Some time ago, we rechecked some Stuxnet code. Guess what have we learned: Kasperksy already published Flame-Stuxnet relationship, but on the encryption level, there is another similarity. In fact, this was found by Norman back in June , but they compared with soapr32’s encryption which is slightly more different than 4069.dll’s encryption E2.
Just a short blog entry to save this info for the history.
We investigated originally two different pieces of duqu payload. One contained resource 302 with a compressed .zdata section, the other contained the to-be-injected code without compression. The injector-loader is the same for the two versions, then how does it find if .zdata should […]
Iranian CERT Maher just posted http://www.certcc.ir/index.php?name=news&file=article&sid=2293
Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk […]
SPE/MiniFlame contains the same “main” encryption alg from ver 4.00-5.00
It looks like this:
.text:10007DDE Decrypt_str_10007DDE proc near ; CODE XREF: sub_10001223+5p
.text:10007DDE ; sub_10001223+16p …
.text:10007DDE arg_0 = dword ptr 4
.text:10007DDE mov ecx, [esp+arg_0]
.text:10007DE2 push esi
.text:10007DE3 cmp byte ptr [ecx+0Ch], 42h
It seems Gauss samples already started to float around, so some more info on Palida is not a surprise anymore.
Palida Narrow header info:
‘head’ Table – Font Header
Size = 54 bytes (expecting 54 bytes)
‘head’ version: 1.0
flags: 0x001B- baseline(y)=0 […]
As you all know, Kaspersky Lab has just published a detailed tech report of the latest state-sponsored targeted threat named Gauss.
So the story of Stuxnet, Duqu (found and named by us, CrySyS Lab ), Flame (yes, we had a detailed tech report on that, but we called it […]
Basically the main functionality of the WuSetupV.exe of Flame is to create a special URL, download the main component of Flame using the special URL, store it and install it on the victim computer.
The most interesting topic is what type of data is stored inside the URL created by WuSetupV as it […]
Finally we were able to do some tests, and we can confirm Bitdefender’s http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/ finding on USB file transfer of Flame. Again, please first read our original tech report first.
If started by rundll, Flame creates “.” file within minutes.
As the file name is very special, […]
As You know, the recent nation-sponsored attacks used a bunch of libraries. However, nobody investigated yet the license terms. Here is a short list, based on the feedbacks we might update this article
modified LZO for .zdata: LZO and the LZO algorithms and implementations are distributed under the terms of the […]
First of all, be sure to read Our tech report on the Flame/Flamer/TheFlame/sKyWIper Malware.
As You already know, some Microsoft certificates were abused for flame malware MiTM installation method.
But take a look on the technical details of the certificate chain.
The actual code is signed by a series of certificates:
- August 2019
- June 2018
- March 2018
- January 2018
- August 2017
- July 2017
- March 2017
- January 2017
- August 2016
- July 2016
- October 2015
- July 2015
- June 2015
- December 2014
- November 2014
- September 2014
- August 2014
- July 2014
- February 2014
- November 2013
- August 2013
- March 2013
- February 2013
- January 2013
- December 2012
- October 2012
- August 2012
- July 2012
- June 2012
- January 2012
- December 2011
- July 2011