The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. Hey, Duqu exploited a zero-day vulnerability that had nothing to do with the autorun misfeature. Disabling autorun is very useful, but not a panacea. Granted that USB drives should be prohibited anywhere important, Flame would work perfectly well on an "unimportant" desktop (and probably will soonish, once the blackhats get their hands on it).
     
  2. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Webroot strikes a different chord on 'Flame', compared to other security software/AV companies;

    'A Webroot spokesperson says the security vendor takes issue with the hyperbolic claims about ‘Flame’, and claims the underlying threat has been known since 2007. “In terms of sophistication we believe it is nowhere near Zeus, Spyeye or TDL4 for example. Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it--essentially a 2007 era technology.

    There is one element of ‘Flame’ that Webroot believes may be unique, though. Many antimalware tools use some form of reputation analysis to help determine if a given program is malware or not. Essentially, if the executable has been seen before, and hasn’t done any previous harm it gets a bit of a “free pass”--it has proven itself and earned some level of trust.
    ' link
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,967
    Cheap Trick :D
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    I was surprised at the amount of ActiveX files used in this malware ! I'm not sure how often these are used these days in nasties ? but several years ago they used to feature quite heavily as part of, fr eg, IE exploits.

    No signed drivers are used, which "appear" to sail right through Completely unchecked !

    This is interesting from the CrySyS Lab's PDF :thumb:

    PREVENTION of sKyWIper infection

    If you have in place something/s that will intercept/block, rundll32.exe - iexplore.exe - windowsupdate - .SYS's .EXE's .DRV's you will be safe :)

    Also if you have something/s that will intercept/block Wscript.exe & .DAT such as ScriptDefender, you should be prompted for those Nasties :) which make use of them to run.

    I make use of All the above ;) so i'm not worried about sKyWIper, or any other nasty. I also use ShadowDefender too :thumb:
     
  5. Umm, ActiveX?

    I'm a bit foggy on Windows, but can that be disabled globally, even for localhost? Because if it can, I would expect "disabling ActiveX globally" to be one of the first things anyone would do on a production system. Maybe that would offer some protection?

    (And maybe it would indicate that someone did drop the ball. Ho hum.)
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Has any variants been discovered? How is the payload typically delivered? What type of OS's are affected by this virus?
     
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,044
    Location:
    Ontario, Canada
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Agreed 100% :thumb:
     
  9. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,411
    Location:
    Surrey, England.
    More Kaspersky analysis: https://www.securelist.com/en/blog/208193538/Flame_Bunny_Frog_Munch_and_BeetleJuice

    FireEye analysis: http://blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html
     
    Last edited: May 30, 2012
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,044
    Location:
    Ontario, Canada
    Here are 2 Videos from CNN on this malware!

    -http://www.cnn.com/video/#/video/tech/2012/05/29/flame-malware.cnn

    -http://www.cnn.com/video/#/video/bestoftv/2012/05/30/exp-eb-proxy-war-with-iran.cnn

    TH
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Kaspersky said they first discovered it in May of 2010, but Prevx (WSA) says they discovered it in December of 2007. They said they didn't make a big deal out of it because it was not that technically advance in comparison with other pieces of malware they had discovered. If they had known at the time it was most likely developed by a Nation State, and targeting Iran i'm sure they would have made a bigger deal out of it.
     
  12. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
  13. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    I'm not sure. Since Webroot is based in US, and that malware is targeting Iran with the purpose of collecting intel, wouldn't be anti-patriotic to make a big fuss out of it?
     
    Last edited: May 31, 2012
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    From a preventative standpoint, there is only one relevant piece of information so far:

    The Flame: Questions and Answers
    http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
    Behind the 'Flame' malware
    http://news.cnet.com/8301-1009_3-57...lame-malware-spying-on-mideast-computers-faq/
    (mybolding)

    While the analysis of what this malware does once installed may be fodder for good headlines, it's rather inconsequential from a preventative point of view, since it first has to install to do anything, as did Stuxnet, Conficker, and other sensational malware, all easily preventable with proper security measures in place.

    So, as a friend says, Show me the URL (or email w/attachment; or booby-trapped USB stick) and let's see how far it gets.

    One can speak only for herself/himself, of course.

    ----
    rich
     
    Last edited: May 31, 2012
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
  16. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Right...

    This "super OMG advanced piece of malware" still relies on execution and would be immediately halted with a software restriction policy or anti-executable policy. :thumb:
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    The fuss would have been that it was developed by any Nation State, and released upon the net. We all know it happens, but the media still likes to make a big deal out of it.
     
  18. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Ok, so in conclusion, flame are not that sophisticated o_O
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Or even a very, very basic scan-string antimalware signature. There is nothing advanced about this threat at all. Additionally, it can be removed literally with a batch script - not exactly armored ;)
     
  20. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    just a question How did the Hips approach to security react to this ?

    did anyone try this against OA / MD / Comodo D+ ?
     
  21. tomazyk

    tomazyk Guest

  22. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Let say i have windows and software all upto date fully pached and internet security suite or combo of sandbox firewall antivirus bla.....bla ....bla


    then i installed untrusted vendor software for free VPN let him give access to bypass all my security and install its crap software for high security or p2p

    now who should i blame for

    windows

    my security suite or bla bla software

    or

    myself for giving full access of my system and letting my firewall/router bypass through it.

    :rolleyes:

    i agree with Mrk

    its all about mind game
     
  23. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    804
    Some more info about Flame: http://www.securelist.com/en/blog/2...dle_Flame_malware_spreading_vector_identified
     
  24. Stonepuppet

    Stonepuppet Registered Member

    Joined:
    Nov 11, 2010
    Posts:
    5
    “Flame” / “Flamer” / “Skywiper”

    Just listened to a very interesting audio with Steve Gibson and Leo LaPorte on this newly discovered threat.

    Steve went in depth on what we currently know about it.

    www.grc.com/SecurityNow.htm#66

    "Poking Holes in TCP" Episode #355 | 30 May 2012 | 77 min.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Thanks for this. It confirms my thought that the analyses show that the modules and components noted in the Flame "toolkit" are downloaded after the initial infection -- the attack vector/initial entry point have not yet been determined:

    ----
    rich
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.