If you’ve followed security or technical news over the last few days, you’ve probably heard about the “Flame” worm. This interesting new piece of malware belongs to a class of attack called an Advanced Persistent Threat (APT), and it’s making headlines worldwide. As a result, many of you may be wondering whether or not this nasty sounding malware will affect your organization. My short answer is, “probably not,” but read on to learn more.
Let’s start with the basics. Kaspersky Labs — one of WatchGuard’s Antivirus (AV) partners — was one of the first to discover and analyze the “Flame” worm (Worm.Win32.Flame). According to their analysis so far, Flame is one of the largest and most complex malware samples they have ever seen. As such, they haven’t finished their full investigation of this malware, but here’s a quick summary of what they know so far:
- Flame is primarily an information stealing toolkit and backdoor trojan, but it also has worm-like capabilities that allows it to spread over local networks and USB storage.
- Its information stealing capabilities include network sniffing, keystroke logging, screenshot snapping, and even audio recording. It also can collect data about Bluetooth devices in the vicinity. It shares all this stolen data over an encrypted Command and Control (C&C) channel.
- It is one of the largest pieces of malware Kaspersky has seen, at around 20MB, and it contains over 20 different modules. Its author also created it using a scripting language (Lua) that malware writers don’t typically use.
- Rather than running as an executable file like typical malware, Flame loads itself as a number of malicious DLL files at boot.
- Kaspersky believes the author originally created the malware in 2010.
- Flame is targeted. Its infections seem limited to various organizations in Middle Eastern countries, with a primary focus on Iran. It also does not appear to have spread widely (under 400 known infections).
All that said, one thing we don’t know yet is how Flame initially infects its victim. Since this is a very targeted attack, I doubt Flame’s initial infection vector is automated in any way, nor launched on a massive scale. Rather, the attackers probably directly target specific organizations, and may even leverage different infection vectors for each target. If you add up all these facts, you can probably see why many experts consider Flame an APT attack similar to Stuxnet and Duqu. While none of the researchers analyzing this malware can prove it yet, most suspect that a nation-state actor created the Flame malware for cyber-espionage.
This brings us back to our original question, “Should I worry about the Flame malware?” Unless you’re an administrator of a state or education related industry in the Middle East, Flame will probably never directly affect you. So, no. I don’t think typical organizations have anything to worry about Flame. Furthermore, now that AV organizations have identified Flame, they have released signatures to detect and remove its known variants. If you use any of the top AV products, and keep those products up-to-date, you are protected from Flame infections. More specifically, if you’re a WatchGuard customer, our XCS and XTM appliances will protect you from the Flame worm. We partner with both Kaspersky and AVG to deliver Gateway Antivirus to these appliances, and both our partners have signatures to detect Flame.
From a security industry perspective, Flame is a very interesting malware sample. It leverages more advanced attack techniques than typical malware and likely comes from a nation-state attacker, which is why it has garnered so much media attention. However, Flame is probably not going to directly affect normal organizations. If you’ve been worried about this headline-grabbing worm, you can probably stop. Even if this targeted attack started affecting organizations outside the Middle East, WatchGuard and Antivirus products have you covered. — Corey Nachreiner, CISSP (@SecAdept)