
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

Flamer/sKyWIper Malware: Analysis

As widely reported elsewhere, the Flamer/sKyWIper malware has been attributed to yet another, still unidentified APT actor that appears to target organizations across the Middle East. Its size is massive: much of its logic is written in Lua, running on an interpreter embedded in its C/C++ modules, and the framework is modular enough to host components written in other languages. It was likely authored and developed in parallel with Stuxnet and Duqu, but with a broader goal: comprehensive intelligence gathering.

Rather than speculate on attribution or repeat the initial analysis published by CrySyS Lab, this post focuses on additional indicators of compromise that have not yet been documented elsewhere. These indicators are especially useful for confirming whether this malware is active on a suspect system.


Even Hackers Don't Like to Work Weekends: Email Attack Trends from Q1 2012

In our second half (2H) 2011 Advanced Threat Report, we provided compelling evidence of a possible correlation between increases in email-based attacks and national holidays. Continuing that theme, let's widen the dataset to worldwide coverage and look at the corresponding statistics collected year-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial spam and anti-virus filtering, across the customer deployments that share intelligence back to us.

Figure 1. 1Q2012 Email Attack Trends: rate of malicious attachments detected (worldwide) by relative volume (2H2011 + 2012 YTD)


Spear phished by FireEye?

Blogging about crimeware (commodity malware that infects victims in a purely opportunistic fashion) is an easy thing to do ethically, because the "victim" often adds little to the story. There are also so many copies of the malware publicly available that discussing the threat does not compromise your collection source, and in general we try to avoid "naming names" for the sake of shaming anyone.

In the case of crimeware, whether a home user or a chemical company gets compromised by a DDoS bot, the malware is going to act pretty much the same. For this reason, publicly discussing those types of threats doesn't lead you into conversations of, "But now they know that you know!"


Quick Reference for Manual Unpacking

By packing their malicious executables, malware authors ensure that, when the file is opened in a disassembler, it does not show the real sequence of instructions, making analysis a lengthier and more difficult process. One method for locating the address of the code's first instruction before it was packed, also known as the Original Entry Point (OEP), is to set breakpoints on the APIs the unpacking stub uses to set up the execution environment, such as LoadLibraryA and GetProcAddress (which the stub calls to rebuild the import table), and then single-step from the last of those calls until execution jumps into code that begins with a standard function prologue (for example, push ebp; mov ebp, esp). That stack-frame initialization marks the first instruction of the original program, i.e. the file is unpacked and the OEP has been reached.

For many commonly occurring packers there are packer-specific recipes for locating the OEP.
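The prologue test described above can be automated once the stub has been traced through or a memory dump has been taken after the import-rebuilding calls return. The following Python script is an added example, not code from the FireEye post: it scans a dumped code region for E9 near jmps whose target begins with a known 32-bit x86 function prologue, and ranks first those jmps immediately preceded by popad, the tail of pushad/popad-style stubs such as UPX. The sample bytes, the 0x401000 base address, and the prologue and stub byte patterns are constructed assumptions for the demonstration.

```python
import struct

BASE = 0x401000  # assumed load address of the constructed sample region

# 32-bit x86 function prologues that typically mark the OEP of a
# compiler-built executable once the unpacking stub has finished.
# Assumption: 32-bit PE; 64-bit code uses different prologues.
PROLOGUES = (
    bytes.fromhex("558bec"),  # push ebp; mov ebp, esp
    bytes.fromhex("5589e5"),  # push ebp; mov ebp, esp (alternate encoding)
)


def find_jmp_targets(code, base):
    """Return (site_va, target_va) for every E9 rel32 near jmp in the region."""
    found = []
    for off in range(len(code) - 4):          # need 5 bytes: opcode + rel32
        if code[off] == 0xE9:
            rel = struct.unpack_from("<i", code, off + 1)[0]
            found.append((base + off, base + off + 5 + rel))
    return found


def is_prologue_at(code, base, va):
    """True if a known function prologue starts at virtual address va."""
    off = va - base
    return 0 <= off < len(code) and any(code.startswith(p, off) for p in PROLOGUES)


def follows_popad(code, base, site_va):
    """True if the jmp at site_va is immediately preceded by popad (0x61),
    the pattern a pushad/popad stub leaves right before it jumps to the OEP."""
    off = site_va - base - 1
    return 0 <= off < len(code) and code[off] == 0x61


def oep_candidates(code, base):
    """Jmp targets that land on a prologue; popad-preceded sites sort first."""
    cands = [(site, tgt) for site, tgt in find_jmp_targets(code, base)
             if is_prologue_at(code, base, tgt)]
    cands.sort(key=lambda st: (not follows_popad(code, base, st[0]), st[0]))
    return cands


def build_sample():
    """Constructed stand-in for a dumped, already-unpacked code section:
    a pushad/popad stub at the start, a decoy jmp into filler, and the
    real program entry (with a compiler prologue) at offset 0x200."""
    code = bytearray(b"\x90" * 0x220)          # nop filler
    code[0x000] = 0x60                         # pushad (stub start)
    code[0x00B] = 0x61                         # popad
    code[0x00C] = 0xE9                         # jmp to OEP
    struct.pack_into("<i", code, 0x00D, 0x401200 - (BASE + 0x00C + 5))
    code[0x100] = 0xE9                         # decoy jmp into the nop filler
    struct.pack_into("<i", code, 0x101, 0x401150 - (BASE + 0x100 + 5))
    # push ebp; mov ebp, esp; sub esp, 0x40  -> the original program's prologue
    code[0x200:0x206] = bytes.fromhex("558bec83ec40")
    return bytes(code)


SAMPLE = build_sample()

if __name__ == "__main__":
    for site, tgt in oep_candidates(SAMPLE, BASE):
        print(f"jmp at {site:#x} -> candidate OEP {tgt:#x} "
              f"(after popad: {follows_popad(SAMPLE, BASE, site)})")
```

On the constructed sample the decoy jmp at 0x401100 is rejected because its target is filler rather than a prologue, leaving the popad-preceded jmp at 0x40100C to 0x401200 as the single candidate. On a real dump, treat the output as a shortlist to confirm in the debugger, since not every compiler emits a push ebp prologue and some stubs reach the OEP via push/ret or a register-indirect jmp rather than E9.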


Zeus takeover leaves undead remains

Some of you may be aware that Microsoft this week went after a group of botnets built with the famous Zeus toolkit. This effort was part of the so-called Operation B-71.

When I heard the news, the first thing I wanted to find out was whether these botnets had been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we had already been detecting most of this malware and protecting our customers from it.

One thing caught my attention during this investigation: one botnet was able to partially recover from the takeover attempt. This particular Zeus variant is known for rapidly changing its C&C servers.


FireEye Advanced Threat Report 2H 2011 Now Available

The new FireEye Advanced Threat Report for the second half of 2011, released today, is not your typical threat report. The threats it covers aren't the known malware and spam you'll find in reports from traditional security vendors. Instead, it offers insight into advanced threats that successfully evaded traditional lines of defense, including firewalls, IPS, gateways, and antivirus.
