Flamer has several ways of spreading from one computer to another, but none of them is used automatically: it waits for its operators to send instructions before it moves. The methods are:
- Captured administrator credentials, used to copy itself over network shares.
- The Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE-2010-2729), which Stuxnet had used before it.
- Removable media, through a specially crafted autorun file.
- Removable drives, through a specially crafted directory that hides its files. When this is combined with the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (CVE-2010-2568), the payload runs as soon as the drive is viewed in Windows Explorer.
Most of these have been seen before, but the last one is new and interesting, because it relies on junction points.
A junction point is essentially an alias for a directory, carrying some extra attributes. Flamer uses a junction point both to hide its files and to get them executed automatically.
Flamer creates a directory on the drive and places three files in it: mssecmgr.ocx, desktop.ini and target.lnk. The configuration in desktop.ini makes the directory behave as a junction point, but with a twist: instead of pointing at another directory, the junction points at a file, target.lnk. Because opening the folder is redirected to that file, the user never gets to browse the directory, and the files inside stay hidden. The redirection is performed by Windows Explorer when it displays the folder, not by the file system, so the files are still on disk and are listed by any tool that does not go through the shell.
That still leaves the problem of getting executed, which is where the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (CVE-2010-2568) comes in. When Explorer displays the drive it parses target.lnk, and the malformed shortcut exploits the vulnerability to load the Flamer module, mssecmgr.ocx. The module name is not fixed: it has also been seen as LSS.OCX, SYSTEM32.DAT and NTVOLUME.DAT, and any other name would work just as well, so detection should key on the directory layout rather than on the file name.
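As an added example (not code from the original post, and not Flamer's code or any vendor's detection logic), the following Python script hunts for the directory layout described above on a removable drive or a mounted image of one. It keys on the combination that matters, a desktop.ini that sets CLSID or CLSID2 under [.ShellClassInfo], a .lnk in the same directory and a payload-like file, rather than on file names, and only annotates a hit when one of the names reported for the Flamer module is present. The sample tree it builds, the folder names in it and the GUID written into the sample desktop.ini are constructed for this example; the GUID is a placeholder, not the value Flamer used.

```python
"""Hunt for the Flamer-style desktop.ini / target.lnk directory layout.

Added example for this post; not Flamer code and not a vendor's detection.
The directory tree built by build_sample_tree() is constructed here, and the
CLSID placed in its desktop.ini is a placeholder, not a value from any sample.
"""
import configparser
import os
import tempfile

# Names the post reports for the payload; they only annotate a finding,
# the structural check below does not depend on them.
KNOWN_PAYLOAD_NAMES = {"mssecmgr.ocx", "lss.ocx", "system32.dat", "ntvolume.dat"}
PAYLOAD_EXTENSIONS = {".ocx", ".dll", ".dat", ".exe"}

# Placeholder GUID for the constructed sample (assumption, NOT Flamer's CLSID).
SAMPLE_CLSID = "{00000000-0000-0000-0000-000000000000}"


def read_text(path):
    """Decode a desktop.ini, which Windows often writes as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def shell_class_redirects(desktop_ini):
    """Return the CLSID/CLSID2 entries under [.ShellClassInfo], or {} if none.

    A CLSID here makes Explorer treat the folder as a shell namespace object
    instead of showing its real contents; that is the redirection the post
    calls a junction point. Files that only set IconResource/InfoTip give {}.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(read_text(desktop_ini))
    except configparser.Error:
        return {}
    # INI section names are case-insensitive on Windows, so match loosely.
    section = next((s for s in cp.sections() if s.lower() == ".shellclassinfo"), None)
    if section is None:
        return {}
    return {k: v for k, v in cp[section].items() if k in ("clsid", "clsid2")}


def scan_tree(root):
    """Walk root and return one finding per directory matching the pattern."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lower = {f.lower(): f for f in filenames}
        if "desktop.ini" not in lower:
            continue
        redirects = shell_class_redirects(os.path.join(dirpath, lower["desktop.ini"]))
        if not redirects:
            continue
        lnks = sorted(f for f in filenames if f.lower().endswith(".lnk"))
        payloads = sorted(f for f in filenames
                          if os.path.splitext(f)[1].lower() in PAYLOAD_EXTENSIONS)
        if not lnks or not payloads:
            continue
        findings.append({
            "dir": dirpath,
            "redirects": redirects,
            "lnk": lnks,
            "payload": payloads,
            "known_name": sorted(f for f in filenames if f.lower() in KNOWN_PAYLOAD_NAMES),
        })
    return findings


def build_sample_tree():
    """Constructed test data: one benign customised folder, one Flamer-style folder."""
    root = tempfile.mkdtemp(prefix="usb_")
    benign = os.path.join(root, "docs")
    os.makedirs(benign)
    with open(os.path.join(benign, "desktop.ini"), "w", encoding="utf-8") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=C:\\Windows\\system32\\shell32.dll,3\n")
    with open(os.path.join(benign, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")

    bad = os.path.join(root, "photos")
    os.makedirs(bad)
    with open(os.path.join(bad, "desktop.ini"), "w", encoding="utf-16") as fh:
        fh.write("[.ShellClassInfo]\nCLSID=%s\n" % SAMPLE_CLSID)
    with open(os.path.join(bad, "target.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00")  # placeholder bytes, not a real shortcut
    with open(os.path.join(bad, "mssecmgr.ocx"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real module
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print("suspicious folder :", f["dir"])
        print("  shell redirect  :", f["redirects"])
        print("  shortcut(s)     :", ", ".join(f["lnk"]))
        print("  payload(s)      :", ", ".join(f["payload"]))
        if f["known_name"]:
            print("  known name      :", ", ".join(f["known_name"]))
```

To use it on a real drive, call scan_tree() with the drive's mount point instead of the constructed tree. Because the hiding is done by Explorer rather than by the file system, a plain directory walk like this one sees every file; the same is true of a non-shell listing on the infected machine. Treat any hit as something to pull for analysis, not as proof of Flamer: a CLSID in desktop.ini is a legitimate shell feature, and the combination with a shortcut and a loadable module is what makes it worth a look.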
Flamer, then, combines a new technique for hiding and launching itself with old exploits that were already well known. It is an unusually large piece of malware, and later versions will probably show us more tricks.