Flamer: urgent suicide

(Publication) Google search: [1]

Abstract

“ Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.

Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".

The browse32.ocx module has two exports:

• EnableBrowser—This is the initializer, which sets up the environment (mutex, events, shared memory, etc.) before any actions can be taken.
• StartBrowse—This is the part of the code that does the actual removal of the Flamer components.

The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection. This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind.

Here is a list of files and folders targeted by this module:

Bibtex

 @misc{2012BFR1026,
   editor = {Symantec},
   author = {},
   title = {Flamer: urgent suicide},
   date = {06},
   month = Jun,
   year = {2012},
   howpublished = {\url{http://www.symantec.com/connect/blogs/flamer-urgent-suicide}},
 }