

Kaspersky Finds New Man-In-The-Middle Attack Within The Flame Worm

By Ken Presti
June 04, 2012    5:53 PM ET

Page 2 of 2

Kaspersky has identified more than 20 different server IP addresses, and the five that the company has closely examined appear to be running Ubuntu Linux. The SSL certificates used by the Flame C&C are all self-signed, and the certificate of the last active domain, which was in the Netherlands, seems to have been generated on May 18.

At the moment, Flame infections have been found in 23 countries; the most notable being Iran, with 185 victims. Israel has the second highest number of victims at 95, and the United States currently ranks in sixth place with 11.

PDF documents, Office files and AutoCAD drawings appear to be heavily targeted by the attackers. Data uploaded to the command-and-control servers is encrypted using relatively simple algorithms.

Kaspersky also notes that the command-and-control infrastructure suddenly went offline last week when news about the Flame malware began to spread, yet the operation somehow remains active.

"Even though the known C&C servers went offline last Monday, we see evidence that some victims have received Flame updates within the past week," Roel Schouwenberg, senior researcher at Kaspersky Labs, said at a news conference this morning. "It is entirely possible that there is an unknown update mechanism. We don’t have all the modules, so there can be something to that."

Security experts describe Flame as one of the most interesting and complex malicious programs they have ever seen. Schouwenberg speculates that Flame’s capabilities might extend beyond cyber-espionage and be able to commit acts of cyber-sabotage, though he stresses that this is still conjecture.

"It’s almost impossible to completely protect your enterprise 100 percent of the time," Schouwenberg said. "So enterprises need to look at their core businesses, determine the things that they most need to protect and invest their resources in those directions."

Dan Hibbard, CTO of OpenDNS, took Schouwenberg’s point one step further. "We need to change the way we think about security," he told the news conference. "Right now, it’s about protection and defense. I think we need to move to the mindset that things will get in, which means we need to think about both preventing, maintaining and deciding what we are going to do when something gets into the network."
