If you keep track of technology news, you must have heard about “The FLAME” which led to had caused substantial damage and massive data loss in what may be most destructive cyber attack on Iran. Today we will talk about whatÂ Â “the FLAME” is and How to check if your system is infected by it too.
What is “The FLAME”
It is a sophisticated attack toolkit and comlex in nature. It acts as backdoor, a Trojan, and even worm to to replicate itself in local network and on removable media.Â On infection, it performs complex operations like sniffing the network traffic, taking screenshots, recording audio conversations, intercepting keyboard & much more.
It collects all the data obtained by performing these operations and can be retrived by the FLAME writer using their servers. It can download additional modules to perform additional operations. 20 sucvh modules are detected till now that can be downloaded.
When deployed fully, the package of modules comprise Â of ~20 MB as it includesÂ many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine making it extremely difficult to analyse by Antivirus vendors or anyone else.
Modules of Flame
|Beetlejuice||Bluetooth: enumerates devices around the infected machine.
May turn itself into a â€œbeaconâ€: announces the computer as a discoverable device and encode the status of the malware in device information using base64.
|Microbe||Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.|
|Infectmedia||Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.|
|Autorun_infector||Creates â€œautorun.infâ€ that contains the malware and starts with a custom â€œopenâ€ command. The same method was used by Stuxnet before it employed the LNK exploit.|
|Euphoria||Create a â€œjunction pointâ€ directory with â€œdesktop.iniâ€ and â€œtarget.lnkâ€ from LINK1 and LINK2 entries of resource 146 (were not present in the resource file). The directory acts as a shortcut for launching Flame.|
|Limbo||Creates backdoor accounts with login â€œHelpAssistantâ€ on the machines within the network domain if appropriate rights are available.|
|Frog||Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is â€œHelpAssistantâ€ that is created by the â€œLimboâ€ attack.|
|Munch||HTTP server that responds to â€œ/view.phpâ€ and â€œ/wpad.datâ€ requests.|
|Snack||Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when â€œMunchâ€ is started. Collected data is then used for replicating by network.|
|Boot_dll_loader||Configuration section that contains the list of all additional modules that should be loaded and started.|
|Weasel||Creates a directory listing of the infected computer.|
|Boost||Creates a list of â€œinterestingâ€ files using several filename masks.|
|Gator||When an Internet connection becomes available, it connects to the C&C servers, downloads new modules, and uploads collected data.|
|Security||Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.|
|The purpose of these modules is not yet known.|
Apart from those above, additional modules are installed in the %windir%\system32\ directory.
How to check for Flame Infection
1. Perform a search for the fileÂ ~DEB93D.tmp. If you are able to fin the said file on your system, it means that your system either is or has been infected by Flame.
2. Check for registry key HKLM_SYSTEM >> CurrentControlSet >> Control >> Lsa >> Authentication Packages.Â If you find something names mssecmgr.ocx or authpack.ocx there – it means that you are infected with Flame.
3. Check for the presence of the following catalogs. If present – youâ€™re infected.
- C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
- C:\Program Files\Common Files\Microsoft Shared\MSAudio
- C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
- C:\Program Files\Common Files\Microsoft Shared\MSAPackages
- C:\Program Files\Common Files\Microsoft Shared\MSSndMix
Â 4. Conduct a search for the rest of the file names given above. All of them are quite unique and their being discovered would mean that there is a strong possibility of an infection with Flame.
If you want to more about FLAME, please refer the two blog posts by Kaspersky below cited as Source for this Post.