Flame War

May 31, 2012 - By Chris Larsen

The security press has been pretty active this week, spreading the news about a newly discovered malware known as "Flame", and it's interesting enough that the popular press has also been running articles about it. Without getting too far into the emerging "Flame War" about just how advanced and/or dangerous it might be, here is a summary of where things stand:

 

(1) First, kudos to CrySyS and Kaspersky, for nice write-ups:

   http://www.crysys.hu/skywiper/skywiper.pdf   (50+ page whitepaper)
   http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

Next, for a good perspective on the real impact (and the hype), with commentary from a good number of folks in the security business:

   http://www.theregister.co.uk/2012/05/31/flame_hype_analysis/

 

(2) Basically, no one is sure how it was originally distributed. (Some companies have stated that they think it's been spreading since at least 2010, and parts of it perhaps longer.)

No evidence  that it was spread via a Web (browser) vector; some speculation that spearphishing may have been used, but no evidence for that either. Its internal code shows that it's designed to spread via USB and direct network connections, like Stuxnet, but under the control of the attackers -- i.e., it doesn't spread willy-nilly, like a normal worm or virus. (And, it contains code that it can use to quietly remove itself, in case it does end up on a machine the attackers are not interested in.)

 

(3) The (relatively few) infections found were in Middle Eastern countries like Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, Lebanon and Egypt.  In other words, a regional threat, rather than a global one.

 

(4) Once on an infected machine, its phone-home traffic is via SSL, according to both write-ups. Generally speaking, SSL traffic is a great place for a Bad Guy to hide C&C communications, or to exfiltrate data. So it's important for network admins and security teams to consider tools for getting visibility into their SSL traffic. (And, since solutions from Blue Coat and others can crack open SSL traffic, the Bad Guys may be tempted to use a custom encryption, but keep it on port 443, so that's something else to keep an eye out for...)

 

(5) Finally, we haven't seen the C&C traffic from any Blue Coat customers in our logs. (Probably not too surprising, given the relatively small number of reported infected machines, and the countries they're in.)

 

My overall thoughts: Flame was able to avoid detection for years, and definitely has some unique and interesting characteristics (Lua scripting, SQLlite DB, Bluetooth snooping, microphone snooping...) so it can certainly be considered "advanced" in those ways. However, its size and construction make it relatively easy to deal with now that the world knows about it, and it was very limited in its scope of deployment, since 1000 or so infected computers is a drop in the bucket compared to all of the big botnets; so in those regards, it's not a major new threat, and the sky isn't falling.

 

--C.L.