Cyberattacks June 2012 (I) – Flame/Flamer/Skywiper malware
Flame/Flamer/Skywiper malware – one of the most advanced pieces of malware found yet! The known vulnerabilities used by this malware so far are MS10-046 (the Windows Shell .LNK shortcut flaw) and MS10-061 (the Print Spooler flaw). Both were used earlier by Stuxnet, and both are spreading mechanisms rather than persistence: MS10-046 lets the malware move on removable drives, MS10-061 lets it reach other machines across the network. Both were patched back in 2010, so any machine infected through these paths is a machine that missed those updates.
Flame/Flamer/Skywiper has very advanced functionality to steal data and to spread itself once a machine is successfully infected. It covers practically every way of gathering information from a host: keyboard logging, screen captures, recording from the microphone, enumerating storage devices, capturing network traffic, scanning nearby Bluetooth devices, spreading over USB, and even inspecting some system processes.
CrySyS Lab reported that this malware may have been active for as long as five to eight years. According to F-Secure, complex malware or APTs like Stuxnet, Duqu and Flame/Flamer/Skywiper were most likely developed by a western intelligence agency as part of covert operations which weren't intended to be discovered.
There are recent reports that Flame/Flamer/Skywiper also used a MitM (man-in-the-middle) attack against Windows Update. An additional module of the malware intercepts other machines' Microsoft Update or Windows Server Update Services (WSUS) traffic on the local network and serves them a malicious "update" instead. What makes this work is code signing: Microsoft discovered that some Flame components were signed with certificates chaining up to Microsoft's own root, so the software appeared to be a genuine Microsoft product. The certificates came out of the Terminal Services licensing infrastructure, which was still signing with MD5, and it is believed that the authors used an MD5 collision attack against that older algorithm to forge a certificate able to sign their malicious code as if it originated from Microsoft. Microsoft responded with Security Advisory 2718704, which moves the affected intermediate CAs into the Untrusted Certificates store. Apply that update, and check that no CA you trust for code signing still issues MD5-signed certificates.
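As an added example (it is not from the original post, nor from any published Flame analysis), here is a small standard-library Python audit that walks a DER certificate chain and flags the exact weakness the forged certificate relied on: a signature made with MD5. The DER parser follows the standard X.509 outer layout, so it also works on real exported certificates; the sample chain it runs on is constructed in place with made-up names and dummy signature bytes, and is not a real Microsoft or Flame certificate.

```python
"""Audit a DER certificate chain for MD5-signed certificates (stdlib only)."""

# DER content octets of the signature-algorithm OIDs we care about.
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName

OID_NAMES = {
    OID_MD5_RSA: "md5WithRSAEncryption",
    OID_SHA1_RSA: "sha1WithRSAEncryption",
    OID_SHA256_RSA: "sha256WithRSAEncryption",
}
# MD5 is what Flame's forged certificate relied on; a present-day policy
# would add sha1WithRSAEncryption to this set as well.
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}


def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the payload of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def der_encode(tag, payload):
    """Encode one TLV (only used to build the constructed sample certs)."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def name_cn(name_value):
    """Pull commonName out of an X.501 Name (SEQUENCE OF SET OF SEQUENCE)."""
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                return val[1].decode("utf-8")
    return None


def parse_certificate(der):
    """Extract issuer, subject and both signature-algorithm fields."""
    _, cert, _ = der_read(der)
    tbs, sig_alg, _sig = der_children(cert)[:3]
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    _serial, tbs_alg, issuer, _validity, subject = fields[:5]
    outer = der_children(sig_alg[1])[0][1]
    inner = der_children(tbs_alg[1])[0][1]
    return {
        "issuer": name_cn(issuer[1]),
        "subject": name_cn(subject[1]),
        "sig_alg": OID_NAMES.get(outer, outer.hex()),
        "tbs_sig_alg": OID_NAMES.get(inner, inner.hex()),
    }


def audit_chain(chain_der):
    """Return (subject, problem) findings for every certificate in the chain."""
    findings = []
    for der in chain_der:
        c = parse_certificate(der)
        if c["sig_alg"] in WEAK_SIG_ALGS:
            findings.append((c["subject"],
                             f"signed by '{c['issuer']}' using {c['sig_alg']}"))
        if c["sig_alg"] != c["tbs_sig_alg"]:
            findings.append((c["subject"],
                             "signatureAlgorithm differs from tbsCertificate.signature"))
    return findings


def build_sample_cert(subject_cn, issuer_cn, sig_oid, tbs_sig_oid=None):
    """Constructed placeholder in real X.509 layout with dummy signature bytes;
    it exercises the parser and is not a real or trustworthy certificate."""
    def name(cn):
        atv = der_encode(0x30, der_encode(0x06, OID_CN) + der_encode(0x0C, cn.encode()))
        return der_encode(0x30, der_encode(0x31, atv))

    def alg_id(oid):
        return der_encode(0x30, der_encode(0x06, oid) + der_encode(0x05, b""))

    validity = der_encode(0x30, der_encode(0x17, b"120601000000Z")
                          + der_encode(0x17, b"130601000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))   # v3
                     + der_encode(0x02, b"\x01")                          # serial 1
                     + alg_id(tbs_sig_oid or sig_oid) + name(issuer_cn)
                     + validity + name(subject_cn))
    return der_encode(0x30, tbs + alg_id(sig_oid) + der_encode(0x03, b"\x00" * 17))


if __name__ == "__main__":
    chain = [build_sample_cert("Example Update Signer", "Example Licensing CA", OID_MD5_RSA),
             build_sample_cert("Example Licensing CA", "Example Root CA", OID_SHA256_RSA)]
    for subject, problem in audit_chain(chain):
        print(f"{subject}: {problem}")
```

Export the chain behind a suspicious update package or signed binary as DER files and pass them to audit_chain. Besides the MD5 check it reports a mismatch between the two signature-algorithm fields of a certificate, which is a classic sign of tampering. A clean result only rules out the collision-prone hash; whether the chain is actually trusted is a separate decision for the platform's certificate store.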