sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
• The United Arab Emirates on Apr 28 2008
• Islamic Republic of Iran on Mar 1 2010
File sizes
The following file sizes have been seen:
• 1,153,536 bytes
• 991,232 bytes
• 975,872 bytes
1.3. Build dates
The PE headers of the malware's files carry fake build date information; hence we cannot precisely identify the target system's infection time. Nonetheless, the SQLite related part of mssecmgr.ocx contains some build time info (more about the components later):
“Unidentified build, Aug 31 2011 23:15:32 31...........Aug 31 2011 23:15:32”
The following string shows SQLite version information, found in the memory dumps:
2010-01-05 15:30:36 28d0d7710761114a44a1a3a425a6883c661f06e7 NULL
This is the SQLITE_SOURCE_ID string that the SQLite source code pairs with SQLITE_VERSION "3.6.22".
Also, there is a reference “1.2.3”, and we think that this refers to the zlib version number, possibly used in SQLite tables.
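The cross-check described above, as an added example that is not part of the CrySyS report: read the TimeDateStamp straight from the COFF header, search the image for the SQLite source-id and zlib version strings, and treat the source-id date as the earliest plausible link time, since a binary cannot predate the library source it carries. The source-id table, the zlib copyright-string pattern and the sample buffer are assumptions constructed for the demo.

```python
import re
import struct
from datetime import datetime, timezone

# Known SQLite source-id -> SQLITE_VERSION pairs; only the id quoted in the
# report is listed here (assumption: extend from the sqlite3.c history).
SQLITE_SOURCE_IDS = {"28d0d7710761114a44a1a3a425a6883c661f06e7": "3.6.22"}
# "<date> <time> <40-hex sha1>" as emitted by SQLITE_SOURCE_ID in the amalgamation
SQLITE_ID_RE = re.compile(rb"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([0-9a-f]{40})")
# zlib embeds "inflate <ver> Copyright ..." / "deflate <ver> Copyright ..." strings
ZLIB_RE = re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+) Copyright")

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def assess(data: bytes) -> dict:
    """Cross-check the forgeable PE stamp against the dates of embedded library strings."""
    r = {"pe_timestamp": pe_timestamp(data), "sqlite_version": None, "zlib_version": None,
         "earliest_possible_build": None, "pe_timestamp_plausible": None}
    m = SQLITE_ID_RE.search(data)
    if m:
        r["sqlite_version"] = SQLITE_SOURCE_IDS.get(m.group(2).decode(), "unknown")
        r["earliest_possible_build"] = datetime.strptime(
            m.group(1).decode(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    z = ZLIB_RE.search(data)
    if z:
        r["zlib_version"] = z.group(1).decode()
    if r["pe_timestamp"] and r["earliest_possible_build"]:
        # A binary cannot have been linked before the library source it carries was cut.
        r["pe_timestamp_plausible"] = r["pe_timestamp"] >= r["earliest_possible_build"]
    return r

def build_sample() -> bytes:
    """Constructed stand-in for a dump: minimal PE header with a 2008 stamp plus library strings."""
    hdr = bytearray(0x60)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 3, 1209340800)  # i386, 3 sections, 2008-04-28 UTC
    strings = (b"\x00" + b"2010-01-05 15:30:36 28d0d7710761114a44a1a3a425a6883c661f06e7 NULL"
               + b"\x00" + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler" + b"\x00")
    return bytes(hdr) + strings
```

Run `assess(build_sample())`: the constructed 2008 stamp is reported as not plausible because the embedded SQLite source id is dated 2010-01-05.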
Some tables of the malware contain timestamps. Some of these possibly do not relate to actual running times, but instead to dates when the attackers developed or constructed attack flows. An example is audcache.dat, which contains timestamps like the ones below. We are not sure about the timestamps’ function or about the table structure. There are other binary strings that might be timestamps, but their values vary too much to be accurate.
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 6