Kaspersky Finds New Man-In-The-Middle Attack Within The Flame Worm

Kaspersky has identified more than 20 different server IP addresses, and the five that the company has closely examined appear to be running Ubuntu Linux. The SSL certificates used by the Flame C&C are all self-signed, and the certificate of the last active domain, which was in the Netherlands, seems to have been generated on May 18.

At the moment, Flame infections have been found in 23 countries; the most notable being Iran, with 185 victims. Israel has the second highest number of victims at 95, and the United States currently ranks in sixth place with 11.

PDF documents, Office files and AutoCAD drawings appear to be heavily targeted by the attackers. Data uploaded to the command-and-control servers is encrypted using relatively simple algorithms.

Kaspersky also notes that the command-and-control infrastructure suddenly went offline last week when news about the Flame malware began to spread, yet the operation somehow remains active.

"Even though the known C&C servers went offline last Monday, we see evidence that some victims have received Flame updates within the past week," Roel Schouwenberg, senior researcher at Kaspersky Labs, said at a news conference this morning. "It is entirely possible that there is an unknown update mechanism. We don’t have all the modules, so there can be something to that."

Security experts describe Flame as one of the most interesting and complex malicious programs they have ever seen. Schouwenberg speculates that Flame’s capabilities might extend beyond cyber-espionage and be able to commit acts of cyber-sabotage, though he stresses that this is still conjecture.

"It’s almost impossible to completely protect your enterprise 100 percent of the time," Schouwenberg said. "So enterprises need to look at their core businesses, determine the things that they most need to protect and invest their resources in those directions."

Dan Hibbard, CTO of OpenDNS, took Schouwenberg’s point one step further. "We need to change the way we think about security," he told the news conference. "Right now, it’s about protection and defense. I think we need to move to the mindset that things will get in, which means we need to think about both preventing, maintaining and deciding what we are going to do when something gets into the network."
