Monday, May 28, 2012

SkyWiper or Flame - A complex piece of malware!

The news is out on mainstream media about a new malware called Skywiper or Flame. It's possible that this threat has been in the wild for many years now, per analysts. However, the number of infection incidents has been limited to a few hundred, mostly concentrated in the Middle East, per the telescopic view below.
Source: Kaspersky

Detailed analysis by CrySyS Lab suggests a resemblance to Duqu. It's evident from the table below.
Source: CrySys
The complexity of this threat surpasses that of any of the previous targeted threats. Some of its unique features include recording voice conversations, communicating via Bluetooth with nearby devices, etc. A list of its capabilities is detailed per McAfee here:

- Scanning network resources
- Stealing information as specified
- Communicate to C&C Servers over SSH and HTTPS protocols
- Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and thread start manipulation, and code injections to key processes
- It loads as part of Winlogon.exe then injects to Explorer and Services
- Conceals its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and LNK exploit found in Stuxnet
- Uses SQLite Database to store collected information
- Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources

Saturday, May 19, 2012

Exponential growth of Android - A challenge for security

Android from Google is the leading smartphone platform in the U.S. today. The last report from comScore claims 1 in 2 smartphone users are running Android. It powers about 250 million devices and is growing at an exponential pace, with more than 700,000 activations per day. But Android is a mix of more than a dozen different versions. Note that each of these versions supports different API levels, which complicates matters further. This fragmentation is evident from the version tracker below.
Source: comScore
Source: Android

Does it mean each of these versions of Android is supported actively? It's debatable, as this is what is quoted on the Android developer FAQ page:

Android is a mobile platform that is released as open source and available for free use by anybody. This means that there are many Android-based products available to consumers, and most of them are created without the knowledge or participation of the Android Open Source Project. Like the maintainers of other open source projects, we cannot build and release patches for the entire ecosystem of products using Android. Instead, we will work diligently to find and fix flaws as quickly as possible and to distribute those fixes to the manufacturers of the products through the open source project.

The key phrase is "we cannot build and release patches for the entire ecosystem of products using Android." This poses a risk in my opinion. Security threats on Android can only proliferate in this scenario. In fact, the Mobile Threat Report from F-Secure claims the number of unique malware on Android has more than quadrupled in the last year.

Source: ZDNet