Flamer worm

Forum for analysis and discussion about malware.
rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Flamer worm

Post by rkhunter » Wed Jun 06, 2012 4:53 am

Signed infector that was mentioned here http://www.securelist.com/en/blog/20819 ... identified
And here http://www.symantec.com/connect/blogs/w ... man-middle

MD5: 1f61d280067e2564999cac20e386041c
SHA1: d36fad73c6aeff98906008f3eb5a16812cc3188a
File size: 29928 bytes
Name: WuSetupV.exe
signers..................: MS
Microsoft LSRA PA
Microsoft Enforced Licensing Registration Authority CA
Microsoft Enforced Licensing Intermediate PCA
Microsoft Root Authority
signing date.............: 3:54 PM 12/28/2010
The certificate was already revoked and an update was released:
Microsoft Security Advisory (2718704) Unauthorized Digital Certificates Could Allow Spoofing
http://technet.microsoft.com/en-us/secu ... ry/2718704
http://support.microsoft.com/kb/2718704
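A small triage helper built from the indicators in the post above, added here as an example (it is not code from the thread or from any of the linked vendors): it hashes a file body and compares it against the listed MD5, SHA1 and size, and it flags a signer chain that passes through the two Microsoft Enforced Licensing CAs named in the signer block, which is the chain that advisory 2718704 untrusted. The signer chain is assumed to arrive as a list of plain subject-name strings from whatever signature-inspection tool you already use; the sample bytes in the test are constructed and do not correspond to the real file.

```python
import hashlib

# Indicators copied from the post above (WuSetupV.exe sample).
FLAMER_WUSETUP_IOC = {
    "name": "WuSetupV.exe",
    "md5": "1f61d280067e2564999cac20e386041c",
    "sha1": "d36fad73c6aeff98906008f3eb5a16812cc3188a",
    "size": 29928,
}

# Intermediate CA names taken from the signer chain printed in the post.
# Certificates issued under them were untrusted by Microsoft Security
# Advisory 2718704, so any binary still chaining through them is suspect.
REVOKED_LICENSING_CAS = (
    "Microsoft Enforced Licensing Registration Authority CA",
    "Microsoft Enforced Licensing Intermediate PCA",
)


def digests(data: bytes) -> dict:
    """Compute the same three attributes the IoC block lists for a file body."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
    }


def match_ioc(data: bytes, ioc: dict = FLAMER_WUSETUP_IOC) -> list:
    """Return the names of the indicators in `ioc` that `data` matches.

    A size match alone is weak; md5/sha1 matches identify the sample.
    """
    d = digests(data)
    return [k for k in ("md5", "sha1", "size") if d[k] == ioc[k]]


def chain_has_revoked_ca(signer_chain) -> bool:
    """True if any subject name in the chain is one of the revoked CAs.

    `signer_chain` is assumed to be a sequence of subject-name strings
    (leaf first) as printed by a signature-inspection tool; matching is
    case-insensitive and ignores surrounding whitespace.
    """
    normalized = {s.strip().lower() for s in signer_chain}
    return any(ca.lower() in normalized for ca in REVOKED_LICENSING_CAS)


def triage(filename: str, data: bytes, signer_chain=()) -> list:
    """Collect findings for one file; an empty list means nothing matched."""
    findings = []
    hits = match_ioc(data)
    if "md5" in hits or "sha1" in hits:
        findings.append(f"{filename}: hash matches {FLAMER_WUSETUP_IOC['name']} ({', '.join(hits)})")
    elif hits:
        findings.append(f"{filename}: weak match on {', '.join(hits)} only")
    if chain_has_revoked_ca(signer_chain):
        findings.append(f"{filename}: signed under a revoked Enforced Licensing CA (see KB2718704)")
    return findings


if __name__ == "__main__":
    # Constructed input: not the real sample, so only the chain check fires.
    sample = b"constructed placeholder bytes, not the real WuSetupV.exe"
    chain = ["MS", "Microsoft LSRA PA",
             "Microsoft Enforced Licensing Registration Authority CA",
             "Microsoft Enforced Licensing Intermediate PCA",
             "Microsoft Root Authority"]
    for line in triage("WuSetupV.exe", sample, chain):
        print(line)
```

Feed it real file bodies with `open(path, "rb").read()`; the chain check is only as good as the tool that extracts the subject names, so treat it as a first-pass filter rather than a replacement for proper Authenticode verification.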

EP_X0FF
Global Moderator
Posts: 4777
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Flamer worm

Post by EP_X0FF » Wed Jun 06, 2012 7:10 am

I hope the marketing division of Kaspersky Lab finally sets up an addon that will make them able to attach hashes of investigated components to their articles.
Ring0 - the source of inspiration

dumb110
Posts: 105
Joined: Tue Jun 05, 2012 1:29 pm

Re: Flamer worm

Post by dumb110 » Wed Jun 06, 2012 8:15 am

Can somebody help with decryption of attached sample please..

EP_X0FF
Global Moderator
Posts: 4777
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Flamer worm

Post by EP_X0FF » Wed Jun 06, 2012 8:27 am

dumb110 wrote:Can somebody help with decryption of attached sample please..
http://www.kernelmode.info/forum/viewto ... 699#p13699
Ring0 - the source of inspiration

dumb110
Posts: 105
Joined: Tue Jun 05, 2012 1:29 pm

Re: Flamer worm

Post by dumb110 » Wed Jun 06, 2012 8:34 am

EP_X0FF wrote:
dumb110 wrote:Can somebody help with decryption of attached sample please..
http://www.kernelmode.info/forum/viewto ... 699#p13699
You mean they are the same?
https://www.virustotal.com/file/5f6b60f ... /analysis/
https://www.virustotal.com/file/b2c6a70 ... /analysis/
Same ones?

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Flamer worm

Post by rkhunter » Wed Jun 06, 2012 9:14 am

EP_X0FF wrote:I hope the marketing division of Kaspersky Lab finally sets up an addon that will make them able to attach hashes of investigated components to their articles.
Seems impossible in the Flamer case...
I published hashes in Gostev's article.

EP_X0FF
Global Moderator
Posts: 4777
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Flamer worm

Post by EP_X0FF » Wed Jun 06, 2012 9:48 am

dumb110 wrote:
EP_X0FF wrote:
dumb110 wrote:Can somebody help with decryption of attached sample please..
http://www.kernelmode.info/forum/viewto ... 699#p13699
You mean they are the same?
https://www.virustotal.com/file/5f6b60f ... /analysis/
https://www.virustotal.com/file/b2c6a70 ... /analysis/
Same ones?
The hash you posted is the same as the hash of the mscrypt file in this archive http://www.kernelmode.info/forum/viewto ... 698#p13698. Decrypted version attached next. Compare the two originals.
Ring0 - the source of inspiration

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Flamer worm

Post by rkhunter » Wed Jun 06, 2012 12:30 pm

Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.

Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".
http://www.symantec.com/connect/blogs/f ... nt-suicide

kareldjag/michk
Posts: 91
Joined: Sun Jul 04, 2010 6:57 pm
Location: FRANCE

Re: Flamer worm

Post by kareldjag/michk » Wed Jun 06, 2012 4:26 pm

Hi
Some file hashes here (no direct link as I do not remember if it is outside the TOS)
http://www.google.com/search?client=ope ... 33&bih=646
And a few http://solerablog.files.wordpress.com/2 ... hashes.png
File dump http://blog.didierstevens.com/2012/06/0 ... kb2718704/

The AV industry has failed...but what great marketing for taking advantage of this spy toolkit...
A funny summary of the AV industry over the last few years http://research.pandasecurity.com/blogs ... ikarus.jpg
A contest of MIKKO's statement http://attrition.org/security/rebuttal/ ... nd_av.html
And a contest of the contest by an AV evangelist http://anti-virus-rants.blogspot.ca/201 ... uttal.html

While the way it spreads and exfiltrates data is interesting, its armoring techniques are very soft in comparison to some recent evil rootkits.
And there can be no doubt about its goal and origin.

Rgds
Security? Yeah But Well: http://www.ouaismaisbon.ch/

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Flamer worm

Post by rkhunter » Wed Jun 06, 2012 4:30 pm

kareldjag/michk wrote:Hi
Some file hashes here (no direct link as I do not remember if it is outside the TOS)
http://www.google.com/search?client=ope ... 33&bih=646
And a few http://solerablog.files.wordpress.com/2 ... hashes.png
File dump http://blog.didierstevens.com/2012/06/0 ... kb2718704/
Seems nothing new...
Would be great if anyone published the browse32.ocx hash :!:
