The information security industry is now focused on a new attack vector that seems like it might be modeled on the Stuxnet worm, discovered in June 2010, and the Duqu worm, which was identified last September.
The new threat is known by a number of different names, including “Flame,” “Viper,” and “Skywiper.” It was found over the weekend in the Middle East, most notably used against Iran. While there is widespread speculation that this development represents some sort of state-on-state attack, the validity of this theory is far from proven.
The worm’s capabilities are quite extensive, and full investigation is likely to go on for months. But known capabilities include information theft, the ability to detect more than 100 security products, the ability to scan network resources, and the functionality to capture screenshots and record voice conversations. It communicates with its command-and-control servers over the SSH and HTTPS protocols.
“The thing that jumps out at me the most is the amount of encryption,” said Dave Marcus, director of advanced research and threat intelligence at McAfee. “There are a lot of similarities with other attacks, but the level of encryption that went into this one is significant.”
While Flame does not appear to be an imminent threat to corporate networks outside the Middle East at this point, Marcus added that some of the functionalities might be seen repeated in other forms.
“The long-term concern is that malware writers tend to co-opt each other’s code,” Marcus said. “The code used in Flame is particularly modular, so long-term this will have effects on other malware because they will be able to drop modules from this worm into new attacks.”
The level of encryption does not appear problematic to Vikram Thakur, principal security response manager at Symantec. “We can decrypt and understand this,” he said. “It just takes more time to do so.”
“We have a pretty extensive understanding of what Flamer does. The part that we’re missing is how it does certain things, but I think we will be able to figure out those things, as well.”
Flame seems to be able to propagate itself through a wide variety of media and has the ability to fully wipe itself on command, thereby making it far more difficult to track where on the network the adversary has been.
“This particular vector is kind of unique,” said Darien Kindlund, senior staff scientist at FireEye, which develops advanced malware analysis capabilities. “We haven’t really seen attacks like this over web-based email attachments or drive-by downloads. So it’s likely the initial attack vector was through mobile media.”
“Depending upon which platform you are running and what patch level, there are slightly different changes and indicators,” Kindlund added. “This particular piece of malware is not as stealthy as some of the others. For example, it does quite a bit of code injection. So as long as your endpoint protection systems are in place and updated, you should be able to detect any threats related to this.”
McAfee’s Marcus agreed. “I would recommend that partners look at the customer’s settings, and how their customer security is deployed. Are the settings correct? Something as simple as a setting configuration can make you miss an awful lot of attacks. You also need to consider the level of suspicion and make sure that you are looking at things at the proper level of granularity.”
The main module pretends to be a “Windows Authentication Client” for Microsoft Windows Version 5.1 (2600 Build). Several other modules also claim to be Microsoft Windows components. But none of the files analyzed appear to be signed with a valid, or even a stolen, key.
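That last detail is the one a defender can act on: a file whose version resource claims to be a Microsoft Windows component but which carries no valid Authenticode signature deserves a second look. The PowerShell script below is an added example written for this article, not code from the article, from McAfee, Symantec or FireEye, and not tied to any specific Flame sample. It walks a set of directories (the default list is an assumption; adjust it to the customer’s environment), picks out executables and drivers whose CompanyName or ProductName mentions Microsoft, and reports every one whose signature status is anything other than Valid, together with its SHA-256 hash for follow-up. The output path is likewise an assumption.

```powershell
# Added example (not from the article): report PE files that present themselves as
# Microsoft Windows components but do not carry a valid Authenticode signature.
# Directory list and report path are assumptions; tune them for the environment.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\Temp", "$env:TEMP"),
    [string]$ReportCsv = "$env:TEMP\unsigned-microsoft-lookalikes.csv"
)

$peExtensions = @('.exe', '.dll', '.ocx', '.sys', '.scr')

$findings = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $peExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Only files that pose as Windows/Microsoft components are of interest here.
            $claimsMicrosoft = ($vi.CompanyName -match 'Microsoft') -or ($vi.ProductName -match 'Microsoft')
            if (-not $claimsMicrosoft) { return }   # 'return' skips just this item in ForEach-Object

            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # Any status other than Valid (NotSigned, HashMismatch, NotTrusted, UnknownError ...)
            # means the file's claim to be a Microsoft component is not backed by a trusted signature.
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path            = $_.FullName
                    FileDescription = $vi.FileDescription
                    CompanyName     = $vi.CompanyName
                    ProductVersion  = $vi.ProductVersion
                    SignatureStatus = $sig.Status
                    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                    SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object Path | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation
    $findings | Format-Table Path, SignatureStatus, FileDescription -AutoSize
    Write-Host ("{0} file(s) claim to be Microsoft components without a valid signature; report: {1}" -f $findings.Count, $ReportCsv)
} else {
    Write-Host "No Microsoft-lookalike files with an invalid or missing signature found under: $($Paths -join ', ')"
}
```

Run it from an elevated prompt so that protected directories are readable. Two caveats before treating a hit as malicious: on older Windows versions and PowerShell releases, many genuine operating-system files are catalog-signed rather than embedded-signed and will show up as NotSigned here, so verify hits against the system catalog (for example with Sysinternals sigcheck) before escalating; and a file that is already gone, as Flame’s self-wiping capability suggests, will not appear at all, which is why the SHA-256 of any survivor is worth recording the first time the scan is run.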