McAfee Labs

Jumping Into the Flames of Skywiper

By , on May 29, 2012

There has been quite a bit of analysis and speculation about the Flamer/Skywiper threat. As we started to analyze this threat, we knew from the very beginning that this was going to be a giant undertaking and potentially very long term. Now we want to pause to help the people we protect visualize the kind of task at hand when dealing with the level of complexity and encryption that this threat presents.

Here are some quick facts about this threat: The main module has been decompiled to about 650,000 lines of C code.

Yes, you read that number right.

All indications are that this is not all the code in the malware and that it possibly extends to a good 750,000 lines of C code. It is fair to say that we are looking at a long-term analysis to determine its full set of functionality and features.

Here is a diagram that illustrates the relationships of the code up to this point of analysis:

(If you see a twister hovering, your eyes are not deceiving you! This threat has some complex relationships.)

There is a lot of code to this threat, and IDA (a pro disassembler and decompiler we use) does a decent job of keeping up, and helped us create the graph above. And this is not all the code but simply the main module! This module alone has about 4,400+ calls to string deobfuscator routines. Essentially, when the code has an interesting string such as “flame::beetlejuice::BeetleJuiceDataCollector,” or “flame::gator::GatorCmdFetcher,” it encapsulates the information in a sealed function. This adds extra “fat” to the already monstrous code, and makes it a lot more challenging to read. Not that it wasn’t big enough already!

The extraordinary amount of obfuscation in the code ensures that the functionality of the executable is not only hard to understand but also helps reduce the risk that one could capture the code and easily use it for one’s own needs.

The code carries all the library code it needs: SSH, ZLib routines, web server code, etc. At this point, there are more than two dozen encryption functions–such as Blowfish routines, MD5/MD4, and others.

Skywiper seems to focus on accessing information meaningful to professional surveillance needs and operations. Some of these functions include::

- It has low-level disk-access parsing, for file system parsing and access
- It supports ZIP file parsing
- It supports parsing multiple documents formats such as PDF, Microsoft Word, and other Office formats
- It is interested in notes, and searches even hidden places within the OS
- It is curious about what is on the target’s desktop
- It has functionality to remotely spread itself within a domain
- The malware is also very careful to get this information back to the control server: It does this by silently firing up extra instances of Internet Explorer, and injects code into them. This way it can be part of a “trusted” process on the machine, allowing it to circumvent personal firewalls.
- Maybe most important, it is interested in mobile devices. This is what the Beetlejuice module does. This “ghost in the machine” discovers Bluetooth devices, and shows interest in the target’s social network, by looking for contacts. It also does this locally, as device information can be found in files, or on the host when the information is synched to it. As of this analysis, it targets Sony and Nokia device contacts. And certainly there could be more here than quickly meets the eye!

Other routines and calls include:

FLAME – Handles AutoRun-infection routines
WEASEL – Handles disk-parsing routines
JIMMY – File parsing support
TELEMETRY – Control server reporting and handling
SUICIDE – Self-termination routine
EUPHORIA – Various exploit modules
BEETLEJUICE – Interface and control for Bluetooth devices
BUNNY – Research continues…
PLATYPUS – Research continues…
CLAN – Lua Module, possibly related to remote target exploits
FROG – Password-stealer module
CRUISE – Handles NT domain-parsing routines
DRILLER – Research continues…
AUDITION – Process termination, AV/security product processes
GATOR – Handles control server communication
LIMBO – Research continues…
MICROBE – Microphone/Audio capture and recording
SNACK – research continues….
MUNCH – Handles network-related tasks; appears to be sniffing
VIPER – Screenshot module
HEADACHE – Research continues…

That is a long list, and there is still more to come. Certainly, Skywiper shows significant development. We still need to dig into these modules some more; but one thing is certain, this analysis will be long term.

In the early 1990s, virus analysis became a “100 meter tournament,” as we jokingly used to call it. By that we mean looking at assembly printouts of the actual code took about 100 meters of printer paper. In the case of Flamer/Skywiper, this would be a mile-long walk!

This will keep us in shape for some time.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>