Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx

From Botnets.fr
Revision as of 16:27, 7 February 2015 by Eric.freyssinet (talk | contribs) (1 revision imported)


Title: Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx
Botnet: Flame, Duqu, Stuxnet
Botnet/malware group: 
Exploit kits: 
Distribution vector: 
Operation/Working group: 
Date: 20 July 2012
Editor/Conference: ESET
Link: http://blog.eset.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx (blog.eset.com; archive copy)
Author: Aleksandr Matrosov, Eugene Rodionov


The Flame worm (detected by ESET as Win32/Flamer) is one of the most interesting targeted threats of 2012. Although several articles about it have been published, many facts about the internal structure of its main module (mssecmgr.ocx) have not yet been disclosed. In this blog post we want to shed light on some of the implementation details of this component.

We first became acquainted with complex targeted threats through our analysis of Stuxnet (“Stuxnet Under the Microscope”), continued with Duqu (“Win32/Duqu: It’s A Date”), and now it is Flame’s turn. Analysis of the Stuxnet code required considerable effort to comprehend the complete functionality of the worm. In the case of Duqu we found the architecture and implementation quite similar to those of Stuxnet, which made analysing Duqu much easier. Flame is quite another story: it has many interconnected modules, internal storage for configuration information, and a payload whose format is as yet unknown. Despite these difficulties we are going to reveal some interesting details about the main module, mssecmgr.ocx.


 @misc{2012BFR1067,
   editor = {ESET},
   author = {Aleksandr Matrosov, Eugene Rodionov},
   title = {Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx},
   date = {2012-07-20},
   month = jul,
   year = {2012},
   howpublished = {\url{http://blog.eset.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx}},
 }