sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl\secindex.dat
https://XXXX.info:443/cgi-bin/counter.cgi
https://XXXX.info:443/cgi-bin/counter.cgi
…
GATOR.SERVERS.1.data.SITE
SINGLE_CMD_RUNNER
GATOR.SERVERS.1.data.SITE XXXX.info->XXXXX.com
GATOR.SERVERS.1.data.URL cgi-bin/counter.cgi->wp-content/rss.php
…
GATOR.SERVERS.-1.SITE [NoValue]->XXXX.info
GATOR.SERVERS.-1.USESSL [NoValue]->False
GATOR.SERVERS.-1.TIMEOUT [NoValue]->180000
GATOR.SERVERS.-1.URL [NoValue]->wp-content/rss.php
GATOR.SERVERS.-1.PORT [NoValue]->80
GATOR.SERVERS.-1.PASSWORD [NoValue]->LifeStyle2
…
XXX.info
SINGLE_CMD_RUNNER
P_CMDS.RESTORE_REDIRECTION_STATE
SINGLE_CMD_RUNNER
SINGLE_CMD_RUNNER
P_CMDS.RESTORE_REDIRECTION_STATE.SECS_BETWEEN_RUNS [NoValue]->87654
P_CMDS.RESTORE_REDIRECTION_STATE.MAX_RUNS [NoValue]->2
P_CMDS.RESTORE_REDIRECTION_STATE.CMD_BUF [NoValue]->BUF_SITE:271 CRC:525FXXXX
P_CMDS.RESTORE_REDIRECTION_STATE.NUM_OF_RUNS [NoValue]->0
SINGLE_CMD_RUNNER
SINGLE_CMD_RUNNER
GATOR.LEAK.NEXT_REQUEST_TIME 314821->1222222222
GATOR.LEAK.NEXT_REQUEST_SYS_TIME 133XXX2106->1222222222
SINGLE_CMD_RUNNER
SINGLE_CMD_RUNNER
MANAGER.FLAME_ID 13XXXXX15X->13
SINGLE_CMD_RUNNER
SINGLE_CMD_RUNNER
GATOR.CMD.NEXT_REQUEST_TIME 340504->0
…
COMAGENT
COMAGENTWORKER
WEASEL
IDLER
CommandExecuter
CommandFileFinder
MICROBE
MICROBE_SECURITY
GadgetSupplierWaitThread
MICROBE_SECURITY
MICROBE
SINGLE_CMD_RUNNER
C:\WINDOWS\system32\advpck.dat
C:\WINDOWS\system32\advpck.dat, EnableTBS
C:\WINDOWS\system32\advpck.dat
C:\WINDOWS\system32\ntaps.dat, EnableSHR
C:\WINDOWS\system32\ntaps.dat, EnableOFR
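The listing above records entries from sKyWIper's configuration store in the form `KEY old->new`, with `[NoValue]` marking a key that did not exist before the change. The Python below is an added example, not code from the CrySyS report or from the malware itself: it parses lines of that shape, separates keys that were newly created from values that genuinely changed (such as the C2 host and path moving from XXXX.info/cgi-bin/counter.cgi to XXXXX.com/wp-content/rss.php), and rebuilds the per-server GATOR.SERVERS state. The sample input is copied from the listing, with the report's own XXXX redactions kept verbatim. Two things are the example author's assumptions rather than statements on the page: that the numeric component of GATOR.SERVERS.<n>.[data.]FIELD is a server index with the trailing token as the field name, and that USESSL/PORT/SITE/URL combine into a URL the way their names suggest.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines copied from the listing on this page. XXXX
# fragments are the report's redactions. Lines without "old->new" (a thread
# name, a file path) are included to show that the parser skips them.
SAMPLE = """\
GATOR.SERVERS.1.data.SITE XXXX.info->XXXXX.com
GATOR.SERVERS.1.data.URL cgi-bin/counter.cgi->wp-content/rss.php
GATOR.SERVERS.-1.SITE [NoValue]->XXXX.info
GATOR.SERVERS.-1.USESSL [NoValue]->False
GATOR.SERVERS.-1.TIMEOUT [NoValue]->180000
GATOR.SERVERS.-1.URL [NoValue]->wp-content/rss.php
GATOR.SERVERS.-1.PORT [NoValue]->80
GATOR.SERVERS.-1.PASSWORD [NoValue]->LifeStyle2
SINGLE_CMD_RUNNER
P_CMDS.RESTORE_REDIRECTION_STATE.SECS_BETWEEN_RUNS [NoValue]->87654
P_CMDS.RESTORE_REDIRECTION_STATE.MAX_RUNS [NoValue]->2
P_CMDS.RESTORE_REDIRECTION_STATE.CMD_BUF [NoValue]->BUF_SITE:271 CRC:525FXXXX
P_CMDS.RESTORE_REDIRECTION_STATE.NUM_OF_RUNS [NoValue]->0
GATOR.LEAK.NEXT_REQUEST_TIME 314821->1222222222
GATOR.LEAK.NEXT_REQUEST_SYS_TIME 133XXX2106->1222222222
MANAGER.FLAME_ID 13XXXXX15X->13
GATOR.CMD.NEXT_REQUEST_TIME 340504->0
C:\\WINDOWS\\system32\\advpck.dat, EnableTBS
"""

# "KEY old->new": the key has no whitespace; old is taken non-greedily so a
# value containing spaces (CMD_BUF above) still splits at the first "->".
CHANGE_RE = re.compile(r"^(?P<key>\S+)\s+(?P<old>.*?)->(?P<new>.*)$")
NO_VALUE = "[NoValue]"

# Assumption (see lead-in): GATOR.SERVERS.<index>.[data.]<FIELD>
SERVER_KEY_RE = re.compile(r"^GATOR\.SERVERS\.(-?\d+)\.(?:data\.)?([A-Z_]+)$")


@dataclass(frozen=True)
class Change:
    key: str
    old: Optional[str]  # None when the listing shows [NoValue]: key newly created
    new: str


def parse_changes(text: str) -> List[Change]:
    """Extract every KEY old->new line; anything else is ignored."""
    changes = []
    for raw in text.splitlines():
        m = CHANGE_RE.match(raw.strip())
        if m is None:
            continue  # thread names, bare paths, separators
        old = m.group("old")
        changes.append(Change(m.group("key"), None if old == NO_VALUE else old, m.group("new")))
    return changes


def modified_values(changes: List[Change]) -> Dict[str, Tuple[str, str]]:
    """Keys whose existing value was overwritten, as key -> (old, new)."""
    return {c.key: (c.old, c.new) for c in changes if c.old is not None and c.old != c.new}


def added_keys(changes: List[Change]) -> List[str]:
    """Keys that did not exist before ([NoValue] on the left-hand side)."""
    return [c.key for c in changes if c.old is None]


def server_entries(changes: List[Change]) -> Dict[int, Dict[str, str]]:
    """Post-change state of each GATOR.SERVERS.<index> entry, field -> new value."""
    servers: Dict[int, Dict[str, str]] = {}
    for c in changes:
        m = SERVER_KEY_RE.match(c.key)
        if m:
            servers.setdefault(int(m.group(1)), {})[m.group(2)] = c.new
    return servers


def server_url(entry: Dict[str, str]) -> Optional[str]:
    """Assemble scheme://SITE[:PORT]/URL from a server entry.

    The listing only shows keys that changed, so an entry that lacks SITE, URL
    or USESSL is incomplete and yields None rather than a guessed URL.
    Assumption: USESSL "True" means https, anything else http.
    """
    if not {"SITE", "URL", "USESSL"} <= entry.keys():
        return None
    scheme = "https" if entry["USESSL"].lower() == "true" else "http"
    host = entry["SITE"] + (f":{entry['PORT']}" if "PORT" in entry else "")
    return f"{scheme}://{host}/{entry['URL'].lstrip('/')}"


if __name__ == "__main__":
    changes = parse_changes(SAMPLE)
    for key, (old, new) in modified_values(changes).items():
        print(f"changed  {key}: {old} -> {new}")
    for key in added_keys(changes):
        print(f"created  {key}")
    for idx, entry in sorted(server_entries(changes).items()):
        print(f"server {idx}: {entry}  url={server_url(entry)}")
```

Running it on the sample prints the two server-1 keys and the three request-time/ID keys as changed values, the -1 server and P_CMDS keys as newly created, and a URL only for server -1; server 1's entry is reported without a URL because the listing records only its new SITE and URL, not whether it uses SSL.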
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 42