The Flame: Questions and Answers

Hey, Duqu exploited a zero-day vulnerability that had nothing to do with the autorun misfeature. Disabling autorun is very useful, but not a panacea. Granted that USB drives should be prohibited anywhere important, Flame would work perfectly well on an "unimportant" desktop (and probably will soonish, once the blackhats get their hands on it).

 

Webroot strikes a different chord on 'Flame', compared to other security software/AV companies;

'A Webroot spokesperson says the security vendor takes issue with the hyperbolic claims about ‘Flame’, and claims the underlying threat has been known since 2007. “In terms of sophistication we believe it is nowhere near Zeus, Spyeye or TDL4 for example. Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it--essentially a 2007 era technology.

There is one element of ‘Flame’ that Webroot believes may be unique, though. Many antimalware tools use some form of reputation analysis to help determine if a given program is malware or not. Essentially, if the executable has been seen before, and hasn’t done any previous harm it gets a bit of a “free pass”--it has proven itself and earned some level of trust.' link

 

Cheap Trick

 

I was surprised at the amount of ActiveX files used in this malware ! I'm not sure how often these are used these days in nasties ? but several years ago they used to feature quite heavily as part of, fr eg, IE exploits.

No signed drivers are used, which "appear" to sail right through Completely unchecked !

This is interesting from the CrySyS Lab's PDF

PREVENTION of sKyWIper infection

If you have in place something/s that will intercept/block, rundll32.exe - iexplore.exe - windowsupdate - .SYS's .EXE's .DRV's you will be safe

Also if you have something/s that will intercept/block Wscript.exe & .DAT such as ScriptDefender, you should be prompted for those Nasties which make use of them to run.

I make use of All the above so i'm not worried about sKyWIper, or any other nasty. I also use ShadowDefender too

 

Umm, ActiveX?

I'm a bit foggy on Windows, but can that be disabled globally, even for localhost? Because if it can, I would expect "disabling ActiveX globally" to be one of the first things anyone would do on a production system. Maybe that would offer some protection?

(And maybe it would indicate that someone did drop the ball. Ho hum.)

 

Has any variants been discovered? How is the payload typically delivered? What type of OS's are affected by this virus?

 

Lots of good info here: https://www.wilderssecurity.com/showthread.php?t=325074

TH

 

Agreed 100%

 

More Kaspersky analysis: https://www.securelist.com/en/blog/208193538/Flame_Bunny_Frog_Munch_and_BeetleJuice

FireEye analysis: http://blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html

 

Here are 2 Videos from CNN on this malware!

-http://www.cnn.com/video/#/video/tech/2012/05/29/flame-malware.cnn

-http://www.cnn.com/video/#/video/bestoftv/2012/05/30/exp-eb-proxy-war-with-iran.cnn

TH

 

Kaspersky said they first discovered it in May of 2010, but Prevx (WSA) says they discovered it in December of 2007. They said they didn't make a big deal out of it because it was not that technically advance in comparison with other pieces of malware they had discovered. If they had known at the time it was most likely developed by a Nation State, and targeting Iran i'm sure they would have made a bigger deal out of it.

 

Yet more on this from the ESET Threat Blog; http://blog.eset.com/2012/05/29/flamer-the-21st-century-whale

Interesting to note the suggestion that module compilation dates could have been 'manipulated' to obscure exactly when this exploit first saw the light of day!

 

I'm not sure. Since Webroot is based in US, and that malware is targeting Iran with the purpose of collecting intel, wouldn't be anti-patriotic to make a big fuss out of it?

 

From a preventative standpoint, there is only one relevant piece of information so far:

The Flame: Questions and Answers
http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

Behind the 'Flame' malware
http://news.cnet.com/8301-1009_3-57...lame-malware-spying-on-mideast-computers-faq/

(mybolding)

While the analysis of what this malware does once installed may be fodder for good headlines, it's rather inconsequential from a preventative point of view, since it first has to install to do anything, as did Stuxnet, Conficker, and other sensational malware, all easily preventable with proper security measures in place.

So, as a friend says, Show me the URL (or email w/attachment; or booby-trapped USB stick) and let's see how far it gets.

One can speak only for herself/himself, of course.

----
rich

 

I managed to find 2 CLSID's to block

https://www.wilderssecurity.com/showthread.php?p=2064663#post2064663

 

Right...

This "super OMG advanced piece of malware" still relies on execution and would be immediately halted with a software restriction policy or anti-executable policy.

 

The fuss would have been that it was developed by any Nation State, and released upon the net. We all know it happens, but the media still likes to make a big deal out of it.

 

Ok, so in conclusion, flame are not that sophisticated

 

Or even a very, very basic scan-string antimalware signature. There is nothing advanced about this threat at all. Additionally, it can be removed literally with a batch script - not exactly armored

 

just a question How did the Hips approach to security react to this ?

did anyone try this against OA / MD / Comodo D+ ?

 

Some info of Flame domain registrations:

http://blog.opendns.com/2012/06/01/unique-insight-into-flame-malware/

 

Let say i have windows and software all upto date fully pached and internet security suite or combo of sandbox firewall antivirus bla.....bla ....bla


then i installed untrusted vendor software for free VPN let him give access to bypass all my security and install its crap software for high security or p2p

now who should i blame for

windows

my security suite or bla bla software

or

myself for giving full access of my system and letting my firewall/router bypass through it.



i agree with Mrk

its all about mind game

 

Some more info about Flame: http://www.securelist.com/en/blog/2...dle_Flame_malware_spreading_vector_identified

 

“Flame” / “Flamer” / “Skywiper”

Just listened to a very interesting audio with Steve Gibson and Leo LaPorte on this newly discovered threat.

Steve went in depth on what we currently know about it.

www.grc.com/SecurityNow.htm#66

"Poking Holes in TCP" Episode #355 | 30 May 2012 | 77 min.

 

Thanks for this. It confirms my thought that the analyses show that the modules and components noted in the Flame "toolkit" are downloaded after the initial infection -- the attack vector/initial entry point have not yet been determined:

----
rich