Flame: msglu32.ocx, Component That Can Track Location
This particular DLL component of the Flame threat is designed to locate various files in the system, read their contents and populate the SQL database with the file contents and characteristics. In addition, this file is capable of collecting geographical identification metadata that may be present in the files it inspects.
The string decryptor is slightly different this time:
#include <stdint.h>

typedef uint8_t BYTE;   /* Windows types the decompiled listing relies on */
typedef BYTE *LPBYTE;

/* result = address of the first encrypted byte, iCount = number of bytes.
   Pointer-sized integers replace the decompiler's int so the routine also
   compiles on 64-bit hosts; the arithmetic is otherwise the original's. */
void decrypt(uintptr_t result, uintptr_t iCount)
{
    uintptr_t i1, i2, i3, i4;
    i1 = result;
    if (iCount)
    {
        i2 = 11 - result;   /* the address cancels out below: i3 == 11 + offset */
        do
        {
            i3 = i1 + i2;
            i4 = i3 + 12;
            result = i3 * i4;
            /* key byte = low byte of the xor-folded product (11+k)*(23+k) */
            *(BYTE *)i1 -= (BYTE)(result ^ ((i3 * i4) >> 8) ^
                                  ((i3 * i4) >> 16) ^ ((i3 * i4) >> 24));
            ++i1;
            --iCount;
        }
        while (iCount);
    }
}

void Decrypt3(LPBYTE lpBuffer)
{
    if (lpBuffer[16]) // 16th byte is a flag "encrypted"
    {
        decrypt((uintptr_t)(lpBuffer + 20), (uintptr_t)lpBuffer[18]);
        // 18th byte is the string size
        // 20th byte is where encrypted bytes start
        lpBuffer[16] = 0; // clear "encrypted" flag (16th byte)
    }
}
Feeding it the string below:
BYTE szTest3[] =
{
0xA7,0xC9,0xDF,0xF8,0x30,0x0C,0x52,0x9D,0x0C,0x7F,0xB5,0x32,0x2B,0x05,0xC6,0x08,
0x05,0xD5,0x26,0x00,0x74,0x21,0xA5,0x6D,0x0B,0xC1,0x54,0x1E,0xB0,0x82,0x24,0xEE,
0xA0,0x63,0xFF,0xDF,0x7A,0x64,0x03,0xE8,0x9F,0x85,0x3E,0x1A,0xD0,0xC6,0x73,0x6B,
0x34,0x28,0xD6,0xD4,0x96,0xA9,0x78,0x66,0x42,0x4B,0x00,0x00,0x68,0xB8,0xE7,0x8A,
0x23,0x51,0x36,0x5C,0xCD,0xC3,0x4D,0xE4,0xF2,0xE5,0xCC,0xA3,0x00
};
Decrypt3(szTest3);
produces the following result:
A7 C9 DF F8 30 0C 52 9D 0C 7F B5 32 2B 05 C6 | ....0.R....2+..
08 00 D5 26 00 77 00 61 00 77 00 68 00 61 00 | ...&.w.a.w.h.a.
6D 00 7A 00 61 00 61 00 62 00 6F 00 76 00 65 | m.z.a.a.b.o.v.e
00 61 00 72 00 61 00 62 00 69 00 63 00 | .a.r.a.b.i.c.
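A stand-alone reimplementation of the same decryptor, added here as an example (it is not code from the original post or from the Flame binary) so that string records can be decoded from an analysis script without running the DLL. The record layout (flag at offset 16, length at 18, ciphertext from 20) is taken from Decrypt3 above, and the sample bytes are the szTest3 buffer shown above:

```python
# Reimplementation of the msglu32.ocx string decryptor (decrypt/Decrypt3).
# Layout assumed from the listing: byte 16 = "encrypted" flag, byte 18 = length,
# bytes 20.. = ciphertext (UTF-16LE text in the sample shown on the page).

FLAG_OFF, LEN_OFF, DATA_OFF = 16, 18, 20


def key_byte(offset):
    """Keystream byte for the offset-th ciphertext byte.

    In the original, i2 = 11 - address and i3 = address + i2, so the address
    cancels out and the key depends only on the position within the string.
    """
    i3 = 11 + offset
    i4 = i3 + 12
    r = i3 * i4
    return (r ^ (r >> 8) ^ (r >> 16) ^ (r >> 24)) & 0xFF


def decrypt_record(record):
    """Return (patched buffer, decoded text) for one string record.

    Mirrors Decrypt3: a clear flag means the record is already plaintext and
    is returned as-is; otherwise it is decrypted in place and the flag cleared.
    """
    buf = bytearray(record)
    n = buf[LEN_OFF]
    if buf[FLAG_OFF]:
        for k in range(n):
            buf[DATA_OFF + k] = (buf[DATA_OFF + k] - key_byte(k)) & 0xFF
        buf[FLAG_OFF] = 0
    text = bytes(buf[DATA_OFF:DATA_OFF + n])
    return buf, text.decode("utf-16-le", errors="replace")


# The szTest3 record from the post (77 bytes).
SZTEST3 = bytes([
    0xA7,0xC9,0xDF,0xF8,0x30,0x0C,0x52,0x9D,0x0C,0x7F,0xB5,0x32,0x2B,0x05,0xC6,0x08,
    0x05,0xD5,0x26,0x00,0x74,0x21,0xA5,0x6D,0x0B,0xC1,0x54,0x1E,0xB0,0x82,0x24,0xEE,
    0xA0,0x63,0xFF,0xDF,0x7A,0x64,0x03,0xE8,0x9F,0x85,0x3E,0x1A,0xD0,0xC6,0x73,0x6B,
    0x34,0x28,0xD6,0xD4,0x96,0xA9,0x78,0x66,0x42,0x4B,0x00,0x00,0x68,0xB8,0xE7,0x8A,
    0x23,0x51,0x36,0x5C,0xCD,0xC3,0x4D,0xE4,0xF2,0xE5,0xCC,0xA3,0x00,
])

if __name__ == "__main__":
    patched, text = decrypt_record(SZTEST3)
    print(text)                       # wawhamzaabovearabic
    print(patched[:24].hex(" "))      # flag byte 16 is now 00
```

Because the key depends only on the byte's offset, the same function decodes any record of this layout regardless of where the binary was loaded.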
The file is capable of locating the following files:
- Microsoft Word documents
- Microsoft Excel spreadsheets
- Microsoft PowerPoint slides
- Microsoft Access Databases
- Microsoft Outlook objects (IPM Notes, Appointments, Schedule/Meeting Requests)
- AutoCAD Drawings
- Visio Drawings
- PDF Documents
- Image files (JPEG, BMP, TIFF, PNG, GIF)
For every document, the DLL collects file characteristics, such as:
- Modification Date
- Creation Date
- Creator
- Author
- Comments
- Company
- Producer
- Title
- Info
- Revision number
- Number of Keywords
The information about located files can then be stored in the database. That data is added and queried with SQL commands such as:
INSERT INTO Media (Type, MediumDescription) VALUES ('%s', '%s')
SELECT State FROM Pst_States WHERE FileName=? AND Size=%u AND LastModification=%I64d
The module contains a large table of 4,173 PostScript glyph names, such as 'alefhamzabelowfinalarabic' or 'alefqamatshebrew'. This table is used to convert PostScript glyph names into Unicode codes, presumably so that the DLL can parse the content of Adobe PDF documents written in Unicode character entities, such as Hebrew or Arabic.
The DLL is aware of the presence of a security product by inspecting the registry entries:
HKLM\SOFTWARE\KasperskyLab\AVP6
HKLM\SOFTWARE\KasperskyLab\protected\AVP7
If the files it inspects include geographical identification metadata (geotagging), it will extract the following data:
- GPS Latitude
- GPS Latitude Ref
- GPS Longitude
- GPS Longitude Ref
- GPS Altitude
- GPS Altitude Ref
This geotagging data may be present within the images, as shown below:
Image Source: Wikipedia, Geotagging
Some cameras use automatic picture geotagging with a built-in GPS receiver (such as Panasonic Lumix DMC-TZ10, Sony Alpha 55V, or Canon PowerShot SX230/SX260). Many mobile phones use either a built-in GPS receiver or a Wi-Fi positioning (assisted GPS) to embed geotagging in the photos by default.
Retrieving the geotagging data allows this Flame component to find GPS coordinates of the location where the pictures were taken, or with some statistical probability, where the compromised system is (has been) located:
.text:100C5DE8 sub_100C5DE8 proc near
.text:100C5DE8 push offset aGps_latitude ; "GPS_LATITUDE"
.text:100C5DED call decrypt_string
.text:100C5DF2 pop ecx
.text:100C5DF3 push eax
.text:100C5DF4 push offset GPS_LATITUDE
.text:100C5DF9 call copy_string
.text:100C5DFE push offset sub_100F32F8
.text:100C5E03 call _atexit
.text:100C5E08 pop ecx
.text:100C5E09 retn
.text:100C5E09 sub_100C5DE8 endp
The code is also capable of enumerating and terminating the following processes found on a compromised system:
- AntiHook.exe
- EngineServer.exe
- FAMEH32.exe
- FCH32.exe
- Filemon.exe
- FPAVServer.exe
- FProtTray.exe
- FrameworkService.exe
- fsav32.exe
- fsdfwd.exe
- fsgk32.exe
- fsgk32st.exe
- fsguidll.exe
- FSM32.exe
- FSMA32.exe
- FSMB32
- fspc.exe
- fsqh.exe
- fssm32.exe
- jpf.exe
- jpfsrv.exe
- mcagent.exe
- mcmscsvc.exe
- McNASvc.exe
- McProxy.exe
- McSACore.exe
- Mcshield.exe
- mcsysmon.exe
- McTray.exe
- mcupdmgr.exe
- mfeann.exe
- mfevtps.exe
- MpfSrv.exe
- naPrdMgr.exe
- procexp.exe
- PXAgent.exe
- PXConsole.exe
- shstat.exe
- sp_rsser.exe
- SpywareTerminator.exe
- SpywareTerminatorShield.exe
- UdaterUI.exe
- VsTskMgr.exe
2 Comments:
Hello
Some of these processes are AVs' ones.
They used to be protected by hooks or callback routines.
How does this component terminate them?
The code has references to process/thread enumeration and termination APIs (SuspendThread/TerminateThread). If the AV process is protected (it should), then it'll survive the termination.