SKyWIper: A complex malware for targeted attacks

(Publication) Google search: [1]

Abstract

“ In May 2012, our team participated in the analysis of an as yet unknown malware, which we

internally call sKyWIper. Based on the information initially received, we understood that the malware is an important piece of a targeted attack. When we started the analysis, we did not know how many countries were affected, but we suspected that it was not limited to a single country. Our suspicion was based on indications that pieces of the malware was probably identified and uploaded from European parties onto binary analysis sites in the past. During the investigation, we received information about systems infected by sKyWIper in other countries, including Hungary, our home country. Hence, the suspicion became evidence, and this made it clear for us that our findings must be disclosed by publishing this report.

It is obvious from the list of its files that sKyWIper must be identical to the malware described in the post http://www.certcc.ir/index.php?name=news&file=article&sid=1894 (from IrCERT MAHER Center) where it is called Flamer. For convenience, we keep our naming of the malware and call it sKyWIper based on one of the filenames (~KWI) it uses for temporary files.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1012,
   editor = {CrySyS Lab},
   author = {sKyWIper Analysis Team, Budapest University of Technology and Economics},
   title = {SKyWIper: A complex malware for targeted attacks},
   date = {Error: Invalid time.},
   month = Error: Invalid time.,
   year = {2012},
   howpublished = {\url{http://www.crysys.hu/skywiper/skywiper.pdf www.crysys.hu}},
 }