Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx

From Botnets.fr
Revision as of 19:53, 19 August 2012 by Eric.freyssinet (text replacement: « Eset » by « ESET »)


Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx

Botnet: Flame, Duqu, Stuxnet
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2012 / 20/07/2012
Editor/Conference: ESET
Link: http://blog.eset.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx (blog.eset.com, archive copy available)
Author: Aleksandr Matrosov, Eugene Rodionov
Type:

Abstract

The Flame worm (detected by ESET as Win32/Flamer) is one of the most interesting targeted threats of this year. Although several articles about it have been published, many of the facts about the internal structure of its main module (mssecmgr.ocx) have not been disclosed yet. In this blog post we want to shed light on some of the implementation details of this component.

We first became acquainted with complex targeted threats through our analyses of Stuxnet (“Stuxnet Under the Microscope”), continued with Duqu (“Win32/Duqu: It’s A Date”), and now it’s Flame’s turn. Analysis of the Stuxnet code required quite an effort in order to comprehend the complete functionality of the worm. In the case of Duqu we found the architecture and implementation quite similar to those of Stuxnet, which made the process of analysing Duqu much easier. Flame is quite another story; there are lots of interconnected modules as well as internal storage for configuration information, and a payload with a format as yet unknown. Despite these difficulties we are going to reveal some interesting details about the main module mssecmgr.ocx.

Bibtex

 @misc{2012BFR1067,
   editor = {ESET},
   author = {Aleksandr Matrosov and Eugene Rodionov},
   title = {Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx},
   date = {2012-07-20},
   month = jul,
   year = {2012},
   howpublished = {\url{http://blog.eset.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx}},
 }