Flame: Bunny, Frog, Munch and BeetleJuice…

Tilded?

It's curious that in the first Flame article (The Flame: Questions and Answers) you state "Flame does not use the Tilded platform." But, in this article the first step to detection of the Flame on a system is to search for "~DEB93D.tmp", which begins with ~D. In a previous Kaspersky Stuxnet/Duqu article it was stated that the platform was called "'Tilded' (because of the tendency of its creators to use files that start with the tilde symbol (~))."

Re: Tilded?

Just a coincidence, but, yes, we found it because of name :)

Re: Re: Tilded?

Coincidence or not these duqu/stuxnet and now flame blog posts have been very interesting. Thanks for the great info Aleks!

DNSchanger funct.

Anyone found any DNSchanger kind of a functionality?

Network behaviour

Are there any known facts about the network spreading- / scanning- / communication-behavior of Flame?

Estoy infectado

Lamentablemente encontre los archivos. Resulta que note muy lenta mi pc y ademas ataques a mi sitio web. Desde diferentes ip intentaban ingresar a mi pc. Uno delos virus era el d1.exe (no se si tiene relacion) pero activando diferentes antivirus bloqueaban muchas ip entonces decidi averiguar sobre este virus y finalmente lo descubri. Me aseguran que con Kaspersky se elimina? y graciaspor toda la info.Unfortunately I found the files. It is very slow to notice my pc and also attacks on my website. From different ip tried accessing my pc. One virus was d1.exe models (not if you have relationship) but activating different antivirus blocked many ip so I decided to find out about this virus and eventually discovered. I say that Kaspersky is removed? Thank youfor and all the info.

Edited by Hector Luis, 2012 May 31, 17:28

No permite utilizar antivirus

Olvide comentar que me fue imposible de utilizar el antivirus de Kaspersky en cuanto lo queria instalar me salia una leyenda que era imposible porque faltaban archivos. En estos momentos estoy bajando la version de prueba de Kaspersky Internet Security 2012 y les informare de los sucesos

problem with antivirus

can not copy klif.sys is no path, however is there's the problem?

You mentioned the source code of the MOF file above; what's the batch file look like? I'm assuming it just starts the malware using rundll32 or some such, but there could be more to it.

install and probe Kaspersky antivirus

even after all this shown in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/Acmru/5630/(all files mentioned in this forum)

search words windows xp

They may be the search words you make after reading this forum and these are not files.

Apparently the virus work very well

I detected malaware others do not.

Preventing Spearphishing

Users would be less vulnernerable to deception if they used SP Guard from Iconix.

hash

MD5: bdc9e04388bda8527b398a8c34667e 18
SHA1: a592d49ff32fe130591ecfde006ffa 4fb34140d5
File size: 6166528 bytes
File name: mssecmgr.ocx

Tganks but Kaspersky still does not eliminate di.exe

Continuously on startup and detects viruses di.exe

Flame Remover

Link Download:
http://www.certcc.ir/index.php?module=file_manager func=getit lid=26

Folder Remover Copy----> C:\

Run C:\Remover\remover.exe

Source:
http://www.certcc.ir/index.php?newlang=eng

Edited by Mehdi Ilbeigi, 2012 Jun 01, 00:55

Use Bitdefender Removal Tool

http://labs.bitdefender.com/wp-content/uploads/downloads/2012/05/TrojanFlamer_BDRemovalToolDrop per_x86.exe

Source: http://www.donotcrack.com/2012/06/how-to-remove-trojan-flamer.html

List of C C?

Hello,
Thanks for this analysis. Do you have a list of known C C ? Any other information related to the user agent used by Munch module ?
G

Re: Estoy infectado

Hola Hector.

Al parecer su infección no está relacionada con el Flame.

Re: No permite utilizar antivirus

Recuerde que también puede desinfectar su máquina con nuestra herramienta gratuita que se llama Kaspersky Virus Removal Tool y que se puede descargar desde http://www.kaspersky.com/antivirus-removal-tool-register No requiere instalación y puede ser utilizada paralelamente a cualquier AV que tenga en su máquina.

The article seems really interesting, I myself is a programmer and a kind of hacker (not black hat) and just love coding simple but most effective trojan.
I wonder why Microsoft doesn't makes any proper OS and obsolete vbscript from it ??
anyone with even basic knowledge of programming could design such a destructive trojan with some efforts and time.

btw, isn't it possible to trace them out by tracing the outgoing going connection established by FLAME to their server to upload Data ???

Windows only or Mac as well?

Does flame only affect the windows operation system, or also mac os x? I ask, as if it does, how could we search for the infection? Thoughts?

and does it use ftp.exe to upload data to their server ?

Does bunny have any relationship to rabbIT? http://www.khelekore.org/rabbit/

In front of me...

I feel that something is weird with that virus..
Anyway, how about the 'registry block' thing that ESET mentioned during their research about Duqu and Stuxnet??

HelpAssistant and more

Couple of things I found curious..

Flame's Limbo module created a HelpAssistant user just like Mebroot used to.. could this mean a link between the author(s), or possibly that Mebroot was an earlier version of this module, or probable code sharing or more?

Also, with certain latter releases of tdl4/alureon the malware would access certain vulnerable routers changing the DNS servers.. with such robust functionality is flame similarly affecting users routers or DNS servers?

Why would the writers decide not to create an actual pe file infecting piece of malware like vundo or etc to conceal the infection? Loading dll's into windows processes has become quite common... From what I've seen any amateur malware analyst could have identified this infection on a host machine. It's concealment methods may have been semi-advanced a few years back but these type of infections have become quite common in recent years.

With tdl we saw quotes from the simpsons and etc in the install log files.. do we see anything like this with flame or anything that gives us insight about the authors interests, humor, or etc? If not could this be because the authors were hired to write this software and that their code would be under scrutiny?

Also, in some other malware we see checks for keyboard languages to prevent infections in certain geographical locations. In theory if this was an attack carried out by say Isreal and the US, are there checks to prevent the installation on such local machines? It would seem wise to add such a check to ensure the malware didn't infect a machine that wasn't in the targeted areas to prevent any red flags from other developed countries or security professionals.

One last thought.. IF this was part of a cyber warfare program and is a collaboration of some of our best malware authors in(and out of?) the US.. I for one am greatly disappointed.. Sure, it is packed with features.. but it seems like the same regurgitated malware we've been seeing for years.. for a government project it seems rather weak and easily detectable... which somewhat frightens/worries me...

Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?

The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.
Do you agree with that?

http://www.mcafee.com/us/about/skywiper.aspx
Employing complex internal functionality using Windows APC calls and and threads start manipulation, and code injections to key processes Loading as part of Winlogon.exe and then injecting itself into explorer.exe and services
I don't understand it. What is windows APC and its relationship to code injection? What about Winlogon.exe and injecting to explorer.exe ?

Using custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
Does it mean it holds attack modules in database?

Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability and spreads only when instructed to do so by the attackers.
Does it mean attackers spread of virus one by one?How attackers choose the next computer in order to attack?How they can understand this right choice? How can they limit?

Thanks in advance!