Endpoint Protection

 View Only

Flamer: Urgent Suicide 

Jun 06, 2012 07:42 AM

Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.

Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".

The browse32.ocx module has two exports:

  1. EnableBrowser—This is the initializer, which sets up the environment (mutex, events, shared memory, etc.) before any actions can be taken.
  2. StartBrowse—This is the part of the code that does the actual removal of the Flamer components.

The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection. This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind.

Here is a list of files and folders targeted by this module:

Deleted files

  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\audcache
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\audfilter.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\dstrlog.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\dstrlogh.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m3aaux.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m3afilter.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m3asound.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m4aaux.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m4afilter.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m4asound.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m5aaux.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m5afilter.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m5asound.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\mlcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\mpgaaux.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\mpgaud.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\qpgaaux.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\srcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wpgfilter.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\authcfg.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\ctrllist.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\lmcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\ntcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\posttab.bin
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\secindex.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\tokencpt
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dmmsap.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\domm.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\domm2.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\domm3.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dommt.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlog.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlogh.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\lmcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\Lncache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ltcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscorest.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscrol.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mspovst.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\msrovst.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\msrsysv.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\msvolrst.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\nt2cache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ntcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rccache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rdcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rmcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ssitable
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\syscache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\syscache3.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\audtable.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\fmpidx.bin
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\lmcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\lrlogic
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\mixercfg.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\mixerdef.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\ntcache.dat
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\sndmix.drv
  • %SystemDrive%\system32\msglu32.ocx
  • %SystemDrive%\Temp\~8C5FF6C.tmp
  • %Temp%\~*
  • %Temp%\~a28.tmp
  • %Temp%\~a38.tmp
  • %Temp%\~DF05AC8.tmp
  • %Temp%\~DFD85D3.tmp
  • %Temp%\~DFL542.tmp
  • %Temp%\~DFL543.tmp
  • %Temp%\~DFL544.tmp
  • %Temp%\~DFL545.tmp
  • %Temp%\~DFL546.tmp
  • %Temp%\~dra51.tmp
  • %Temp%\~dra52.tmp
  • %Temp%\~dra53.tmp
  • %Temp%\~dra61.tmp
  • %Temp%\~dra73.tmp
  • %Temp%\~fghz.tmp
  • %Temp%\~HLV084.tmp
  • %Temp%\~HLV294.tmp
  • %Temp%\~HLV473.tmp
  • %Temp%\~HLV751.tmp
  • %Temp%\~HLV927.tmp
  • %Temp%\~KWI988.tmp
  • %Temp%\~KWI989.tmp
  • %Temp%\~mso2a0.tmp
  • %Temp%\~mso2a1.tmp
  • %Temp%\~mso2a2.tmp
  • %Temp%\~rei524.tmp
  • %Temp%\~rei525.tmp
  • %Temp%\~rf288.tmp
  • %Temp%\~rft374.tmp
  • %Temp%\~TFL848.tmp
  • %Temp%\~TFL849.tmp
  • %Temp%\~ZFF042.tmp
  • %Temp%\comspol32.ocx
  • %Temp%\GRb9M2.bat
  • %Temp%\indsvc32.ocx
  • %Temp%\scaud32.exe
  • %Temp%\scsec32.exe
  • %Temp%\sdclt32.exe
  • %Temp%\sstab.dat
  • %Temp%\sstab15.dat
  • %Temp%\winrt32.dll
  • %Temp%\winrt32.ocx
  • %Temp%\wpab32.bat
  • %Temp%\wpab32.bat
  • %Windir%\Ef_trace.log
  • %Windir%\Prefetch\Layout.ini
  • %Windir%\Prefetch\NTOSBOOT-B00DFAAD.pf
  • %Windir%\repair\default
  • %Windir%\repair\sam
  • %Windir%\repair\security
  • %Windir%\repair\software
  • %Windir%\repair\system
  • %Windir%\system32\advnetcfg.ocx
  • %Windir%\system32\advpck.dat
  • %Windir%\system32\aud*
  • %Windir%\system32\authpack.ocx
  • %Windir%\system32\boot32drv.sys
  • %Windir%\system32\ccalc32.sys
  • %Windir%\system32\commgr32.dll
  • %Windir%\system32\comspol32.dll
  • %Windir%\system32\comspol32.ocx
  • %Windir%\system32\config\default.sav
  • %Windir%\system32\config\sam.sav
  • %Windir%\system32\config\security.sav
  • %Windir%\system32\config\software.sav
  • %Windir%\system32\config\system.sav
  • %Windir%\system32\config\userdiff.sav
  • %Windir%\system32\ctrllist.dat
  • %Windir%\system32\indsvc32.dll
  • %Windir%\system32\indsvc32.ocx
  • %Windir%\system32\lrl*
  • %Windir%\system32\modevga.com
  • %Windir%\system32\mssecmgr.ocx
  • %Windir%\system32\mssui.drv
  • %Windir%\system32\mssvc32.ocx
  • %Windir%\system32\ntaps.dat
  • %Windir%\system32\nteps32.ocx
  • %Windir%\system32\pcldrvx.ocx
  • %Windir%\system32\rpcnc.dat
  • %Windir%\system32\scaud32.exe
  • %Windir%\system32\sdclt32.exe
  • %Windir%\system32\soapr32.ocx
  • %Windir%\system32\ssi*
  • %Windir%\system32\sstab.dat
  • %Windir%\system32\sstab0.dat
  • %Windir%\system32\sstab1.dat
  • %Windir%\system32\sstab10.dat
  • %Windir%\system32\sstab11.dat
  • %Windir%\system32\sstab12.dat
  • %Windir%\system32\sstab2.dat
  • %Windir%\system32\sstab3.dat
  • %Windir%\system32\sstab4.dat
  • %Windir%\system32\sstab5.dat
  • %Windir%\system32\sstab6.dat
  • %Windir%\system32\sstab7.dat
  • %Windir%\system32\sstab8.dat
  • %Windir%\system32\sstab9.dat
  • %Windir%\system32\tok*
  • %Windir%\system32\watchxb.sys
  • %Windir%\system32\winconf32.ocx

Deleted folders

  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix

It is natural that this component has not been seen and recovered from the field, but instead it was captured in honeypots. Any client receiving this file would have had all traces of Flamer removed, including this module itself.

The version of this module that we have was created on May 9, 2012; just a few weeks before Flamer information became public. It is very likely that previous versions of this module have been used in the past. In addition, the module was seen as a command being sent to a client as late as just last week.

The existence of this module is interesting in itself. Previously analyzed Flamer code showed us a component named SUICIDE, which is functionally similar to browse32.ocx. It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module.

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.