Flame – Malware on Steroids

Flame is in the news.  What is Flame?  It is a large piece of malware that is used to spy on its victims.  Flame takes numerous cyberspying techniques and packages them together into a comprehensive suite of bad news.  Flame can record keystrokes, screenshots and Skype sessions.  It can turn on your microphone and listen in on conversations.  It can hijack Bluetooth devices.

You can watch a discussion about Flame between a former CIA official and a security expert on the PBS Newshour.

Flame also demonstrates the general problem with anti-virus.  Until the malware is identified, it operates undetected.  The Kaspersky blog notes:

Kaspersky has seen multiple versions of the Flame attack toolkit in the wild and called Flame “the most sophisticated cyber weapon yet unleashed.” If it’s been floating around for a couple years at least before discovery, it would seem possible there are even more advanced attack toolkits, more sophisticated cyber weapons lurking, working and awaiting discovery.

Iranian CERT reports that Flame went undetected by 43 different security programs.  The authors of Flame were able to do this by understanding how security software works and then avoiding the things that security software detects.  No doubt, the authors of malware will use the new Flame detection software to create a new generation of malware that Flame detectors can’t find.

While the focus has been on the problems that Flame causes after it is installed, little has been said about how Flame enters a network.  Roel Schouwenberg, senior researcher at Kaspersky, speculates that Flame’s initial entry into a network is through a spearphishing email that delivers a zero-day exploit.  Spearphishing is a social engineering attack in which the attacker creates a highly personalized email that deceives the recipient into acting.  You can see how this is done by viewing “Spearphishing – The Movie.”

In order to prevent social engineering from deceiving the email recipient, SP Guard from Iconix modifies the email client’s display to provide a visual indicator of the identity of the sender of an email.  This is an example from Outlook, the popular business email client, in which a company called “MyCo” marks its internal messages as well as those from trusted partners such as its law firm.  Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy-to-recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.
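The three indicators above all rest on the client first deciding which messages count as authentic.  As an added example, and not Iconix’s or SP Guard’s code, here is one way such a decision can be made: a trust list of sender domains (constructed for the fictional MyCo and its law firm) combined with the DKIM verdict the receiving mail server recorded in the Authentication-Results header, so that a look-alike domain or a forged From header stays unmarked.  The domains, header values and messages are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed trust policy for the fictional "MyCo" from the post: its own
# domain plus one trusted partner (the law firm). Domains are made up.
TRUSTED_DOMAINS = {
    "myco.example": "MyCo internal",
    "lawfirm.example": "Trusted partner: law firm",
}

# Pulls the DKIM verdict and the signing domain (header.d=) out of an
# Authentication-Results header written by the receiving mail server.
DKIM_RESULT = re.compile(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", re.I)


def sender_label(raw_message):
    """Label to show in the inbox, or None when the message must stay unmarked."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    label = TRUSTED_DOMAINS.get(from_domain)
    if label is None:
        return None  # unknown or look-alike domain: never marked
    m = DKIM_RESULT.search(msg.get("Authentication-Results", ""))
    if m is None or m.group(1).lower() != "pass":
        return None  # no verified signature: the From header proves nothing
    if (m.group(2) or "").lower() != from_domain:
        return None  # signature belongs to a different domain (misaligned)
    return label


def raw(from_hdr, auth):
    """Builds a minimal constructed message as the mail server would hand it over."""
    return f"From: {from_hdr}\nAuthentication-Results: mx.myco.example; {auth}\n\nbody\n"


SAMPLE_INBOX = {
    "internal": raw("Alice <alice@myco.example>", "dkim=pass header.d=myco.example"),
    "lawfirm": raw("Counsel <counsel@lawfirm.example>", "dkim=pass header.d=lawfirm.example"),
    # look-alike domain, the spear-phishing case: validly signed, but not on the trust list
    "lookalike": raw("Counsel <counsel@lawfirrn.example>", "dkim=pass header.d=lawfirrn.example"),
    # forged From of a trusted domain: the receiving server could not verify a signature
    "forged": raw("Counsel <counsel@lawfirm.example>", "dkim=fail"),
}


def classify_inbox(inbox=SAMPLE_INBOX):
    """Returns {message name: label or None} for every message in the inbox."""
    return {name: sender_label(text) for name, text in inbox.items()}
```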

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342, ext. 3 or use our online form.
