As researchers continue to pull apart the Gauss malware code, looking for spreading mechanisms and infection vectors, work is still being done on Gauss’s cousin Flame as well. New research from CERT Polska reveals how deeply Flame burrows into infected systems: the malware distributes pieces of its code through chains of up to three injections spanning as many as four processes, and hides its operations behind commonly seen, legitimate processes.
The analysis done by the Polish team looked specifically at the ways in which the Flame malware hides itself on infected PCs and spreads chunks of its code across the processes running on those machines. What they found is that the worm goes through a rather elaborate infection routine that ends with it spawning new processes and then injecting bits of itself into those processes.
“The fact that the explorer.exe process creates several iexplore.exe instances all of a sudden is especially interesting. Let us clarify what that means: Flame has propagated its elements through four processes in order to perform its trojan operations! We decided to investigate this process in detail,” the CERT Polska analysis says.
“Let us analyze what happened in the course of this process. The victim’s computer is compromised, among other possible vectors, through exploitation of the MS10-061 vulnerability. Upon a successful break-in, the rundll32.exe module is started and ordered to load and execute Flame’s main module – mssecmgr.ocx. It performs various installation operations (including registering LSA service, so that the bot will be loaded during startup after reboot) and then finds services.exe process and injects parts of its code into it. Now, services.exe distributes subsequent parts of code through regular injections into various elements of operating system. It also prepares and injects code for explorer.exe.”
The researchers said this was the most extensive use of code injection they had seen from any malware to date. A typical Trojan, they said, injects into just one process.
Once the malware has gained its foothold on the infected system, it uses services.exe and iexplore.exe as its communication mechanism. The two processes set up a direct link to one another, and services.exe issues commands to iexplore.exe, which executes them. Flame also attempts to connect to the legitimate Windows Update server, perhaps as a test of Internet connectivity or as part of its unusual spreading routine, in which a forged Microsoft digital certificate was used to stand up a fake Windows Update server that pushed the malware to new machines.
The common theme with the process injections and the other behind-the-scenes machinations is that they are all designed to mimic legitimate operations that users and administrators are accustomed to seeing, a tactic meant to keep the malware hidden from view for as long as possible.
“Flame employs the most sophisticated system of code injections we’ve observed in malware. It distributes its elements throughout the OS processes using chains of up to three injections involving up to four processes in order to perform its trojan operations. The distribution among various processes, with respect to natural process hierarchy, renders behavior-based detection very hard. This system is one of Flame’s exceptional features which allowed it to operate undetected for months and years and the reason for its widespread recognition,” the CERT Polska team said.
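The infection chain quoted above (rundll32.exe loading the main module, injecting into services.exe, which injects into explorer.exe, which in turn spawns and injects into several iexplore.exe instances) is exactly the kind of behaviour an endpoint detection rule has to reassemble from per-process telemetry. The following is an added example, not code from CERT Polska or from any Flame analysis: a small Python detector that reconstructs cross-process injection chains from Sysmon-style events and flags the two signals the text describes, a chain of two or more injection hops and a burst of iexplore.exe children under explorer.exe. The event model is an assumption for illustration (Sysmon event ID 1 for process creation, event ID 8 for CreateRemoteThread); Flame's own injection primitive is not described on this page, and a production rule would have to cover other primitives as well. All PIDs, paths and timestamps are constructed.

```python
"""Added example: reconstruct injection chains and process-spawn bursts from
constructed Sysmon-style events.  Not CERT Polska's code; the event format and
the sample log are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

T0 = datetime(2012, 8, 20, 10, 0, 0)           # constructed timestamp base
SVC = r"C:\Windows\System32\services.exe"
EXP = r"C:\Windows\explorer.exe"
RUN = r"C:\Windows\System32\rundll32.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"


def proc(pid, image, ppid, secs):
    """Sysmon event 1 (process creation), as a (event_id, fields) tuple."""
    return (1, {"pid": pid, "image": image, "ppid": ppid,
                "time": T0 + timedelta(seconds=secs)})


def inject(src_pid, tgt_pid, secs):
    """Sysmon event 8 (CreateRemoteThread from src_pid into tgt_pid)."""
    return (8, {"src_pid": src_pid, "tgt_pid": tgt_pid,
                "time": T0 + timedelta(seconds=secs)})


# Constructed sample log mirroring the chain described in the write-up.
EVENTS = [
    proc(400, SVC, 300, 0),
    proc(1200, EXP, 1100, 5),
    proc(2000, RUN, 1900, 60),     # rundll32.exe loading the main module
    inject(2000, 400, 61),         # rundll32.exe -> services.exe
    inject(400, 1200, 62),         # services.exe -> explorer.exe
    proc(3001, IE, 1200, 63),      # explorer.exe spawns three iexplore.exe
    proc(3002, IE, 1200, 63),
    proc(3003, IE, 1200, 64),
    inject(1200, 3001, 64),        # explorer.exe -> iexplore.exe
]


def name(image):
    """Lower-cased basename of a Windows image path."""
    return ntpath.basename(image).lower()


def image_map(events):
    """pid -> image path, taken from process-creation events."""
    return {f["pid"]: f["image"] for eid, f in events if eid == 1}


def injection_chains(events):
    """Follow injection edges from processes nobody injected into and return
    every maximal chain as a list of image basenames (cycles are cut)."""
    images = image_map(events)
    edges = defaultdict(list)
    targets = set()
    for eid, f in events:
        if eid == 8:
            edges[f["src_pid"]].append(f["tgt_pid"])
            targets.add(f["tgt_pid"])
    chains = []

    def walk(pid, path):
        path = path + [pid]
        nxt = [t for t in edges[pid] if t not in path]
        if not nxt:
            chains.append([name(images.get(p, str(p))) for p in path])
        for t in nxt:
            walk(t, path)

    for src in list(edges):
        if src not in targets:
            walk(src, [])
    return chains


def spawn_bursts(events, parent, child, window=timedelta(seconds=10), min_count=3):
    """Return (ppid, count) for each `parent` process that creates at least
    `min_count` children named `child` within `window`."""
    images = image_map(events)
    by_parent = defaultdict(list)
    for eid, f in events:
        if eid == 1 and name(f["image"]) == child:
            by_parent[f["ppid"]].append(f["time"])
    hits = []
    for ppid, times in by_parent.items():
        if name(images.get(ppid, "")) != parent:
            continue
        times.sort()
        for i in range(len(times)):          # sliding window over start times
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_count:
                hits.append((ppid, j - i + 1))
                break
    return hits


def analyze(events, min_hops=2):
    """Combine both signals: long injection chains plus an iexplore.exe burst."""
    chains = injection_chains(events)
    return {
        "chains": chains,
        "suspicious_chains": [c for c in chains if len(c) - 1 >= min_hops],
        "bursts": spawn_bursts(events, "explorer.exe", "iexplore.exe"),
    }


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

On the constructed log the detector recovers the single chain rundll32.exe, services.exe, explorer.exe, iexplore.exe (three hops across four processes) and the burst of three iexplore.exe children under explorer.exe PID 1200. The point of keying on the chain rather than on any single injection is the one the quote makes: each individual hop (services.exe touching explorer.exe, explorer.exe starting a browser) looks like normal process hierarchy, and only the assembled path is anomalous.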
Other researchers who have delved into Flame’s inner workings have also come away convinced that the malware is at the top of the heap in terms of sophistication and innovation. The forged Microsoft certificate and fake Windows Update gambit are part of that, as is the fact that the attackers had to produce a chosen-prefix MD5 hash collision just to forge the certificate in the first place. The clever hide-and-seek tricks CERT Polska found only add to the list.