Our Malware Analysis team has discovered a highly complex piece of malware (Trojan.Flamer.A) that is written using the ‘Lua’ programming language. This malware is on par with, if not stronger than, previously seen similar threats such as Stuxnet and Duqu. The Iranian CERT (Computer Emergency Response Team) has many names for this worm: ‘Flame’, ‘Flamer’, ‘Skywiper’ or ‘Viper’. They detected the malware as it began launching cyber-attacks on their energy sector. The malware exploits known vulnerabilities, such as the Print Spooler and LNK vulnerabilities, in order to execute its malicious components. These vulnerabilities were first seen with Stuxnet in June 2010, and our investigations show that a few of the malicious components were reported around 2 years and 10 months ago. The malware is approximately 20 times larger than Stuxnet, and hence the ramifications for the security industry are huge.
Furthermore, the malware communicates with its Command and Control (C&C) servers, which are inactive as of now, over the encrypted HTTPS and SSH protocols. This makes the newfound threat even harder to detect. It is also capable of spreading through USB drives and local networks, thanks to its component-based architecture. Further capabilities such as screen capturing, scanning network resources, enabling and sharing Bluetooth connections, detecting and disabling anti-virus suites, negating the effects of security patches and recording audio (something which is highly unusual for malware) have also been observed.
The broad purpose of this malware is to extract information from the SQLite database on its victims' machines. Its targets can range from individual users to educational institutions to state-run organizations. Since it is a highly complex piece of malware with many other characteristics, we are carrying out further analysis and will update our readers with more information soon. It appears to have been written by a large group of people over a period of several years, so its analysis will need to be carried out in a systematic manner. Quick Heal ensures that its users are constantly protected against such threats.