The information security industry is now focused on a new attack vector that seems like it might be modeled on the Stuxnet worm, discovered in June 2010, and the Duqu worm, which was identified last September.
The new threat is known by a number of different names, including “Flame,” “Viper,” and “Skywiper.” It was found over the weekend in the Middle East, most notably used against Iran. While there is widespread speculation that this development represents some sort of state-on-state attack, the validity of this theory is far from proven.
The worm’s capabilities are quite extensive, and full investigation is likely to go on for months. But known capabilities include information theft, the ability to detect more than 100 security products, the ability to scan network resources, and the ability to take screenshots and record voice conversations. It communicates with its command-and-control servers over the SSH and HTTPS protocols.
“The thing that jumps out at me the most is the amount of encryption,” said Dave Marcus, director of advanced research and threat intelligence at McAfee. “There are a lot of similarities with other attacks, but the level of encryption that went into this one is significant.”
While Flame does not appear to be an imminent threat to corporate networks outside the Middle East at this point, Marcus added that some of its functionality might reappear in other forms.
“The long-term concern is that malware writers tend to co-opt each other's code,” Marcus said. “The code used in Flame is particularly modular, so long-term this will have effects on other malware because they will be able to drop modules from this worm into new attacks.”
The level of encryption does not appear problematic to Vikram Thakur, principal security response manager at Symantec. “We can decrypt and understand this,” he said. “It just takes more time to do so.
“We have a pretty extensive understanding of what Flamer does. The part that we’re missing is how it does certain things, but I think we will be able to figure out those things, as well.”