Flame: Assessment of the "Super Flame Virus" Attack Campaign - By nEINEI  Time: 2012-05-25

1) Flame is in fact an espionage toolkit. It was discovered in the Middle East and has infected targeted computer systems in Iran, Lebanon, Syria, Sudan and other Middle Eastern and North African countries. It is the most complex malicious program found to date and has countless ties to Stuxnet. Flame disguises itself as a legitimate program developed by Microsoft, intrudes into personal computers and steals private data. Its main function is to collect personal information and upload it to the network, and it operates in several ways, including recording audio, capturing the screen and intruding into nearby Bluetooth devices. It is about 20 MB in size and consists of several modules, including decompression libraries, an SQL database and a Lua virtual machine.

2) Flame carries a forged digital signature. The forged signer is the Microsoft Enforced Licensing Intermediate PCA certificate authority, an approach that broke every limit security researchers had previously imagined for malware attack techniques.

Symptoms

When the worm executes, it may create the following files:
  %System%\boot32drv.sys
  %System%\ccalc32.sys
  %System%\csvde.exe
  %System%\msglu32.ocx
  %System%\mssecmgr.ocx
  %System%\nteps32.ocx
  %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSAudio\audcache
  %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSAudio\audfilter.dat
  %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSAudio\dstrlog.dat
  %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSAudio\lmcache.dat
  %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSAudio\ntcache.dat
  %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSAudio\wavesup3.drv
  %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSAudio\wpgfilter.dat
  %Temp%\~a38.tmp
  %Temp%\~c34.tmp
  %Temp%\~DEB93D.tmp
  %Temp%\~dra53.tmp
  %Temp%\~HLV084.tmp
  %Temp%\~HLV294.tmp
  %Temp%\~HLV473.tmp
  %Temp%\~HLV751.tmp
  %Temp%\~HLV927.tmp
  %Temp%\~KWI988.tmp
  %Temp%\~mso2a0.tmp
  %Temp%\~mso2a2.tmp
  %Temp%\~rf288.tmp
  %Temp%\~ZFF
  %Temp%\dat3C.tmp

Next, it creates the following registry entry so that it executes whenever Windows starts:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"wave9" = "%SystemDrive%\Program Files\Common Files\Microsoft Shared\msaudio\wavesup3.drv"

The mssecmgr.ocx file is the principal file in this threat and the first element of the threat that is executed on a compromised computer. The file contains a large number of sub-components that implement many of the functions this threat can perform. For example, there are components that provide Web, Proxy and SSH services, manage databases, a component to handle Bluetooth, and even a component that is a script engine for the Lua scripting language. Lua is a lightweight and fast scripting language with multiple uses, including video games. It is particularly suited for embedding within executable files, allowing functionality to be scripted quickly. Much of the functionality contained within W32.Flamer is implemented using the embedded Lua scripts.

Most sub-components, including various scripts, are stored in an encrypted resource embedded in the mssecmgr.ocx file. Several standalone executable DLL files are also included. The sub-components include some of the following files:
  %CurrentFolder%\00006411.dll
  %CurrentFolder%\advnetcfg.ocx
  %CurrentFolder%\boot32drv.sys
  %CurrentFolder%\jimmy.dll
  %CurrentFolder%\msglu32.ocx
  %CurrentFolder%\nteps32.ocx
  %CurrentFolder%\soapr32.ocs

W32.Flamer has built-in modules to gather information from compromised computers, including:

System information:
  Computer name
  Drive properties, e.g. size
  Printer information
  Registered devices
  Removable media properties
  Running processes
  Services
  System code page
  System drive letter
  Time and time zone information

System network information:
  DHCP information
  DNS information
  Gateway settings
  Host file
  Internet connection information
  IP addresses
  Mail server configuration
  Network adapters and interfaces
  Open ports
  Proxy settings
  Routing table
  Wi-fi network name and profiles

Profiles and cached credentials:
  CoreFTP
  CuteFTP
  EmFTP
  FTP Explorer
  Local computer credentials
  Microsoft Outlook
  Mssh
  NetserveFTP
  RAdmin
  Remote Access Services
  RoboFTP
  Softx FTP
  South River WebDrive
  TeamViewer
  VNC

Files:
  AutoCAD design data
  Images, including the following formats: BMP, GIF, JPEG, PNG, and TIFF
  Microsoft Office documents, including: Access, Excel, PowerPoint, Publisher, and Word
  Outlook details, including: appointments, emails, meeting requests, and notes
  PDF documents
  URL shortcuts
  Visio diagrams
  Files with the following extensions: .CSV .LNK .ORA .RDP .RTF .SSH .SSH2 .TXT

Related sample information:

Minimal closed attack sample set:
  mssecmgr.ocx:  b51424138d72d343f22d03438fc9ced5, size = 6,166,528
  Advnetcfg.ocx: f0a654f7c485ae195ccf81a72fe083a2, size = 643,072
  nteps32.ocx:   c9e00c9d94d1a790d5923b050b0bd741, size = 827,392

Attack capability calculation:
  K = 3 (beyond the bounds of current security understanding)
  a = 3 (no interaction required)
  s = 3 (mainly phishing e-mail; USB drive spread; network spread)
  m = 9 (code injection, use of a specific programming language, infection of specific targets, high difficulty of cracking, extremely broad espionage functions, weapon collection, special persistence and hiding, high difficulty of cracking, more than three years hidden before discovery)
  p = 1 (attacks 1 platform)
  x = 16 (of which: breaking the signature verification of Microsoft's update server = 8; use of 0-day vulnerabilities, CVE-2010-2729 = 4, CVE-2010-2568 = 4. By the time Flame was discovered in 2012 these two 0-days had already been patched, but more likely Flame and Stuxnet shared these vulnerabilities and were using them as early as 2007, so a level-4 score is applied here)
  c = 277264/1024 = 271

  Attack capability = (a+s+m+p)^(k) * (1+x)^2 + c

  AT = (3 + 3 + 9 + 1)^3 * (1 + 16)^2 + (6166528+643072+827392)/1024
     = 16^3 * 17^2 + 7458
     = 1183744 + 7458
     = 1191202
     ==> 1191202 * 1000/1279625 (1T attack-capability unit) = 930.899T

References:
  1. https://www.crysys.hu/publications/files/skywiper.pdf
  2. http://www.antiy.com/response/flame/Analysis_on_the_Flame.html
  3. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf
  4. http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
  5. "On the Nature of Advanced Threats and the Quantification of Attack Capability" - www.vxjump.net/files/aptr/aptr.txt
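A defender-side check for the Drivers32 persistence described under Symptoms: an added example, not code from the original post or from Symantec, that audits Drivers32 values (as read via winreg or from a .reg export) and flags entries pointing outside System32 or matching the dropped file names. The sample entries are constructed, and the benign defaults are an assumption.

```python
import ntpath

# Constructed sample of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
# value name -> data. The benign entries mirror common defaults (assumption);
# "wave9" is the persistence entry described in the Symptoms section.
SAMPLE_DRIVERS32 = {
    "wavemapper": "msacm32.drv",
    "midimapper": "midimap.dll",
    "msacm.msg711": "msg711.acm",
    "vidc.cvid": "iccvid.dll",
    "wave9": r"%SystemDrive%\Program Files\Common Files\Microsoft Shared\msaudio\wavesup3.drv",
}

# File names the write-up lists as dropped by W32.Flamer.
FLAME_FILE_NAMES = {
    "mssecmgr.ocx", "advnetcfg.ocx", "nteps32.ocx", "msglu32.ocx",
    "wavesup3.drv", "boot32drv.sys", "ccalc32.sys",
}

# Locations a multimedia driver entry is expected to resolve to.
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def audit_drivers32(entries):
    """Return {value_name: reason} for Drivers32 entries worth investigating.

    Legitimate entries are bare file names that Windows resolves from
    System32, so a bare name is only flagged when it matches a known Flame
    file. A full path is flagged when it points outside System32, which is
    where Flame's Common Files\Microsoft Shared\MSAudio location falls.
    """
    findings = {}
    for name, data in entries.items():
        value = data.strip().strip('"')
        base = ntpath.basename(value).lower()
        if base in FLAME_FILE_NAMES:
            findings[name] = f"file name {base} matches a W32.Flamer component"
        elif ntpath.dirname(value) and not value.lower().startswith(SYSTEM32_PREFIXES):
            findings[name] = f"driver path outside System32: {value}"
    return findings


if __name__ == "__main__":
    for name, reason in audit_drivers32(SAMPLE_DRIVERS32).items():
        print(f"Drivers32\\{name}: {reason}")
```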
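The attack-capability formula above carried through in code with the write-up's own symbols and values; this is an added example, not part of the original post or of the cited paper, and it takes the c term from the three sample sizes exactly as the AT line does.

```python
from dataclasses import dataclass


@dataclass
class AttackFactors:
    """Inputs to the attack-capability formula, named as in the write-up."""
    k: int  # how far the attack exceeds current security understanding
    a: int  # interaction required (3 = none)
    s: int  # spread vectors
    m: int  # number of distinct techniques
    p: int  # platforms attacked
    x: int  # exploit score, summed over signature forgery and each 0-day
    sample_sizes: tuple  # byte sizes of the minimal closed sample set


T_UNIT = 1279625  # raw score equal to 1T of attack capability, per the write-up


def c_term(factors):
    # c is the sample set size in KiB, as the AT line computes it.
    return sum(factors.sample_sizes) // 1024


def attack_capability(factors):
    """AT = (a+s+m+p)^k * (1+x)^2 + c"""
    f = factors
    return (f.a + f.s + f.m + f.p) ** f.k * (1 + f.x) ** 2 + c_term(f)


def attack_capability_t(factors):
    # Normalise the raw score to T units: AT * 1000 / T_UNIT.
    return attack_capability(factors) * 1000 / T_UNIT


# Flame's factors as assessed above: x = 8 (breaking Microsoft update
# signature verification) + 4 (CVE-2010-2729) + 4 (CVE-2010-2568).
FLAME = AttackFactors(k=3, a=3, s=3, m=9, p=1, x=8 + 4 + 4,
                      sample_sizes=(6166528, 643072, 827392))

if __name__ == "__main__":
    print(attack_capability(FLAME), f"{attack_capability_t(FLAME):.3f}T")
```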