sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
6. Attack details – dictionary and scripts

The file dstrlog.dat contains the ClanDB, an SQLite database used for attacks that holds the names and terms used by the malware. The file is loaded through libclandb.lua by SQL commands, and the database is then accessed from Lua scripts. We give a detailed description of the SQLite database to show the SQL tables used for attacks. The attackers even keep track of the schema version and update the structure if necessary. The sample below shows a version upgrade script.
if userVer == 1 or userVer == 2 then
  l_26_0:exec([[
    ALTER TABLE entities ADD COLUMN tool_id INTEGER NULL;
    ALTER TABLE entities ADD COLUMN first_update_dt DATETIME INTEGER NULL;
    ALTER TABLE entities ADD COLUMN last_update_dt DATETIME INTEGER NULL;
    ALTER TABLE entities ADD COLUMN last_ip_update_dt DATETIME INTEGER NULL;
    ALTER TABLE metadata ADD COLUMN first_update_dt DATETIME INTEGER NULL;
    ALTER TABLE metadata ADD COLUMN last_update_dt DATETIME INTEGER NULL;
    ALTER TABLE attack_log ADD COLUMN home_id INTEGER NULL;
    ALTER TABLE attack_log ADD COLUMN date_dt DATETIME INTEGER NULL;
    ALTER TABLE attack_queue ADD COLUMN min_attack_interval INTEGER NULL;
    ALTER TABLE attack_queue ADD COLUMN home_id INTEGER NULL;
    ALTER TABLE attack_queue ADD COLUMN last_try_date_dt DATETIME INTEGER NULL;
    ALTER TABLE attack_queue ADD COLUMN ignore_max BOOLEAN INTEGER NOT NULL DEFAULT 0;

    CREATE TABLE IF NOT EXISTS cruise_attack_log (
      log_id INTEGER NOT NULL REFERENCES attack_log(line_id),
      user_sid TEXT NOT NULL,
      user TEXT NULL
    );

    CREATE TABLE IF NOT EXISTS options_per_entity (
      entity_id INTEGER NOT NULL,
      attack_type TEXT NOT NULL,
      cred_id INTEGER NULL,
      retries_left INTEGER NULL
    );

    CREATE TABLE IF NOT EXISTS attack_params (
      attack_queue_id INTEGER NOT NULL,
      name TEXT NOT NULL,
      value NUMERIC NULL,
      PRIMARY KEY(attack_queue_id, name)
    );
  ]])
end

Figure 42 – ClanDB update if version is too old
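The following is an added example written for this page; it is not code from the malware or from the CrySyS report. It replays the upgrade statements of Figure 42 against a constructed SQLite file, so an analyst can see what the schema looks like after the upgrade and why the version gate matters: ALTER TABLE ADD COLUMN is not idempotent in SQLite, so running the script a second time without the gate fails with a duplicate-column error. It also includes a small fingerprint helper that reports which of the attack tables named in the figure are present in a database handed to it (for example a recovered dstrlog.dat). The pre-upgrade version-1 layout of entities, metadata, attack_log and attack_queue, the use of PRAGMA user_version as the version store (the source of userVer in the Lua), and the bump to version 3 are assumptions made so that the script runs stand-alone; the report does not show them.

```python
import sqlite3

# SQL taken from Figure 42; the Lua wrapper is replaced by the gate in upgrade().
UPGRADE_V1_V2_TO_V3 = """
ALTER TABLE entities ADD COLUMN tool_id INTEGER NULL;
ALTER TABLE entities ADD COLUMN first_update_dt DATETIME INTEGER NULL;
ALTER TABLE entities ADD COLUMN last_update_dt DATETIME INTEGER NULL;
ALTER TABLE entities ADD COLUMN last_ip_update_dt DATETIME INTEGER NULL;
ALTER TABLE metadata ADD COLUMN first_update_dt DATETIME INTEGER NULL;
ALTER TABLE metadata ADD COLUMN last_update_dt DATETIME INTEGER NULL;
ALTER TABLE attack_log ADD COLUMN home_id INTEGER NULL;
ALTER TABLE attack_log ADD COLUMN date_dt DATETIME INTEGER NULL;
ALTER TABLE attack_queue ADD COLUMN min_attack_interval INTEGER NULL;
ALTER TABLE attack_queue ADD COLUMN home_id INTEGER NULL;
ALTER TABLE attack_queue ADD COLUMN last_try_date_dt DATETIME INTEGER NULL;
ALTER TABLE attack_queue ADD COLUMN ignore_max BOOLEAN INTEGER NOT NULL DEFAULT 0;
CREATE TABLE IF NOT EXISTS cruise_attack_log (
    log_id INTEGER NOT NULL REFERENCES attack_log(line_id),
    user_sid TEXT NOT NULL,
    user TEXT NULL
);
CREATE TABLE IF NOT EXISTS options_per_entity (
    entity_id INTEGER NOT NULL,
    attack_type TEXT NOT NULL,
    cred_id INTEGER NULL,
    retries_left INTEGER NULL
);
CREATE TABLE IF NOT EXISTS attack_params (
    attack_queue_id INTEGER NOT NULL,
    name TEXT NOT NULL,
    value NUMERIC NULL,
    PRIMARY KEY(attack_queue_id, name)
);
"""

# Constructed version-1 base schema (assumption: the report only shows the
# columns the upgrade adds, not the original layout of these four tables).
BASE_V1 = """
CREATE TABLE entities (entity_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE metadata (entity_id INTEGER, key TEXT, value TEXT);
CREATE TABLE attack_log (line_id INTEGER PRIMARY KEY, entity_id INTEGER);
CREATE TABLE attack_queue (queue_id INTEGER PRIMARY KEY, entity_id INTEGER);
PRAGMA user_version = 1;
"""

# Attack tables named in Figure 42; used as a crude ClanDB fingerprint.
CLANDB_TABLES = {"entities", "metadata", "attack_log", "attack_queue",
                 "cruise_attack_log", "options_per_entity", "attack_params"}


def make_v1_db():
    """Constructed in-memory stand-in for a version-1 dstrlog.dat."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(BASE_V1)
    return conn


def user_version(conn):
    # Assumption: the Lua userVer is read from PRAGMA user_version.
    return conn.execute("PRAGMA user_version").fetchone()[0]


def upgrade(conn):
    """Mirror the Lua gate: apply the script only when the version is 1 or 2.

    Returns True if the upgrade ran. Without the gate a second load would hit
    'duplicate column name' on the first ALTER TABLE, so the version bump is
    what makes repeated loads of the database safe.
    """
    if user_version(conn) not in (1, 2):
        return False
    conn.executescript(UPGRADE_V1_V2_TO_V3)
    conn.execute("PRAGMA user_version = 3")  # assumed target version
    return True


def schema(conn):
    """Map table name -> ordered column names via sqlite_master / table_info."""
    out = {}
    names = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (name,) in names:
        cols = conn.execute('PRAGMA table_info("%s")' % name.replace('"', '""'))
        out[name] = [row[1] for row in cols.fetchall()]
    return out


def clandb_fingerprint(conn):
    """Report which Figure 42 attack tables exist and the stored version."""
    present = set(schema(conn)) & CLANDB_TABLES
    return {
        "user_version": user_version(conn),
        "present": sorted(present),
        "missing": sorted(CLANDB_TABLES - present),
    }


if __name__ == "__main__":
    db = make_v1_db()
    print("before:", clandb_fingerprint(db))
    print("upgraded:", upgrade(db))
    print("after:", clandb_fingerprint(db))
    print("upgraded again:", upgrade(db))  # False: gate skips version 3
```

To triage a real file, replace make_v1_db() with sqlite3.connect(path) on a copy of the sample and call clandb_fingerprint() only; do not call upgrade() on evidence, since it modifies the database.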
There are a number of names and phrases in the database that also appear in the code of the malware. Deeper analysis is needed to fully understand all these references. Here we include the results of our initial investigation, with the note that these interpretations might not be correct.

Boost: Possibly information gathering based on enquiries received from remote parties.
Flame: Common name for attacks, most likely by exploits. Related to Ef_trace.txt, %temp%\dat3C.tmp and %systemroot%\temp\msdclr64.ocx.
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 44