Posted by 破冰 on 2012-6-2 9:48 Saturday

sKyWIper (a.k.a. Flame a.k.a. Flamer):

A complex malware for targeted attacks

v1.05 (May 31, 2012) – It’s a live document modified all the time

Technical Report

by Laboratory of Cryptography and System Security (CrySyS Lab)


Findings in brief

In May 2012, our team participated in the analysis of an as yet unknown malware, which we internally call sKyWIper. Based on the information initially received, we understood that the malware is an important piece of a targeted attack. When we started the analysis, we did not know how many countries were affected, but we suspected that it was not limited to a single country. Our suspicion was based on indications that pieces of the malware were probably identified and uploaded from European parties onto binary analysis sites in the past. During the investigation, we received information about systems infected by sKyWIper in other countries, including Hungary, our home country. Hence, the suspicion became evidence, and this made it clear for us that our findings must be disclosed by publishing this report.

In May 2012, our team took part in the analysis of a previously unknown piece of malware. Within our team we call it sKyWIper (rendered in China as "Super Flame", because Iran's CERT calls it "Flame" and "Flamer". Translator's note.). Based on the information we initially gathered, we understood that this malware is part of a targeted attack campaign. When we began the analysis we did not know how many countries were already affected, but we suspected that the scope was not limited to a single country; our suspicion was based on suspicious file samples uploaded to virus-sample analysis sites from various European countries. During the investigation we received information about systems infected with sKyWIper, some from other countries and some from our home country, Hungary. Our suspicion was thus supported by evidence, and this made one thing clear to us: we had to publish our findings in this report.

It is obvious from the list of its files that sKyWIper must be identical to the malware described in the post http://www.certcc.ir/index.php?name=news&file=article&sid=1894 (from Iran National CERT (MAHER)) where it is called Flamer. For convenience, we keep our naming of the malware and call it sKyWIper based on one of the filenames (~KWI) it uses for temporary files.

From the files in this list of infected files we can quite plainly tell that sKyWIper is the same program as the malware described in this post. Please click through to this address (it comes from Iran's national CERT, Iran National CERT): http://www.certcc.ir/index.php?name=news&file=article&sid=1894; in that post, sKyWIper is called Flamer. For convenience, we name it sKyWIper after the file extension it uses for temporary files (.kwi), rather than changing our naming to follow the Iranian CERT's. (After all this, what the CrySyS lab really wants is a unified name for the "Super Flame" virus. I will not translate the name sKyWIper in what follows. Translator's note.)

sKyWIper’s constitution is quite complex with a large number of components and the substantial size of some of its files. Therefore, providing its full analysis in a limited amount of time was infeasible with our current resources. Our goal was to get a quick understanding of the malware’s purpose, and to identify its main modules, storage formats, encryption algorithms, injection mechanisms and activity in general. This report contains the results of our analysis, which should help other researchers with more resources to get started and continue the analysis producing more detailed results.

sKyWIper is built from a large number of quite complex components and some very large files. Therefore, with the resources we currently have, providing a full analysis in such a limited time was practically impossible. Our aim is to give you a general understanding of what this malware is for, and to identify its main component modules, storage formats, encryption algorithms and malicious behaviour. This report contains the results of our analysis, which should help other researchers obtain more resources to begin their analysis and arrive at more detailed results.

Our first insight suggests that sKyWIper is another info-stealer malware with a modular structure incorporating multiple propagation and attack techniques, but further analysis may discover components with other functionalities. In addition, sKyWIper may have been active for as long as five to eight years, or even more. sKyWIper uses compression and encryption techniques to encode its files. More specifically, it uses 5 different encryption methods (and some variants), 3 different compression techniques, and at least 5 different file formats (and some proprietary formats too). It also uses special code injection techniques. Quite interestingly, sKyWIper stores information that it gathers on infected systems in a highly structured format in SQLite databases. Another uncommon feature of sKyWIper is the usage of the Lua scripting language.

In our initial understanding, sKyWIper is another information-stealing type of malware with a modular structure. It combines multiple infection and attack techniques, but not only that: our further analysis shows it also has components with other functions. In addition, sKyWIper may have been active (in some form) for as long as five to eight years, possibly even longer. sKyWIper uses compression and encryption techniques to encode its own files. More specifically, it uses 5 different encryption algorithms (including derived variants), 3 different compression techniques, and at least 5 different file formats (including its own proprietary formats). It even uses special code-injection techniques. Quite interestingly, sKyWIper stores the information from the systems it infects in a highly structured format in SQLite databases. Another rare feature of sKyWIper is its use of the Lua scripting language. (Lua is a scripting language usually used in games; as Wikipedia notes, "programs that use it as an embedded scripting language include Westward Journey II, Ragnarok Online, World of Warcraft, Warhammer 40k, Baldur's Gate, Xuan-Yuan Sword: Clouds of Han, Angry Birds and others". Translator's note.)

sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable of using all of the computers’ functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.

sKyWIper has very advanced capabilities for stealing information and infecting other computers. The attackers who control it can configure multiple exploits and infection methods themselves. No virus has ever gathered information from a huge network of infected computers as exhaustively as the finely crafted sKyWIper. This malware does everything it can to use every computer function it can call on in order to achieve its goal. That malicious goal is "to use every possible means to gather intelligence", and those means include the keyboard, screen, microphone, removable storage devices, network, Wi-Fi, Bluetooth, USB and system processes.

The results of our technical analysis support the hypothesis that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.


sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.



