Joint Security Awareness Report (JSAR-12-151-01A)
sKyWIper/Flame Information-Stealing Malware (Update A)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
On May 28, 2012, the Laboratory of Cryptography and Systems Security (CrySyS) located at the Budapest University of Technology and Economics, Department of Telecommunications, released a report on a new sophisticated information-stealing malware they have identified as sKyWIper. Various other sources also refer to this malware as "Flame" and "Flamer."
--------- Begin Update A Part 1 of 1 --------
The sKyWIper malware uses a new cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on systems not originally the focus of the sKyWIper malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack. This issue affects all supported releases of Microsoft Windows.
On June 3, 2012, Microsoft published Security Advisory 2718704 Unauthorized Digital Certificates Could Allow Spoofing.a Microsoft recommends that users apply this update immediately using update management software or by checking for updates using the Microsoft Update service. For more information, see the Suggested Actions section of the Microsoft Security Advisory.
ICS-CERT and US-CERT recommend that industrial control systems owners and operators review the Microsoft Advisory and work with equipment vendors to install this update. Control systems asset owners are reminded to perform proper impact analysis and risk assessment prior to taking defensive measures.
--------- End Update A Part 1 of 1 --------
Because of the size and complexity of this malware, comparisons have been drawn to Stuxnet and Duqu malware. However, initial analysis by the CrySyS team indicates that sKyWIper has few similarities when compared to Duqu and Stuxnet. At this time, insufficient data exist to conclude that sKyWIper is related to Duqu or Stuxnet, or produced by the same author.
According to the report, sKyWIper uses a modular structure incorporating multiple propagation and attack techniques. The malware is reported to be complex and sophisticated using multiple compression and encryption techniques, multiple file formats, and special code injection techniques. This malware is a comprehensive toolkit that creates a backdoor on the infected machine, contains worm-like features allowing it to spread throughout the network, and has the ability to proliferate through removable media or malicious links and email attachments. sKyWIper has the ability to sniff network traffic, take screenshots, record audio via an installed microphone, record keystrokes, and conduct other monitoring activities.
Based on initial reporting and analysis of this malware, no evidence exists that sKyWIper specifically targets industrial control systems. Both ICS-CERT and US-CERT are evaluating the malware and will report updates as needed.
Currently, neither ICS-CERT nor US-CERT have received any reports of affected entities and are not aware of any sKyWIper malware infections in the United States.
The full extent of the threat posed by sKyWIper is currently being evaluated. At this time, no specific mitigations are available; however, organizations should consider taking defensive measures against this threat. Specifically, ICS-CERT and US-CERT encourage organizations to:
- Update antivirus definitions for detection of the sKyWIper/Flame malware.
- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
ICS-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
ICS-CERT recommends that organizations review the ICS-CERT Technical Information Paper ICS-TIP-12-146-01 Cyber Intrusion Mitigation Strategies for high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the US-CERT Web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and US-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.