Flame seems to be able to propagate itself through a wide variety of media and has the ability to fully wipe itself on command, thereby making it far more difficult to track where on the network the adversary has been.
“This particular vector is kind of unique,” said Darien Kindlund, senior staff scientist, FireEye, which develops advanced malware analysis capabilities. “We haven't really seen attacks like this over web-based email attachments or drive-by downloads. So it's likely the initial attack vector was through mobile media.”
“Depending upon which platform you are running and what patch level, there are slightly different changes and indicators,” Kindlund added. “This particular piece of malware is not as stealthy as some of the others. For example, it does quite a bit of code injection. So as long as your endpoint protection systems are in place and updated, you should be able to detect any threats related to this.”
McAfee’s Marcus agreed. “I would recommend that partners look at the customer’s settings, and how their customer security is deployed. Are the settings correct? Something as simple as a setting configuration can make you miss an awful lot of attacks. You also need to consider the level of suspicion and make sure that you are looking at things at the proper level of granularity.”
The main module pretends to be a “Windows Authentication Client” for Microsoft Windows Version 5.1 (2600 Build). Several other modules also claim to be Microsoft Windows components. But none of the files analyzed appear to be signed with a valid, or even a stolen, key.
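One check a defender can run against the indicator just described, as an added PowerShell example (not code from the article or from any vendor quoted in it): list executables whose version resource claims to be a Microsoft Windows component but whose Authenticode signature does not verify. The scan paths are assumptions; adjust them to the scope you want to cover.

```powershell
# Added example, not from the article: find files that claim Microsoft ownership
# in their version resource yet carry no valid Authenticode signature. Flame's
# modules posed as Windows components without a valid signing key, so this
# mismatch is a useful lead for triage. The default paths are assumptions.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\Temp", "$env:TEMP")
)

$results = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Include *.exe,*.dll,*.ocx -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Only files whose version resource claims to be Microsoft / Windows
            if ($vi.CompanyName -match 'Microsoft' -or $vi.ProductName -match 'Windows') {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path        = $_.FullName
                        Description = $vi.FileDescription
                        CompanyName = $vi.CompanyName
                        FileVersion = $vi.FileVersion
                        SigStatus   = $sig.Status
                        Signer      = $sig.SignerCertificate.Subject
                        SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
        }
}

# Review the leads; hashes can be compared against vendor indicators.
$results | Sort-Object Path | Format-Table -AutoSize
```

Treat the output as leads rather than verdicts: on older Windows releases Get-AuthenticodeSignature does not consult signature catalogs, so legitimate catalog-signed system files can show up as NotSigned and need a second look against a known-good baseline.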