What Flame Means to the Enterprise

While The Immediate Risk of "Flame" is Low, Attackers Could Adapt Its Techniques and Repackage Them Into New Malware

The recent disclosure of the Flame malware has once again focused the spotlight on nation-state sponsored hacking.

Given the extensive media coverage Flame (also known as Flamer and sKyWIper) has received, plus the fact that you are reading SecurityWeek, the odds are high that you have already heard and read quite a bit about this highly sophisticated spying malware. As a basic review, however: the Flame malware, which was brought to light in the last week, has all the hallmarks of malware developed by a nation-state, based on its impressive level of technical sophistication and customization as well as its apparent targeting of Iran. As a result, Flame has spurred no small amount of spy-vs-spy intrigue and speculation. With that said, security professionals need to know the realistic risks that Flame poses and what it will mean for their everyday security practices.

The Immediate Risk is Low

When malware hits the mainstream news cycle, security professionals are sure to be inundated with questions from worried executives, including “Are we protected?” and “Are we infected?” In the case of Flame, the prognosis is good for the vast majority of the world.

First and foremost, Flame is quite targeted. Even though it has apparently been in the wild since 2010, it has remained targeted to Iran and surrounding countries, and the odds are low that it would have been seen in a “normal” enterprise network. To provide a data point, neither the main Flame module nor any of the supporting DLLs has been seen in the WildFire analysis engine, which analyzes unknown files when they traverse a Palo Alto Networks firewall. Additionally, almost all security vendors have quickly responded by releasing signatures for Flame and its components. So the good news is that you likely were not infected, and if your security products are up to date, you are likely protected.

Now on to the not-so-good news…

The Long-Term Risk is High

It’s hard to overstate the impact of nation-state hacking on the evolution of malware.

With Stuxnet and Duqu, we saw what was easily the most sophisticated malware the industry had seen at the time. Now with Flame, we see yet another example of malware that is just as sophisticated, if not more so, but which is entirely different from Stuxnet and Duqu. This demonstrates that when nation-states are pulling the strings, they have the ability to repeatedly and significantly leap ahead of the state of the art in terms of malware.

This is significant for a variety of reasons, not the least of which is the simple fact that malware has already been evolving rapidly, with organized crime being the primary driver. Now with the introduction of nation-states, we see significant escalators injected into an already steep evolutionary ramp of malware. And this is a fundamental aspect of using malware as a weapon. Malware by nature doesn’t live in a vacuum. It is either released into the wild or dropped into a target environment. Either way, the odds are high that it will eventually be discovered and its secrets will be spilled.

This has two important effects. First, other malware authors can learn new techniques that they can incorporate into their own malware. Second, the nation-state attacker must constantly invent new weapons with new techniques that haven’t been seen before. This is especially relevant to Flame because it is so significantly different from Stuxnet and Duqu, which seemed to be closely related to one another.

The problem, obviously, is that even if these malicious techniques are not hitting our networks today, they likely will in the future when repackaged into new malware. The potential irony here is that a nation-state (or states) is developing and releasing 21st century malware secrets to prevent a rogue state from developing 20th century nuclear secrets. My point here isn’t to debate that decision, but rather to point out how that decision will likely impact us all as security professionals, and that we need to prepare to deal with unknown malware that remains undetected by antivirus products.

It’s probably impossible to truly predict the impact this new breed of malware will have on the industry, but one thing is certain: information security is becoming both more challenging and more valuable every day.

Suggested Reading: Five Must-Have Capabilities for Controlling Modern Malware

Related News: Microsoft Certificate Was Used to Sign "Flame" Malware

Wade Williamson is a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience, having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks, where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet, where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.