
W32.Flamer.B: Additional Module Discovered

Created: 15 Oct 2012 15:37:48 GMT • Updated: 23 Jan 2014 18:12:04 GMT

In our joint analysis of a W32.Flamer command-and-control (C&C) server, as documented here, we described several C&C server protocols present in code on the server. We knew that one of those protocols was associated with W32.Flamer. The remaining protocols had not previously been observed in the wild, and no samples that used them were retrieved.
 

Figure 1. Protocols present on W32.Flamer C&C server
 

The samples appear to have remained unobserved for so long because of their highly targeted nature. However, one more of those protocols has been identified and found to be in use. That protocol is for a module that can operate independently of W32.Flamer.

We have added detection for this threat as W32.Flamer.B.

Thanks to Kaspersky Labs for making those samples available.