the first Flame article (The Flame: Questions and Answers) you state "Flame does not use the Tilded platform." But, in this article the first step to detection of the Flame on a system is to search for "~DEB93D.tmp", which begins with ~D. In a previous Kaspersky Stuxnet/Duqu article it was stated that the platform was called "'Tilded' (because of the tendency of its creators to use files that start with the tilde symbol (~))."


Aleks

2012 May 30, 05:42

Re: Tilded?

Just a coincidence, but, yes, we found it because of name :)


Roy Fuller

2012 May 30, 05:47

Re: Re: Tilded?

Coincidence or not, these Duqu/Stuxnet and now Flame blog posts have been very interesting. Thanks for the great info Aleks!


mikk0j

2012 May 30, 17:42

DNSchanger funct.

Anyone found any DNSchanger kind of a functionality?


Mapher

2012 May 31, 15:43

Network behaviour

Are there any known facts about the network spreading- / scanning- / communication-behavior of Flame?


Hector Luis

2012 May 31, 17:14

I am infected

Unfortunately, I found the files. I noticed my PC was very slow and there were also attacks on my website. Attempts were made to access my PC from different IPs. One of the viruses was d1.exe (I don't know whether it is related), but by enabling different antivirus products many IPs were blocked, so I decided to find out about this virus and finally discovered it. Can you assure me that Kaspersky removes it? And thank you for all the info.

Edited by Hector Luis, 2012 May 31, 17:28


Dmitry Bestuzhev

2012 Jun 02, 18:51

Re: I am infected

Hello Hector.

Apparently your infection is not related to Flame.


Hector Luis

2012 May 31, 17:22

It does not allow using the antivirus

I forgot to mention that I was unable to use the Kaspersky antivirus: as soon as I tried to install it, I got a message saying it was impossible because files were missing. Right now I am downloading the trial version of Kaspersky Internet Security 2012 and will let you know what happens.


Dmitry Bestuzhev

2012 Jun 02, 18:53

Re: It does not allow using the antivirus

Remember that you can also disinfect your machine with our free tool, Kaspersky Virus Removal Tool, which can be downloaded from http://www.kaspersky.com/antivirus-removal-tool-register It does not require installation and can be used alongside any AV you have on your machine.


Hector Luis

2012 May 31, 17:56

problem with antivirus

It cannot copy klif.sys, there is no path; however, is that the problem?


dalahäst

2012 May 31, 19:52

You mentioned the source code of the MOF file above; what's the batch file look like? I'm assuming it just starts the malware using rundll32 or some such, but there could be more to it.


Hector Luis

2012 May 31, 20:40

Installed and tried Kaspersky antivirus

Even after all this, it shows in HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5630\ (all the files mentioned in this forum).


Hector Luis

2012 May 31, 20:43

Search words, Windows XP

They may be the search words you typed after reading this forum, and these are not files.


Hector Luis

2012 May 31, 20:46

Apparently the virus works very well

I detected malware others do not.


rzager

2012 May 31, 22:29

Preventing Spearphishing

Users would be less vulnerable to deception if they used SP Guard from Iconix.


rkhunter

2012 May 31, 23:22

hash

MD5: bdc9e04388bda8527b398a8c34667e18
SHA1: a592d49ff32fe130591ecfde006ffa4fb34140d5
File size: 6166528 bytes
File name: mssecmgr.ocx


Hector Luis

2012 May 31, 23:59

Thanks, but Kaspersky still does not eliminate di.exe

Continuously on startup it detects the virus di.exe.


Mehdi Ilbeigi

2012 Jun 01, 00:01

Flame Remover

Link Download:
http://www.certcc.ir/index.php?module=file_manager&func=getit&lid=26

Copy the Remover folder to C:\

Run C:\Remover\remover.exe

Source:
http://www.certcc.ir/index.php?newlang=eng

Edited by Mehdi Ilbeigi, 2012 Jun 01, 00:55


donotcrack

2012 Jun 01, 09:14

Use Bitdefender Removal Tool

http://labs.bitdefender.com/wp-content/uploads/downloads/2012/05/TrojanFlamer_BDRemovalToolDropper_x86.exe

Source: http://www.donotcrack.com/2012/06/how-to-remove-trojan-flamer.html


thebigonoff

2012 Jun 01, 13:03

List of C&C?

Hello,
Thanks for this analysis. Do you have a list of known C&C? Any other information related to the user agent used by the Munch module?
G


Sufyan

2012 Jun 04, 02:02

The article seems really interesting. I myself am a programmer and a kind of hacker (not black hat) and just love coding simple but very effective trojans.
I wonder why Microsoft doesn't make a proper OS and drop VBScript from it?
Anyone with even basic programming knowledge could design such a destructive trojan with some effort and time.

By the way, isn't it possible to trace them by tracing the outgoing connection FLAME establishes to their server to upload data?


Thoughtful

2012 Jun 04, 02:28

Windows only or Mac as well?

Does Flame only affect the Windows operating system, or also Mac OS X? I ask because, if it does, how could we search for the infection? Thoughts?


Sufyan

2012 Jun 04, 16:50

And does it use ftp.exe to upload data to their server?


Bananu

2012 Jun 05, 08:19

Does bunny have any relationship to rabbIT? http://www.khelekore.org/rabbit/


Christopher

2012 Jun 12, 19:44

In front of me...

I feel that something is weird with that virus...
Anyway, how about the 'registry block' thing that ESET mentioned during their research about Duqu and Stuxnet?


synakal

2012 Jul 07, 07:29

HelpAssistant and more

Couple of things I found curious..

Flame's Limbo module created a HelpAssistant user just like Mebroot used to.. could this mean a link between the author(s), or possibly that Mebroot was an earlier version of this module, or probable code sharing or more?

Also, with certain latter releases of tdl4/alureon the malware would access certain vulnerable routers changing the DNS servers.. with such robust functionality is flame similarly affecting users routers or DNS servers?

Why would the writers decide not to create an actual pe file infecting piece of malware like vundo or etc to conceal the infection? Loading dll's into windows processes has become quite common... From what I've seen any amateur malware analyst could have identified this infection on a host machine. It's concealment methods may have been semi-advanced a few years back but these type of infections have become quite common in recent years.

With tdl we saw quotes from the simpsons and etc in the install log files.. do we see anything like this with flame or anything that gives us insight about the authors interests, humor, or etc? If not could this be because the authors were hired to write this software and that their code would be under scrutiny?

Also, in some other malware we see checks for keyboard languages to prevent infections in certain geographical locations. In theory, if this was an attack carried out by, say, Israel and the US, are there checks to prevent the installation on such local machines? It would seem wise to add such a check to ensure the malware didn't infect a machine that wasn't in the targeted areas, to prevent any red flags from other developed countries or security professionals.

One last thought.. IF this was part of a cyber warfare program and is a collaboration of some of our best malware authors in(and out of?) the US.. I for one am greatly disappointed.. Sure, it is packed with features.. but it seems like the same regurgitated malware we've been seeing for years.. for a government project it seems rather weak and easily detectable... which somewhat frightens/worries me...


estakhr

2013 Jan 02, 00:50

Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?

The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.
Do you agree with that?

http://www.mcafee.com/us/about/skywiper.aspx
Employing complex internal functionality using Windows APC calls and thread start manipulation, and code injections to key processes. Loading as part of Winlogon.exe and then injecting itself into explorer.exe and services.
I don't understand it. What is windows APC and its relationship to code injection? What about Winlogon.exe and injecting to explorer.exe ?

Using custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
Does it mean it holds attack modules in database?

Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability and spreads only when instructed to do so by the attackers.
Does it mean the attackers spread the virus one by one? How do the attackers choose the next computer to attack? How can they know it is the right choice? How can they limit it?

Thanks in advance!
