SKyWIper: A complex malware for targeted attacks

From Botnets.fr
Revision as of 15:24, 7 February 2015 by Eric.freyssinet (talk | contribs) (1 revision imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

(Publication) Google search: [1]

SKyWIper: A complex malware for targeted attacks
Botnet sKyWIper
Malware sKyWIper (bot)
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / mai 2012
Editor/Conference CrySyS Lab
Link http://www.crysys.hu/skywiper/skywiper.pdf www.crysys.hu (www.crysys.hu Archive copy)
Author sKyWIper Analysis Team, Budapest University of Technology and Economics
Type

Abstract

In May 2012, our team participated in the analysis of an as yet unknown malware, which we

internally call sKyWIper. Based on the information initially received, we understood that the malware is an important piece of a targeted attack. When we started the analysis, we did not know how many countries were affected, but we suspected that it was not limited to a single country. Our suspicion was based on indications that pieces of the malware was probably identified and uploaded from European parties onto binary analysis sites in the past. During the investigation, we received information about systems infected by sKyWIper in other countries, including Hungary, our home country. Hence, the suspicion became evidence, and this made it clear for us that our findings must be disclosed by publishing this report.

It is obvious from the list of its files that sKyWIper must be identical to the malware described in the post http://www.certcc.ir/index.php?name=news&file=article&sid=1894 (from IrCERT MAHER Center) where it is called Flamer. For convenience, we keep our naming of the malware and call it sKyWIper based on one of the filenames (~KWI) it uses for temporary files.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1012,
   editor = {CrySyS Lab},
   author = {sKyWIper Analysis Team, Budapest University of Technology and Economics},
   title = {SKyWIper: A complex malware for targeted attacks},
   date = {Error: Invalid time.},
   month = Error: Invalid time.,
   year = {2012},
   howpublished = {\url{http://www.crysys.hu/skywiper/skywiper.pdf www.crysys.hu}},
 }