#Iran Confirms “Flame” Malware Attack Detected

Map showing the number and geographical location of Flame infections detected by Kaspersky Lab on customer machines - CNN

In a departure from normal behaviour, Iran has published details confirming a cyber attack by the newly-announced Flame malware, discovered using a detection tool developed by the Maher Centre.


Following investigations of Stuxnet and Duqu that began in 2010, Iran's National CERT (MAHER) has conducted a technical survey over the past several months. MAHER is publishing information about the most recently found sample for the first time.

ID: IRCNE2012051505

Date: 2012-05-28

Having conducted multiple investigations over the last few months, the Maher center (the Iranian CERTCC), continuing its research since 2010 on the targeted Stuxnet and Duqu attacks, announces its detection of this latest attack for the very first time.

The attack, codenamed “Flame”, is launched by a new malware. The name “Flame” comes from one of the attack modules, found at various places in the decrypted malware code. In fact, this malware is a platform capable of receiving and installing various modules for different goals. At the time of writing, none of the 43 tested antiviruses could detect any of the malicious components. Nevertheless, a detector was created by the Maher center and delivered to selected organizations and companies in the first days of May, and a removal tool is now ready to be delivered.

Some features of the malware are as follows:

- Distribution via removable media
- Distribution through local networks
- Network sniffing, detecting network resources and collecting lists of vulnerable passwords
- Scanning the disk of the infected system for specific extensions and contents
- Creating a series of screen captures of the user's screen when specific processes or windows are active
- Using the infected system's attached microphone to record environmental sound
- Transferring saved data to control servers
- Using more than 10 domains as C&C servers
- Establishing secure connections with C&C servers through the SSH and HTTPS protocols
- Bypassing tens of known antivirus, anti-malware and other security products
- Capable of infecting Windows XP, Vista and 7 operating systems
- Infecting large-scale local networks

Judging by file naming conventions, propagation methods, complexity, precise targeting and superb functionality, there appears to be a close relation to the Stuxnet and Duqu targeted attacks.

The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat.

A list of the major infection components of this malware is presented below; these samples will be made available to security software vendors.

Table 1: Infection Components

| Content | Name & Path |
|---|---|
| Registry key existence | HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages -> mssecmgr.ocx |
| Malware binaries | windows\system32\mssecmgr.ocx |
| | Windows\System32\ccalc32.sys |
| | Windows\System32\msglu32.ocx |
| | Windows\System32\boot32drv.sys |
| | Windows\System32\nteps32.ocx |
| | Windows\System32\advnetcfg.ocx |
| | Windows\System32\soapr32.ocx |
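The registry value and file paths in Table 1 are what an administrator would sweep a host for. The script below is an added example (not MAHER's detector or removal tool) that reports those indicators without deleting anything, so evidence is preserved for incident handling. It assumes the Authentication Packages value sits under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa` (the advisory's path omits the SYSTEM hive name) and that PowerShell 4 or later is available for `Get-FileHash`.

```powershell
# Added example: sweep a host for the Flame components listed in Table 1 (detection only, no removal).
# Assumption: full registry path includes the SYSTEM hive; file names are taken verbatim from the table.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$system32 = Join-Path $env:SystemRoot 'System32'
$binaries = @('mssecmgr.ocx', 'ccalc32.sys', 'msglu32.ocx', 'boot32drv.sys',
              'nteps32.ocx', 'advnetcfg.ocx', 'soapr32.ocx')

$findings = @()

# 'Authentication Packages' is a REG_MULTI_SZ loaded by LSASS at boot; a clean system normally lists only msv1_0.
# The advisory's indicator is mssecmgr.ocx appearing in that list, so inspect every entry rather than just the first.
$authPkgs = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages' -ErrorAction SilentlyContinue).'Authentication Packages'
foreach ($pkg in @($authPkgs)) {
    if ($pkg -match 'mssecmgr') {
        $findings += [pscustomobject]@{ Type = 'Registry'; Indicator = "$lsaKey\Authentication Packages contains '$pkg'" }
    }
}

# Check each binary from Table 1 under System32; record size and SHA-256 so samples can be shared with vendors.
foreach ($name in $binaries) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = "$path (size=$($item.Length) bytes, sha256=$hash)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Flame components from Table 1 found on this host.'
} else {
    Write-Output "Found $($findings.Count) indicator(s); isolate the host and preserve the listed files:"
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so the check can be scheduled across a fleet and triaged by exit code
}
```

Run it elevated, since reading the Lsa key and hashing files in System32 may require administrative rights.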

via مركز مدیریت امداد و هماهنگی عملیات رخدادهای رایانه ای (Maher Center): Identification of a New Targeted Cyber-Attack.

3 thoughts on “#Iran Confirms “Flame” Malware Attack Detected”

  1. US President Barack Obama accelerated cyberattacks on Iran’s nuclear program and expanded the assault even after the Stuxnet virus accidentally escaped in 2010, the New York Times reported Friday 1 June, 2012.
    The operation, begun under president George W. Bush and codenamed “Olympic Games,” is the first known sustained US cyberattack ever launched on another country, and used malicious code developed with Israel…
    tw: http://snup.us/BZ3
