Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

What Flame Means to the Enterprise

Flame Malware Analysis

While The Immediate Risk of “Flame” is Low, Attackers Could Adapt Its Techniques and Repackage Them Into New Malware

Flame Malware Analysis

While The Immediate Risk of “Flame” is Low, Attackers Could Adapt Its Techniques and Repackage Them Into New Malware

The recent disclosure of the Flame malware has once again focused the spotlight on nation-state sponsored hacking.

Given the extensive media coverage Flame (also known as Flamer and sKyWIper) has received, plus the fact that you are reading SecurityWeek, the odds are high that you have already heard and read quite a bit about this highly sophisticated spying malware. However, just as a basic review the Flame malware, which was brought to light in the last week, has all the hallmarks of malware developed by a nation-state based on an impressive level of technical sophistication and customization as well as the apparent targeting of the malware to Iran. As a result, Flame has spurred no small amount of spy-vs-spy intrigue and speculation. Yet, with that said, security professionals need to know the realistic risks that Flame poses and what it will mean for their everyday security practices.

The Immediate Risk is Low

When malware hits the mainstream news cycle, security professionals are sure to be inundated with questions from worried executives, including “Are we protected?” and “Are we infected?” In the case of Flame the prognosis is good for the vast majority of the world.

First and foremost, Flame is quite targeted. Even though it has apparently been in the wild since 2010 it has remained targeted to Iran and surrounding countries, and the odds are low that it would have been seen in a “normal” enterprise network. Just to provide a data point, the main Flame module nor any of the supporting DLLs have been seen in the WildFire analysis engine, which analyzes unknown files when they traverse a Palo Alto Networks firewall. Additionally, almost all security vendors have quickly responded by releasing signatures for Flame and its components. So the good news is that you likely were not infected, and if your security products are up to date, you are likely protected.

Now on to the not-so-good news…

The Long-Term Risk is High

Advertisement. Scroll to continue reading.

It’s hard to overstate the impact of nation-state hacking on the evolution of malware.

With Stuxnet and Duqu, we saw malware that was easily the most sophisticated malware that the industry had ever seen at the time. Now with Flame, we see yet another example of malware that is just as sophisticated, if not more, but which is entirely different from Stuxnet and Duqu. This has demonstrated that when nation-states are pulling the strings, they have the ability to repeatedly and significantly leap ahead of the state of the art in terms of malware.

This is significant for a variety of reasons, not the least of which is the simple fact that malware has already been evolving rapidly with organized crime being the primary driver. Now with the introduction of nation-states, we see significant escalators injected into an already steep evolutionary ramp of malware. And this is a fundamental aspect of using malware as a weapon. Malware by nature doesn’t live in a vacuum. It is either released to the wild or its dropped into a target environment. But either way, the odds are high that it will eventually be discovered and its secrets will be spilled.

This has two important effects. One effect is that other malware authors can learn new techniques that they can incorporate into their own malware. And secondly, it means that the nation-state attacker must constantly invent new weapons with new techniques that haven’t been seen before. This is especially relevant to Flame because it is so significantly different from Stuxnet and Duqu, which seemed to be closely related to one another.

The problem, obviously, is that even if these malicious techniques are not hitting our networks today, they likely will in the future when repackaged into new malware. The potential irony here is that a nation-state (or states) is developing and releasing 21st century malware secrets to prevent a rogue state from developing 20th century nuclear secrets. My point here isn’t to debate that decision, but rather to point out how that decision will likely impact us all as security professionals, and that we need to prepare to deal with uknown malware that remain undetected by antivirus products. 

It’s probably impossible to truly predict the impact this new breed of malware will have on the industry, but one thing is certain; information security is becoming both more challenging and more valuable every day.

Suggesting Reading: Five Must-Have Capabilities for Controlling Modern Malware

Related News: Microsoft Certificate Was Used to Sign “Flame” Malware

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture