Lessons Learned from FLAME
Author: Kyle Cooper, email@example.com
Unless you are a Middle Eastern nation state with a rogue nuclear program, chances are you have not been targeted by the authors of the latest "big thing" in information security: the Flame malware. There has been a lot of hype surrounding its discovery and complexity. Let's cut through the fear, uncertainty and doubt (FUD) to the facts and point out the features of this event that are most likely to shape the malware landscape going forward.
New Attack Vectors
The Flame malware achieved the "Holy Grail" of hacks by including a module that impersonates a Windows Update server on the local network (it answers other machines' proxy auto-discovery (WPAD) requests and serves its own payload), allowing it to silently infect devices under the guise of installing Microsoft patches. To achieve this, the malware authors needed a code-signing certificate that chained up to a Microsoft root. They did not steal one: they forged it with an MD5 chosen-prefix collision against Microsoft's Terminal Server Licensing certificate authority, which was still issuing MD5-signed certificates. These certificates are supposed to protect updates by giving machines a way to authenticate their source; Microsoft responded by revoking the affected intermediate certificates (Security Advisory 2718704) and hardening the Windows Update signing chain. Although this technique has not been spotted in the wild outside of Flame, you can bet the bad guys are hard at work researching how to incorporate it into malware targeting the everyday computer user. The practical check for defenders is simple: audit any certificate you trust, including internal CAs, and treat anything still signed with MD5 as untrustworthy.
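Here is an added example (not Flame's code, nor Microsoft's tooling) of that audit step: a minimal DER walker that reads the outer Certificate SEQUENCE, pulls out the signatureAlgorithm OID and flags MD5-based signatures. The two sample certificates are constructed by hand for the example; only their outer layout is realistic, and the body and signature bytes are dummies.

```python
"""Flag certificates whose signature algorithm is MD5-based.

Added example, not code from Flame or from Microsoft.  The sample
certificates are constructed in make_sample_cert(); they carry a dummy
body and signature and exist only to exercise the parser.
"""

# Signature algorithm OIDs from RFC 3279 / RFC 4055 (the dict name is ours).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}   # collision-prone: Flame's attack path


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OID content octets into dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs = [value[0] // 40, value[0] % 40]   # first octet packs the first two arcs
    acc = 0
    for b in value[1:]:                      # base-128, high bit set on all but last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (dotted OID, name) of a DER certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)              # tbsCertificate: not needed here
    tag, alg, _ = _read_tlv(cert, pos)             # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)                # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = _decode_oid(oid)
    return dotted, SIG_ALG_OIDS.get(dotted, "unknown")


def is_weak_signature(cert_der):
    """True when the certificate's signature algorithm is on the weak list."""
    return signature_algorithm(cert_der)[1] in WEAK_SIG_ALGS


# --- constructed sample input (not real certificates) -----------------------

def _der(tag, content):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Inverse of _decode_oid, used only to build the samples."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(sig_oid):
    """Stand-in certificate: real outer layout, dummy body and signature bytes."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # tbsCertificate with only a serial
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 32)               # BIT STRING, fake signature
    return _der(0x30, tbs + alg + sig)


MD5_CERT = make_sample_cert("1.2.840.113549.1.1.4")      # what Flame's forged cert used
SHA256_CERT = make_sample_cert("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for name, cert in (("md5 sample", MD5_CERT), ("sha256 sample", SHA256_CERT)):
        print(name, signature_algorithm(cert), "WEAK" if is_weak_signature(cert) else "ok")
```

On a real certificate the same answer comes from `openssl x509 -in cert.pem -noout -text`, which prints the "Signature Algorithm" line; the point of the parser is that the field lives at a fixed, easily reached position in the outer SEQUENCE, so a fleet-wide sweep of trusted and intermediate certificates needs no full X.509 library.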
New Design Possibilities
Due to its design, Flame has been called the "all in one virus-trojan-backdoor." The core of Flame is about 6 megabytes (MB). Because it is built in a modular manner, its controller can grow it to roughly 20MB, far larger than the malware we observe daily, which lets it carry practically any feature the controller needs. Flame contains modules for network sniffing, recording audio, key logging, detecting installed anti-virus products and more, including modules whose purpose researchers have not yet determined. These pluggable modules give attackers much more flexibility than currently available malware. This is a design technique others are sure to mimic going forward.
Innovation Trickles Down Across All Sectors
Stuxnet, a worm discovered two years ago, was recently reported to have been developed by the United States and Israel. Iran's uranium-enrichment program was targeted in an attempt to avoid kinetic warfare over its unsanctioned nuclear program. By some expert accounts, the malware delayed the program by up to two years, buying time for international negotiations to continue. However, the worm spread beyond its intended target and out onto the internet, where it was discovered and analyzed. Stuxnet showed that even nation states with good intentions and large budgets can lose control of their creations. While Stuxnet was designed to act only against very specific industrial control software driving enrichment centrifuges, Flame has much broader capabilities that anyone with malicious intent may find useful. As nation states get better at cyber offense, that innovation will eventually trickle down to those who will use it for less than honorable purposes.
It's important to keep perspective on this issue. Learning what we can from these events and preparing for the future is the only effective response; falling prey to hysteria will only leave you unprepared for the challenge ahead. Patch promptly, monitor your network proactively and have an incident response plan in place for your worst-case scenario.