SKyWIper: A complex malware for targeted attacks

Revision as of 14:24, 7 February 2015 by Eric.freyssinet (talk | contribs) (1 revision imported)


SKyWIper: A complex malware for targeted attacks
Botnet: sKyWIper
Malware: sKyWIper (bot)
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
Date: 2012 / May 2012
Editor/Conference: CrySyS Lab
Link: (Archive copy)
Author: sKyWIper Analysis Team, Budapest University of Technology and Economics


In May 2012, our team participated in the analysis of an as yet unknown malware, which we internally call sKyWIper. Based on the information initially received, we understood that the malware is an important piece of a targeted attack. When we started the analysis, we did not know how many countries were affected, but we suspected that it was not limited to a single country. Our suspicion was based on indications that pieces of the malware were probably identified and uploaded from European parties onto binary analysis sites in the past. During the investigation, we received information about systems infected by sKyWIper in other countries, including Hungary, our home country. Hence, the suspicion became evidence, and this made it clear for us that our findings must be disclosed by publishing this report.

It is obvious from the list of its files that sKyWIper must be identical to the malware described in the post (from IrCERT MAHER Center) where it is called Flamer. For convenience, we keep our naming of the malware and call it sKyWIper based on one of the filenames (~KWI) it uses for temporary files.


 @misc{2012BFR1012,
   editor = {CrySyS Lab},
   author = {sKyWIper Analysis Team, Budapest University of Technology and Economics},
   title = {SKyWIper: A complex malware for targeted attacks},
   month = {May},
   year = {2012},
   howpublished = {\url{}},