Flame, Flamer, Skywiper: What You Should Know? How To Scan Your PC For Flame Infection?
The Internet is abuzz about the latest most advanced and complex threat called “Flame” (also known as Flamer or Skywiper) after Duqu and Stuxnet. Flamer malware has been seen infecting computers particularly in the Middle East countries. Flamer was recently discovered by The Iranian Computer Emergency Response Team (MAHER) but it was actually in the wild spying on Middle East computers since 2010.
The malware is named “Flame” or “Flamer” because of the same words appearing in its code. Its one of the most advanced malware ever encountered by security researchers. It can monitor user activity by taking screenshots, record audio conversations and it can use Bluetooth technology to steal data on devices located near the infected computer, Alexander Gostev, a researcher at the Russian security firm Kaspersky Lab, said in a blog post on Monday.
Further Gostev said that the malware is designed to systematically collect information on the operations of certain nation states in the Middle East. He added that creators of Flame might be looking for any kind of intelligence — emails, documents, messages and discussions inside sensitive locations. The creators of the malware are still unknown, but according to experts, the malware appears to be part of a government-led espionage campaign. Kasperky’s Questions and Answers offers more detailed information about Flame, including how the malware spreads and infects computer systems.
Symantec reports that the complexity of the code within Flame is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry. Symantec has later published an analysis of the malware.
The Laboratory of Cryptography and System Security (CrySyS) has published an in-depth analysis on the malware. CrySyS has named the malware “Skywiper”. According to the 63-page long PDF report, Skywiper was “developed by a government or nation state with significant budget and effort, and may be related to cyber warfare activities.”
Flame malware is around 20 megabytes in size when all of its modules are installed. It has about 20 times to 40 times as much code than Stuxnet. It has multiple libraries, SQLite3 databases, various levels of encryption and 20 plug-ins that can be swapped in and out to offer various functionality for the attackers. The creators used a Command and Control network of around 80 different servers which spread across Asia, Europe and North America to remotely access and issue commands to infected machines. It is one of the largest CnC network used by any malware.
How to detect Flame, Flamer, or Skywiper and remove it?
BitDefender has released a special removal tool for detecting and removing Flame malware from infected computers. BitDefender detects the malware as Trojan.Flamer.A/B.
To inspect if your computer is infected by Flamer malware, download the 32-bit or 64-bit version of the removal tool from the BitDefender website, and run it afterwards on your system.
How to manually check for Flame malware infection?
Kaspersky has published a method to manually check your system for the presence of Flame infection:
- Search for the file
~DEB93D.tmp. If its present, it means your computer is either or has been infected by Flame.
- Check the following registry key
HKLM_SYSTEM\CurrentControlSet\Control\Lsa\ Authentication Packages. If you find
authpack.ocxin there, you are infected with Flame.
- Check for the presence of the following catalogs.
C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
C:\Program Files\Common Files\Microsoft Shared\MSAPackages
C:\Program Files\Common Files\Microsoft Shared\MSSndMix
If you found them, you’re infected.