Security Experts:

Sometimes It's Hard To Get Rid Of An Old Flame

Flame Malware

The description leaps off the pages like a Hollywood blockbuster in the making.

The Flame malware, whose aliases include sKyWIper and Flamer, is alleged to have been developed or commissioned by a joint U.S. and Israeli effort with the secret mission of compromising the computer systems of Iran's government: a sophisticated, multi-year, multi-million dollar operation designed to slow the country's ability to develop a nuclear weapon.

And once it was discovered, the malware's creators ordered it to self-destruct. The malware, which takes its name from a string found in many places in its code, infects selected Windows targets, including servers and laptops, in order to steal information: keystrokes, passwords, contacts, microphone and camera input, screen captures and network traffic.

It can reportedly even use Bluetooth to enumerate and pull data from nearby smartphones and tablets. It then sends what it collects to command and control (C&C) servers, 80 or more of them around the world, so that the intelligence can be harvested.

The malware is believed to have been operating in the wild for at least two years, though some estimates put it at five to eight. For a sense of its complexity, recall the Stuxnet worm that compromised Iranian computers at uranium enrichment facilities.

According to the CrySyS Lab at the Budapest University of Technology and Economics, Flame is about twenty times the size of Stuxnet. Unlike Stuxnet, however, whose ultimate aim was to disable centrifuges, Flame does not try to damage its hosts; its main purpose is espionage. So far the threat has caused concern in the Middle East and Eastern Europe, where infections have been reported, but what about the risk to the rest of us elsewhere in the world?

Flame's architecture is highly modular and, according to experts, could in theory be extended or repurposed by less adept attackers with aims far more pedestrian than espionage. Experts cannot agree, however, on how likely such exposure is for individuals and businesses worldwide.

In fact, Flame has been so controversial that some highly respected security analysts laugh off the threat, while others take the cautious view that there is still a lot we do not know. Whether this malware is a single-purpose, unmanageable, now-decommissioned espionage tool or a Stuxnet evolution that can be studied, reverse engineered and leveraged to spawn new malware families will take time to determine, if it can be determined at all.

And given all the speculation around the malware's origin and attack path, this debate is likely to rage on for a while. Still, there are some things we now know for a fact about Flame, and there are precautions you can take as part of your regular security update regime.

In short, apply the latest security patches to your Windows systems, and keep your security products patched too. Besides infected USB drives and network shares, one way Flame spread was by impersonating Windows Update. Its creators did not break a Microsoft root; they obtained a code-signing certificate that chained up to a Microsoft root through Microsoft's Terminal Server Licensing infrastructure (reportedly with the help of an MD5 hash collision), so a victim machine that received the malicious "update" over a hijacked network connection believed it was a legitimate update from Microsoft. Microsoft has already released an update (Security Advisory 2718704) that moves the offending intermediate certificates into the Untrusted Certificates store, and a separate updater that automatically checks certificates against the disallowed Certificate Trust List (CTL).
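A quick way to confirm that mitigation on a host is to check that the update is installed, that the revoked intermediates really sit in the Disallowed store, and that no Authenticode-signed binary on the machine chains through an MD5-signed certificate, which is the property the Flame certificate abused. The script below is an added example for this column, not Microsoft's tooling; the KB number and the certificate subject strings are assumptions taken from memory of Advisory 2718704 and should be confirmed against the advisory before relying on them. It uses only standard Windows PowerShell cmdlets and .NET X509 classes.

```powershell
# Added example: audit a Windows host for the Flame certificate mitigation.
# Assumptions (verify against Microsoft Security Advisory 2718704):
#   - the hotfix is listed as KB2718704 by Get-HotFix
#   - the revoked intermediates carry these subject names
$ExpectedKb = 'KB2718704'
$RevokedSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

function Test-FlameCertMitigation {
    # 1. Is the update installed? (Get-HotFix may miss updates on some builds,
    #    so a miss here is a prompt to check Windows Update history, not proof.)
    $hotfix = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
    $result = [ordered]@{ HotfixInstalled = [bool]$hotfix }

    # 2. Are the revoked intermediates present in the Disallowed store?
    $disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed
    foreach ($subject in $RevokedSubjects) {
        $hit = $disallowed | Where-Object { $_.Subject -like "*$subject*" }
        $result["Disallowed: $subject"] = [bool]$hit
    }
    return [pscustomobject]$result
}

function Find-Md5SignedBinaries {
    # 3. Flag signed binaries whose certificate chain contains an MD5-signed cert.
    #    Revocation checking is disabled so the scan works offline; the point is the
    #    hash algorithm in the chain, not online status.
    param([string]$Root = "$env:SystemRoot\System32", [int]$Max = 500)

    $files = Get-ChildItem -Path $Root -Include *.exe, *.dll, *.sys -Recurse `
             -ErrorAction SilentlyContinue | Select-Object -First $Max
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if (-not $sig.SignerCertificate) { continue }   # unsigned file

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)

        $md5 = $chain.ChainElements |
               Where-Object { $_.Certificate.SignatureAlgorithm.FriendlyName -match 'md5' }
        if ($md5) {
            [pscustomobject]@{
                File      = $f.FullName
                Status    = $sig.Status
                Md5Issuer = ($md5 | ForEach-Object { $_.Certificate.Subject }) -join '; '
            }
        }
    }
}

Test-FlameCertMitigation | Format-List
Find-Md5SignedBinaries | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store and System32 are fully readable. A binary that shows up in the second list is not necessarily malicious, since older legitimate software was also signed with MD5 chains, but each hit deserves a look, and any file whose chain reaches a subject from the Disallowed store should be treated as hostile.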

The second step is to update your antivirus, intrusion detection (IDS) and intrusion prevention (IPS) systems with the latest signature sets, which now include coverage for some of the exploits Flame uses. Symantec, Check Point and Juniper Networks, among many others, have such updates available.

On examination, both Stuxnet and Flame are far more advanced than anything in use by common criminals. Now that these state-sponsored samples are being distributed and dissected, we can expect a significant increase in the complexity and sophistication of "common" malware; these super-malware samples are going to give criminals all kinds of new ideas on how to be evil.

On the whole, with only about 1,000 machines known to be infected today out of millions worldwide, the probability of exposure remains low, but just to be sure this old Flame doesn't come knocking, make those updates.

Related News: Microsoft Certificate Was Used to Sign "Flame" Malware

Related Reading: What Flame Means to the Enterprise

Johnnie Konstantas heads Gigamon’s security solutions marketing and business development. With 20+ years in telecommunications, as well as data and cybersecurity, she has done a little bit of everything spanning engineering, product management and marketing for large firms and fledglings. Most recently, she was the VP of Marketing at Dato, a company pioneering large-scale machine learning. She was also VP Marketing at Altor Networks (acquired by Juniper), an early leader in virtualization security and at Varonis Systems. Past roles have included product management and marketing for Check Point, Neoteris, NetScreen and RedSeal Systems. Johnnie started her career at Motorola, designing and implementing large-scale cellular infrastructure. She holds a B.S. in Electrical Engineering from the University of Maryland.