Have I Got Newsforyou: Analysis of Flamer C&C Servers

W32.Flamer is a sophisticated cyber espionage tool which targeted the Middle East. News of its existence hit the headlines earlier in 2012. Symantec, has performed a detailed forensic analysis of two of the command-and-control (C&C) servers used in the W32.Flamer attacks earlier this year.

The servers were set up on March 25, 2012, and May 18, 2012, respectively.  On both occasions, within only a few hours of the server being setup, the first interaction with a computer compromised with Flamer was recorded. The servers would go on to control at least a few hundred compromised computers over the next few weeks of their existence.

The analyzed servers contain the same control framework, but they were used for distinct purposes. The server that was set up in March of 2012 shows evidence of having collected almost 6 GB of data from compromised computers in just over a week. In comparison, the server that was set up in May 2012 received just 75 MB of data and was used solely to distribute one command module to the compromised computers.

Command-and-control happens through a Web application called Newsforyou. The application processes the W32.Flamer client interactions and provides a simple control panel. The control panel allows the attackers to upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data. This application does not appear to be exclusively used by Flamer. It contains functionality that allows it to communicate with computers compromised with multiple malware identifiers using different protocols. Below is a table showing the correlation between different malware identifiers and the various supported protocols:

As shown in the above table, several threats supported by this framework are still unknown. They are most likely unknown variants of Flamer or totally distinct malware.

The servers were set up to record minimal amounts of information in case of discovery. The systems were configured to disable any unnecessary logging events and entries in the database were deleted at regular intervals. Existing log files were securely deleted from the server on a regular basis. These steps were taken in order to hamper any investigation should the server be acquired by third parties.

The attackers were not thorough enough, however, as a file revealing the entire history of the server‘s setup was available. In addition, a limited set of encrypted records in the database revealed that compromised computers had been connecting from the Middle East. We were also able to recover the nicknames of four authors—D***, H*****, O******, and R***—who had worked on the code at various stages and on differing aspects of the project, which appear to have been written as far back as 2006.

The setup of this framework displays a clear distinction of roles on the attackers’ end: those responsible for setting up the server (administrators), those responsible for uploading packages and downloading stolen data through the control panel (operators), and those holding the private key with the ability to decrypt the stolen data (attackers). The operators themselves may actually be completely unaware of the contents of the stolen data due to the use of data security compartmentalization techniques.  The use of this type of structure suggests that this is the work of a well-funded and organized group.

Despite the controllers’ attempts to prevent information disclosure in the event the servers were obtained by a third party, we were able to determine that the server set up in May 2012 delivered a module instructing Flamer to commit suicide and wipe itself from computers in late May 2012. An action we witnessed through compromised honeypots.

Finally, access to the control panel required a password which is stored as a hash. Despite brute-force attempts at reversing the hash to plain text, we were unable to determine the password. If someone is able to extract the password from the following hash, please get in touch with us:

Password Hash: 27934e96d90d06818674b98bec7230fa 

Analysis of these C&C servers was performed as a joint effort between Symantec, CERT-Bund/BSI, IMPACT, and Kaspersky. Click here to read Symantec’s full analysis of the command-and-control servers which details the server setup, the Web application developed by at least four separate authors since 2006, the control panel used by the operators, and the database that helps drive the application.

 

Update: September 17, 2012 07:30 PDT

The plain text of the password hash is 900gage!@#. Thanks to Dmitry Bestuzhev for providing this information.