sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
obj.REMOTE_PATH_TEMPLATES = {temp = string.format("\\\\%s\\admin$\\temp", l_4_0.tgt),
  systemroot = string.format("\\\\%s\\admin$", l_4_0.tgt),
  commonprogramfiles = string.format("\\\\%s\\%s$\\Program Files\\Common Files", l_4_0.tgt, remoteSystemDrive)}
obj.REMOTE_PATH_TEMPLATES.windir = obj.REMOTE_PATH_TEMPLATES.systemroot
obj.REMOTE_LOCAL_PATH_TEMPLATES = {temp = "..\\temp"}

Figure 44 – Net use based propagation targets get configured
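
A defender-side check for the share paths configured in Figure 44, as an added example (not code from the CrySyS report or from the malware): it scans Windows Security event 5145 records for write access to those locations. It assumes detailed file share auditing is enabled; the sample events, addresses and file names are constructed.

```python
import re

FILE_WRITE_DATA, FILE_APPEND_DATA = 0x2, 0x4
# Event 5145 reports shares as \\*\NAME$; the system drive letter varies per host.
DRIVE_SHARE = re.compile(r"^\\\\\*\\[a-z]\$$")

def classify(share, rel):
    """Map a 5145 (ShareName, RelativeTargetName) pair to a Figure 44 template name."""
    share, rel = share.lower(), rel.lower().lstrip("\\")
    if share == r"\\*\admin$":
        in_temp = rel == "temp" or rel.startswith("temp\\")
        return "temp" if in_temp else "systemroot"
    if DRIVE_SHARE.match(share) and rel.startswith("program files\\common files\\"):
        return "commonprogramfiles"
    return None

def detect(events):
    """Return (source IP, template, target) for write access to the templated paths."""
    hits = []
    for e in events:
        if e.get("EventID") != 5145:
            continue
        # AccessMask is logged as a hex string; keep only write/append requests.
        if not int(e["AccessMask"], 16) & (FILE_WRITE_DATA | FILE_APPEND_DATA):
            continue
        template = classify(e["ShareName"], e["RelativeTargetName"])
        if template:
            hits.append((e["IpAddress"], template, e["RelativeTargetName"]))
    return hits

# Constructed sample records using the field names of event 5145.
SAMPLE_EVENTS = [
    {"EventID": 5145, "IpAddress": "10.0.0.23", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"temp\file1.tmp", "AccessMask": "0x2"},
    {"EventID": 5145, "IpAddress": "10.0.0.23", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Program Files\Common Files\x\file2.dat", "AccessMask": "0x6"},
    {"EventID": 5145, "IpAddress": "10.0.0.40", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"system32\drivers\etc\hosts", "AccessMask": "0x1"},  # read only
    {"EventID": 5145, "IpAddress": "10.0.0.41", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "srvsvc", "AccessMask": "0x3"},  # not a templated share
    {"EventID": 4624, "IpAddress": "10.0.0.42"},  # unrelated event type
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Legitimate remote administration tools also write to ADMIN$, so hits need to be compared against a baseline of expected source hosts.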
Euphoria: “EuphoriaApp” handling. Related to a “Flame” attack. Related to “mediaId”. Possibly file leaking after a successful attack.
BUENO_FLAME_DLL_KEY: pointer to a large 1 MB binary in wpgfilter.dat
CONFIG_TABLE: Referred to from Lua code for configuration directives. Contains a lot of parameters for attacks. It is not clear which configuration this is.
Headache: Related to multiple attacks, possibly additional parameters or properties of the attacks.

Multiple phrases in the malware are related to animals:
Gator: Windowsupdate-based internet check. If everything is successful, things go on. If not, there is a minimum and maximum waiting time defined, and a multiplier to increase retries slowly.
Goat: Possibly C&C communications to GOAT servers
Frog: ??
Beetlejuice: ??
Microbe: ??
Weasel: ??

Great work is going on on this topic! On 30/05 new information was published by Kaspersky.
It is available at https://www.securelist.com/en/blog?weblogid=208193538#w208193538
We updated this document on 30/05/2012 to reflect up-to-date information.
So from Kaspersky:

Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 46