
Sometimes It’s Hard To Get Rid Of An Old Flame

Flame Malware

The description leaps off the pages like a Hollywood blockbuster in the making.


The Flame malware, whose aliases include sKyWIper and Flamer, is alleged to have been developed or commissioned by a joint U.S. and Israeli effort with the secret mission of compromising the computer systems of Iran’s government in a sophisticated multi-year, multi-million dollar operation designed to slow the country’s ability to develop a nuclear weapon.

And once discovered, the virus’ creators ordered it to self-destruct. The malware, which gets its name from the letter string encountered at many places in the code, infects select Windows targets that may include servers or laptops, with the purpose of stealing information including keystrokes, passwords, contacts, microphone and camera inputs, screen captures and network traffic.

It can even use Bluetooth connectivity to cull data from nearby smartphones and tablets. It then sends this information to Command and Control (C&C) servers, 80 or more of them throughout the world, so that the intelligence can be harvested.

The malware is believed to have been operating in the “wild” for at least two years, but some estimates say perhaps as many as five to eight. In terms of complexity, as a comparison, you may remember the Stuxnet virus that compromised Iranian computers at alleged uranium enrichment facilities.

Well, according to the Budapest University of Technology and Economics, Flame is twenty times as big. Unlike Stuxnet, however, whose ultimate aim was to disable centrifuges, Flame doesn’t aim to damage its hosts; rather, its main purpose is espionage. So far this threat has caused concern in the Middle East and Eastern Europe, where it has been reported, but what about risks to the rest of us in other parts of the world?

The Flame malware is highly modular in architecture and, according to experts, could theoretically be augmented or leveraged by less adept cyber-attackers with aims much more pedestrian than espionage. However, experts can’t seem to agree on what the likelihood of such exposure is for individuals and businesses worldwide.

In fact, Flame has been so controversial that some highly respected security analysts laugh off the threat, while others take a cautious approach, noting that there is still a lot we don’t know. Whether this malware is a single-purpose, impossible-to-manage, now-decommissioned espionage device or a Stuxnet evolution that can be studied, reverse engineered and leveraged to spawn new malware types will take some time to determine, if ever.

And given all of the speculation around the malware’s inception and attack path, this is a debate that is likely to rage on for a while. Still, there are some things we now know for a fact regarding Flame, and there are precautions you can take as part of your security update regime.

In short, update your Windows systems with the latest security patches, and your security systems too. Besides infected USB drives and file shares, one way that Flame can propagate is by using compromised Microsoft root certificates. This essentially tricks systems into installing the malware because they believe it to be a legitimate update from Microsoft. Patches have already been released, one of which automatically checks for untrusted certificates against the disallowed Certificate Trust List (CTL).
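A defender-side check that follows from the paragraph above, added here as an example and not part of the original article: it lists what the local Disallowed store (the machine's copy of the disallowed CTL) contains, then verifies the Authenticode chain of a file that claims to be a Microsoft update and flags any certificate in that chain that the host explicitly distrusts. The file path is a hypothetical placeholder.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on Windows.
param(
    # Hypothetical path to a file that claims to be a Microsoft update; adjust as needed.
    [string]$UpdateFile = "C:\Temp\update.msu"
)

# 1. Enumerate certificates the OS explicitly distrusts. After the CTL update
#    described in the article this store should not be empty.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
"{0} certificate(s) in the machine Disallowed store" -f $disallowed.Count
$disallowed | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 2. Verify the Authenticode signature on the candidate update file.
if (-not (Test-Path $UpdateFile)) {
    Write-Warning "File not found: $UpdateFile"
    return
}
$sig = Get-AuthenticodeSignature -FilePath $UpdateFile
"Signature status for {0}: {1}" -f $UpdateFile, $sig.Status

if ($sig.SignerCertificate) {
    "Signer: {0}" -f $sig.SignerCertificate.Subject

    # 3. Walk the full chain, not just the leaf: a forged signer can look fine on
    #    its own while an intermediate in the chain is the one that is distrusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($sig.SignerCertificate)
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $hit  = $disallowed.Thumbprint -contains $cert.Thumbprint
        "{0} {1}" -f ($(if ($hit) { "DISALLOWED" } else { "ok        " })), $cert.Subject
    }
    if (-not $built) {
        Write-Warning ("Chain did not build cleanly: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "))
    }
}

# Only a 'Valid' status means the chain ends at a trusted root with nothing revoked or disallowed.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Do not install: signature status is $($sig.Status)."
}
```

The same check can be repeated against Cert:\CurrentUser\Disallowed, since per-user distrust entries are kept separately from the machine store.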

The second step involves updating your antivirus protections, intrusion detection systems (IDS) and intrusion prevention systems (IPS) with new signature lists that include protections against some Flame-based exploits. Symantec, Check Point and Juniper Networks, among many others, have such product updates available.

Both Stuxnet and Flame, after examination, are light-years more advanced than anything in use by common criminals. Now that these state-sponsored malware samples are being distributed and dissected, we can expect to see a significant increase in complexity and sophistication of “common” malware, thanks to these examples. That is, these super-malware samples are going to give criminals all kinds of new ideas on how to be evil.

On the whole, with only about 1000 machines infected today out of millions worldwide, the probability of exposure remains low, but just to be sure this old Flame doesn’t come knocking, make those updates.
