Putting out the Flames
Stop me if you’ve heard this one before: there is a new piece of malware and this one is even worse than the last one. It is bigger, scarier, more complex and will take years, according to some estimates, to actually ever know what the malware really does. And of course it already has a plethora of names depending on which anti-virus company or research group tried to stake their claim of being the first to discover it. Welcome to this month’s installment of Scary Malware Theater, starring Flame.
While the anti-virus industry does as they always do and spends the vast majority of their time breaking down this piece of malware in a game of “let my firm tell the media some new interesting fact before the competing firm” the rest of you actually working in the real world of IT are stuck wondering when you will be hit by this malware (or the next one) and why this constant cycle of reactive discovery seems to have no end.
Don’t get lost in all of the noise though; the reality is this malware attack is still limited in scope and from all that we know so far, it is very easily preventable with the right solutions and process. Yes, that’s right, a security company just told you to relax, breathe and respond, not just react. We want to help by providing some context.
Success in security does not come from the constant cycle of malware analysis but rather the relentless analysis of the ways that malware can get onto a system in the first place. That is to say we need to work towards proper IT security practices that reduce attack surface and provide streamlined operational processes for doing something about preventing these attacks.
To that end, for the tireless IT and security folks at large and customers of eEye and BeyondTrust, I want to break down how this malware is currently known to spread and what you can do about it.
The Flame malware is currently leveraging two older Microsoft vulnerabilities that have been patched since August and September of 2010 (specifically, Microsoft Security Bulletins MS10-046 and MS10-061).
In this case you should have a proper vulnerability and patch management process within your organization to verify that you do not have these unpatched vulnerabilities which Flame has been known to use.
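As an added example (not eEye/BeyondTrust code), the following PowerShell script checks a list of hosts for the two Microsoft fixes named above, using the KB numbers the bulletins carry (2286198 for MS10-046, 2347290 for MS10-061), and flags any host where either is missing. It assumes the account running it can query hotfix information remotely; `$computers` is a constructed placeholder list.

```powershell
# Added example, not part of the original post: verify that the patches for
# MS10-046 and MS10-061 are installed on each host and report the gaps.
$patches = @{
    'MS10-046' = 'KB2286198'   # Windows Shortcut (LNK) remote code execution
    'MS10-061' = 'KB2347290'   # Print Spooler remote code execution
}
$computers = @('localhost')    # constructed placeholder; replace with your host list

foreach ($c in $computers) {
    try {
        # Get-HotFix returns the installed QFE updates; we only need the KB IDs
        $installed = Get-HotFix -ComputerName $c -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        Write-Warning "$c : could not query hotfixes ($($_.Exception.Message))"
        continue
    }
    foreach ($bulletin in $patches.Keys) {
        $kb = $patches[$bulletin]
        if ($installed -contains $kb) {
            Write-Output "$c : $bulletin ($kb) installed"
        } else {
            Write-Output "$c : $bulletin ($kb) MISSING - prioritize deployment"
        }
    }
}
```

Systems that received these fixes through a later service pack or cumulative update may not list the individual KB ID, so treat a "MISSING" result as a prompt to confirm with a vulnerability scan rather than as proof of exposure.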
Secondarily, the Flame malware has been shown to have capabilities to leverage Windows Domain Administrator credentials to spread to other systems. While investigation is still ongoing, it is recommended that best practices be followed to ensure your organization is running with “least privilege” user accounts, so that malware cannot as easily embed itself within a system and propagate further.
Specifically for eEye (now BeyondTrust) customers and community users, there are many ways that the BeyondTrust Retina CS Vulnerability Management platform can help you get visibility and control over this Flame malware. If you don’t already use our free Retina Community security products, now is as good a time as any to go grab them. Go ahead, we’ll wait right here.
Flame Vulnerability/Malware/Attack Identification
BeyondTrust’s flagship Retina CS Vulnerability Management solution has the capability to identify both systems infected with the Flame malware and systems with vulnerabilities that the Flame malware can leverage for infection. The following are the relevant product-related audits and identifiers.
Detection of Flame malware
Retina Network Security Scanner
- Audit ID: 16484 – Audit Name: Flame/sKyWIper Malware Detected – Modules
- Audit ID: 16486 – Audit Name: Flame/sKyWIper Malware Detected – ~DEB93D.tmp
- Audit ID: 16487 – Audit Name: Flame/sKyWIper Malware Detected – Registry
- Audit ID: 16488 – Audit Name: Flame/sKyWIper Malware Detected – Audio Driver
Blink Endpoint Security
- Malware Signature Name: W32/Flamer.A
Blink Endpoint Security/Retina Protection Agent
- Rule ID: 10133 – Attack Rule Name: Print Spooler RCE Attack
- Rule ID: 110287 – Attack Rule Name: LNK File Attack
Detection of Flame vulnerabilities
Microsoft Bulletin MS10-046
- Audit ID: 13247 – Audit Name: Microsoft Windows Shortcut Remote Code Execution (2286198)
Microsoft Bulletin MS10-061
- Audit ID: 13426 – Audit Name: Microsoft Windows Print Spooler Remote Code Execution (2347290) – Remote
- Audit ID: 13432 – Audit Name: Microsoft Windows Print Spooler Remote Code Execution (2347290)
Remediation of Flame vulnerabilities
- Retina CS has the ability to do patching of Microsoft and third party application vulnerabilities in a closed loop process that takes you all the way from identifying vulnerabilities, such as those used by Flame, to remediation, through the deployment of a patch.
- Retina CS specifically has the capability to automate the deployment of the two known Microsoft vulnerabilities that Flame has been leveraging.
The most important thing about the solutions we provide our customers and the community is that we not only provide the most comprehensive means to identify, prevent and remediate even the most sophisticated attacks but we do so in a way that is operationally efficient – true Context Aware Security Intelligence.
To that end I will close this blog post with a screen shot of a simple “Smart Rule” group that customers and the community can create to get, in under a minute, a quick view of what the Flame malware means to your organization. I hope this shows how quickly our solutions can give you back the visibility and control of security in your organization, cut through the noise, and get down to what the scary “threat of the moment” really means to you.
Marc – great analysis and breakdown, thank you. The coverage provided from eEye’s free tools is pretty impressive. Will you and your team be covering Flame on the VEF coming up in a couple weeks?
McAfee agrees that ‘Flame’ is similar to Stuxnet and Duqu, but also notes that it’s much more complex and has notable differences as well. The ‘Flame’ code is modular, extendable and updateable, and capable of a wide range of covert, malicious behaviors. ‘Flame’ can steal data, capture screen shots, record audio using the compromised system’s microphone–but that just barely scratches the surface.
Stuxnet and Duqu are both impressive in their own right, and ‘Flame’ seems to be an order of magnitude more complex than these “sibling” cyber attacks. One security vendor isn’t as impressed, though, and believes that the response to ‘Flame’ essentially amounts to spreading FUD (fear, uncertainty, and doubt).
A Webroot spokesperson says the security vendor takes issue with the hyperbolic claims about ‘Flame’, and claims the underlying threat has been known since 2007. “In terms of sophistication we believe it is nowhere near Zeus, Spyeye or TDL4 for example. Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it–essentially a 2007 era technology.”
There is one element of ‘Flame’ that Webroot believes may be unique, though. Many antimalware tools use some form of reputation analysis to help determine if a given program is malware or not. Essentially, if the executable has been seen before, and hasn’t done any previous harm it gets a bit of a “free pass”–it has proven itself and earned some level of trust.
Webroot feels that the amount of time that has passed between the initial development of the underlying ‘Flame’ code and its active use as a tool for cyber espionage or cyber warfare may have been an intentional effort to game the reputation system and sneak in under the radar.
Early analysis suggests that ‘Flame’ is a complex, sophisticated threat. In terms of the actual size of the programming code behind it, ‘Flame’ is massive. Depending on the source, though, ‘Flame’ is either the most dangerous, insidious malware threat ever discovered, or simply a solid cyber attack that caught much of the industry with its proverbial pants down.
Thanks Marc!
After analyzing this myself, I agree it’s another ‘Look at Us’ attempt from the IT Media to exaggerate the subject. I can’t imagine this malware being on a network that utilizes proper patch management, regular auditing, and Risk Analysis and Management.