Secplicity - Security Simplified

Powered by WatchGuard Technologies

What is the "Flame" Worm and Should I Worry About It?

May 31, 2012 By Corey Nachreiner

If you’ve followed security or technical news over the last few days, you’ve probably heard about the “Flame” worm. This interesting new piece of malware belongs to a class of attack called an Advanced Persistent Threat (APT), and it’s making headlines worldwide. As a result, many of you may be wondering whether this nasty-sounding malware will affect your organization. My short answer is, “probably not,” but read on to learn more.

Let’s start with the basics. Kaspersky Labs — one of WatchGuard’s Antivirus (AV) partners — was one of the first to discover and analyze the “Flame” worm (Worm.Win32.Flame). According to their analysis so far, Flame is one of the largest and most complex malware samples they have ever seen. As such, they haven’t finished their full investigation of this malware, but here’s a quick summary of what they know so far:

  • Flame is primarily an information-stealing toolkit and backdoor trojan, but it also has worm-like capabilities that allow it to spread over local networks and USB storage.
  • Its information-stealing capabilities include network sniffing, keystroke logging, screenshot snapping, and even audio recording. It can also collect data about Bluetooth devices in the vicinity. It shares all this stolen data over an encrypted Command and Control (C&C) channel.
  • It is one of the largest pieces of malware Kaspersky has seen, at around 20MB, and it contains over 20 different modules. Its author also created it using a scripting language (Lua) that malware writers don’t typically use.
  • Rather than running as an executable file like typical malware, Flame loads itself as a number of malicious DLL files at boot.
  • Kaspersky believes the author originally created the malware in 2010.
  • Flame is targeted. Its infections seem limited to various organizations in Middle Eastern countries, with a primary focus on Iran. It also does not appear to have spread widely (under 400 known infections).

All that said, one thing we don’t know yet is how Flame initially infects its victim. Since this is a very targeted attack, I doubt Flame’s initial infection vector is automated in any way, nor launched on a massive scale. Rather, the attackers probably directly target specific organizations, and may even leverage different infection vectors for each target. If you add up all these facts, you can probably see why many experts consider Flame an APT attack similar to Stuxnet and Duqu. While none of the researchers analyzing this malware can prove it yet, most suspect that a nation-state actor created the Flame malware for cyber-espionage.

This brings us back to our original question, “Should I worry about the Flame malware?” Unless you’re an administrator of a state- or education-related industry in the Middle East, Flame will probably never directly affect you. So, no. I don’t think typical organizations have anything to worry about from Flame. Furthermore, now that AV organizations have identified Flame, they have released signatures to detect and remove its known variants. If you use any of the top AV products, and keep those products up-to-date, you are protected from Flame infections. More specifically, if you’re a WatchGuard customer, our XCS and XTM appliances will protect you from the Flame worm. We partner with both Kaspersky and AVG to deliver Gateway Antivirus to these appliances, and both our partners have signatures to detect Flame.

From a security industry perspective, Flame is a very interesting malware sample. It leverages more advanced attack techniques than typical malware and likely comes from a nation-state attacker, which is why it has garnered so much media attention. However, Flame is probably not going to directly affect normal organizations. If you’ve been worried about this headline-grabbing worm, you can probably stop. Even if this targeted attack started affecting organizations outside the Middle East, WatchGuard and Antivirus products have you covered.  — Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Security Bytes Tagged With: linux, remote root, Samba, Updates and patches

Comments

  1. Ray W. says

    May 31, 2012 at 7:53 am

    Corey, thanks for the analysis, timely and to the point! With that said, I’m wondering how long it will be before someone turns this around and points it “our way” (US, and other Western countries). I could see them chopping out pieces, repackaging them, and automating the delivery.. fun for us all…

    • Corey Nachreiner says

      June 1, 2012 at 3:19 am

      You are entirely right. First, while it may not actually be the “flame” toolkit, I believe nation-states have and are already launching these same types of cyber-espionage attacks against US organizations. So while I don’t think Flame specifically will affect the US, I wouldn’t be surprised if there are other APT-like malware samples already infecting our government and big private organizations.

      Also, in general I believe all the new attack techniques being leveraged in these advanced, likely nation-state sponsored attacks, will eventually affect all businesses. As the public becomes aware of malware like Stuxnet, Duqu, and Flame, and as researchers decompile and analyze these, criminal organizations that are responsible for more run-of-the-mill malware are paying close attention. Many traditional malware variants (for instance, Zeus) have started leveraging the techniques and attacks they see in these APT threats. So I think this advanced malware is evolving all malware quicker, which will affect everyone.
