Thursday, 31 May 2012

Flame: msglu32.ocx, Component That Can Track Location

This particular DLL component of the Flame threat is designed to locate various files in the system, read their contents and populate the SQL database with the file contents and characteristics. In addition, this file is capable of collecting geographical identification metadata that may be present in the files it inspects.

The string decryptor is slightly different this time:

#include <stddef.h>

typedef unsigned char BYTE, *LPBYTE; // Windows types, so the snippet builds without windows.h

// Decrypts iCount bytes in place. In the decompiled form the buffer address was
// passed as an int and cancels out (i1 + i2 == 11 for the first byte), so the
// key for byte k is simply (11 + k) * (23 + k), folded into a single byte.
void decrypt(BYTE *pData, int iCount)
{
    int i2 = 11, i3, i4, result;

    while (iCount-- > 0)
    {
        i3 = i2++;          // 11, 12, 13, ... for successive bytes
        i4 = i3 + 12;       // 23, 24, 25, ...
        result = i3 * i4;
        *pData++ -= (BYTE)(result ^ (result >> 8) ^ (result >> 16) ^ (result >> 24));
    }
}

void Decrypt3(LPBYTE lpBuffer)
{
    if (lpBuffer[16]) // byte at offset 16 is the "encrypted" flag
    {
        // offset 18 holds the string size, the encrypted bytes start at offset 20
        decrypt(lpBuffer + 20, (int)lpBuffer[18]);
        lpBuffer[16] = 0; // clear the "encrypted" flag
    }
}

Feeding it the string below:

BYTE szTest3[] =
{
0xA7,0xC9,0xDF,0xF8,0x30,0x0C,0x52,0x9D,0x0C,0x7F,0xB5,0x32,0x2B,0x05,0xC6,0x08,
0x05,0xD5,0x26,0x00,0x74,0x21,0xA5,0x6D,0x0B,0xC1,0x54,0x1E,0xB0,0x82,0x24,0xEE,
0xA0,0x63,0xFF,0xDF,0x7A,0x64,0x03,0xE8,0x9F,0x85,0x3E,0x1A,0xD0,0xC6,0x73,0x6B,
0x34,0x28,0xD6,0xD4,0x96,0xA9,0x78,0x66,0x42,0x4B,0x00,0x00,0x68,0xB8,0xE7,0x8A,
0x23,0x51,0x36,0x5C,0xCD,0xC3,0x4D,0xE4,0xF2,0xE5,0xCC,0xA3,0x00
};
Decrypt3(szTest3);

produces the following result:

    A7 C9 DF F8 30 0C 52 9D 0C 7F B5 32 2B 05 C6 | ....0.R....2+..
    08 00 D5 26 00 77 00 61 00 77 00 68 00 61 00 | ...&.w.a.w.h.a.
    6D 00 7A 00 61 00 61 00 62 00 6F 00 76 00 65 | m.z.a.a.b.o.v.e
    00 61 00 72 00 61 00 62 00 69 00 63 00       | .a.r.a.b.i.c.
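As an added example (not code from the original post), here is a Python port of the decryptor above applied to the szTest3 record. It assumes the record layout that Decrypt3 uses (flag at offset 16, size at offset 18, ciphertext from offset 20) and that the payload is UTF-16LE, as the wide-character dump suggests.

```python
# Keystream byte for position k. The address term of the decompiled code
# cancels out, leaving (11 + k) * (23 + k) folded into one byte.
def key_byte(k: int) -> int:
    v = (11 + k) * (23 + k)
    return (v ^ (v >> 8) ^ (v >> 16) ^ (v >> 24)) & 0xFF


# Record layout assumed from Decrypt3: offset 16 = "encrypted" flag,
# offset 18 = string size in bytes, offset 20 = start of the ciphertext.
FLAG_OFF, SIZE_OFF, DATA_OFF = 16, 18, 20


def decrypt_record(record: bytes) -> bytes:
    """Return a copy of the record with the string decrypted and the flag cleared."""
    buf = bytearray(record)
    if buf[FLAG_OFF]:
        size = buf[SIZE_OFF]
        if DATA_OFF + size > len(buf):
            raise ValueError("size field runs past the end of the record")
        for k in range(size):
            buf[DATA_OFF + k] = (buf[DATA_OFF + k] - key_byte(k)) & 0xFF
        buf[FLAG_OFF] = 0  # mark as decrypted, exactly as Decrypt3 does
    return bytes(buf)


def record_string(record: bytes) -> str:
    """Decrypt a record and decode its payload (assumed UTF-16LE, per the dump)."""
    buf = decrypt_record(record)
    return buf[DATA_OFF:DATA_OFF + buf[SIZE_OFF]].decode("utf-16-le")


# szTest3 exactly as given in the post
SZ_TEST3 = bytes([
    0xA7,0xC9,0xDF,0xF8,0x30,0x0C,0x52,0x9D,0x0C,0x7F,0xB5,0x32,0x2B,0x05,0xC6,0x08,
    0x05,0xD5,0x26,0x00,0x74,0x21,0xA5,0x6D,0x0B,0xC1,0x54,0x1E,0xB0,0x82,0x24,0xEE,
    0xA0,0x63,0xFF,0xDF,0x7A,0x64,0x03,0xE8,0x9F,0x85,0x3E,0x1A,0xD0,0xC6,0x73,0x6B,
    0x34,0x28,0xD6,0xD4,0x96,0xA9,0x78,0x66,0x42,0x4B,0x00,0x00,0x68,0xB8,0xE7,0x8A,
    0x23,0x51,0x36,0x5C,0xCD,0xC3,0x4D,0xE4,0xF2,0xE5,0xCC,0xA3,0x00,
])

if __name__ == "__main__":
    print(record_string(SZ_TEST3))  # wawhamzaabovearabic
```

The decoded text is one of the PostScript glyph names from the table the post describes later, which is consistent with the size field (0x26 = 38 bytes = 19 wide characters).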

The file is capable of locating the following files:
  • Microsoft Word documents

  • Microsoft Excel spreadsheets

  • Microsoft PowerPoint slides

  • Microsoft Access Databases

  • Microsoft Outlook objects (IPM Notes, Appointments, Schedule/Meeting Requests)

  • AutoCAD Drawings

  • Visio Drawings

  • PDF Documents

  • Image files (JPEG, BMP, TIFF, PNG, GIF)

For every document, the DLL collects file characteristics, such as:
  • Modification Date

  • Creation Date

  • Creator

  • Author

  • Comments

  • Company

  • Producer

  • Title

  • Info

  • Revision number

  • Number of Keywords

The information about the located files can then be stored in the database. That data is added and queried with SQL commands such as:
  • INSERT INTO Media (Type, MediumDescription) VALUES ('%s', '%s')

  • SELECT State FROM Pst_States WHERE FileName=? AND Size=%u AND LastModification=%I64d

The module contains a large table of 4,173 PostScript glyph names, such as 'alefhamzabelowfinalarabic' or 'alefqamatshebrew'. This table is used to convert PostScript glyph names into Unicode code points, presumably so that the module can parse the content of Adobe PDF documents written with Unicode character entities, such as Hebrew or Arabic text.

The DLL detects the presence of a security product by inspecting the following registry entries:
  • HKLM\SOFTWARE\KasperskyLab\AVP6

  • HKLM\SOFTWARE\KasperskyLab\protected\AVP7

If the files it inspects include geographical identification metadata (geotagging), it will extract the following data:
  • GPS Latitude

  • GPS Latitude Ref

  • GPS Longitude

  • GPS Longitude Ref

  • GPS Altitude

  • GPS Altitude Ref

This geotagging data may be present within the images, as shown below:

Image Source: Wikipedia, Geotagging

Some cameras use automatic picture geotagging with a built-in GPS receiver (such as Panasonic Lumix DMC-TZ10, Sony Alpha 55V, or Canon PowerShot SX230/SX260). Many mobile phones use either a built-in GPS receiver or a Wi-Fi positioning (assisted GPS) to embed geotagging in the photos by default.

Retrieving the geotagging data allows this Flame component to find the GPS coordinates of the location where the pictures were taken or, with some statistical probability, where the compromised system is or has been located:

.text:100C5DE8 sub_100C5DE8 proc near
.text:100C5DE8 push offset aGps_latitude ; "GPS_LATITUDE"
.text:100C5DED call decrypt_string
.text:100C5DF2 pop ecx
.text:100C5DF3 push eax
.text:100C5DF4 push offset GPS_LATITUDE
.text:100C5DF9 call copy_string
.text:100C5DFE push offset sub_100F32F8
.text:100C5E03 call _atexit
.text:100C5E08 pop ecx
.text:100C5E09 retn
.text:100C5E09 sub_100C5DE8 endp

The code is also capable of enumerating and terminating the following processes found on a compromised system:
  • AntiHook.exe

  • EngineServer.exe

  • FAMEH32.exe

  • FCH32.exe

  • Filemon.exe

  • FPAVServer.exe

  • FProtTray.exe

  • FrameworkService.exe

  • fsav32.exe

  • fsdfwd.exe

  • fsgk32.exe

  • fsgk32st.exe

  • fsguidll.exe

  • FSM32.exe

  • FSMA32.exe

  • FSMB32

  • fspc.exe

  • fsqh.exe

  • fssm32.exe

  • jpf.exe

  • jpfsrv.exe

  • mcagent.exe

  • mcmscsvc.exe

  • McNASvc.exe

  • McProxy.exe

  • McSACore.exe

  • Mcshield.exe

  • mcsysmon.exe

  • McTray.exe

  • mcupdmgr.exe

  • mfeann.exe

  • mfevtps.exe

  • MpfSrv.exe

  • naPrdMgr.exe

  • procexp.exe

  • PXAgent.exe

  • PXConsole.exe

  • shstat.exe

  • sp_rsser.exe

  • SpywareTerminator.exe

  • SpywareTerminatorShield.exe

  • UdaterUI.exe

  • VsTskMgr.exe

2 Comments:

Blogger tigzy-RK said...

Hello

Some of these processes are AV ones.
They used to be protected by hooks or callback routines.

How does this component terminate them?

31 May 2012 at 19:37  
Blogger Sergei Shevchenko said...

The code has references to process/thread enumeration and termination APIs (SuspendThread/TerminateThread). If the AV process is protected (as it should be), then it'll survive the termination.

1 June 2012 at 14:38  
