Tuesday, May 29, 2012

Flame Malware, Targeted Attacks, and You

It seems no good holiday goes by without some quality new malware being dropped, and this year's Memorial Day was no exception. Announced in posts by Kaspersky, Symantec, the Iranian National CERT and the Budapest University of Technology and Economics, a targeted piece of malware called Flame has been snooping on private networks throughout the Middle East since at least March 2010, sending back data ranging from audio recordings and screenshots to secret documents and emails over a covert SSL channel.

The good news for your average network security guy is that the likelihood of seeing this malware on your network is exceptionally low. Unlike the newest Flash 0-day or the recent PHP-CGI issue, this particular attack won't be appearing in the latest exploit kit, and isn't going to be compromising thousands of hosts across the globe; to date, according to Kaspersky, it's been limited to a total of just 382 systems across 7 different countries in the Middle East. While it's of course possible that Flame has been, or will be, used in other locations, the chances of you being impacted directly by it are probably about as great as getting hit by Stuxnet.

That said, Flame has some surprisingly easy-to-detect behaviors, and since there will be plenty of CTOs who hear about "one of the most complex threats ever discovered" (per Kaspersky) as more and more media outlets pick up the story, the VRT has you covered detection-wise. SIDs 23019 through 23038 look for C&C communications. You can see a sample of this traffic here, in a PCAP that the VRT gathered using live samples obtained this morning. ClamAV coverage has been delivered as Worm.Flame, Worm.Flame-1, and Worm.Flame-2.

We'll be watching this closely for further developments, and will add any further rules as necessary. In the meantime, we'd like to send a special compliment to the good folks of the Budapest University's Laboratory of Cryptography and System Security, whose writeup (linked above) is exceptionally detailed and helpful for those wishing to study this malware further.
