U.S. companies, government not likely burned by Flame

U.S. companies and government entities probably don't have to worry about being burned by Flame, the super Trojan discovered several days ago by Moscow-based Kaspersky Lab and described by some analysts as the most sophisticated Advanced Persistent Threat yet encountered.

But that does not mean they shouldn't be worried. The likely reason they haven't been hit is that they are not targets. Flame's major targets were Iran, Israel and other areas of the Middle East. Mikko Hypponen of F-Secure, in a Q&A blog post, wrote: "Are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."

There is also the fact that it is an espionage tool, and was only useful while it remained a secret. Now that it is compromised, it is essentially out of business.

Still, the discovery of Flame (some are calling it sKyWIper) long after it was created -- some reports say it has been in existence since 2010, and others say it may go back as far as 2007 -- means there may be others like it out there in the wild, still undetected and siphoning crucial and confidential data from American firms and government entities ranging from elected officials to law enforcement and the military.

Gary McGraw, CTO of Cigital, said he hopes security vendors and enterprises alike will get beyond the panic and hype and use the discovery of Flame as a teachable moment.

"Every once in a while a security disaster sticks up like the top of an iceberg," he said. "That's an opportunity to teach people how to do it right. When I talk about this, I try to bring it back around to what is the root problem, which is that we're relying on systems that aren't secure. The only way to deal with it is to build software that doesn't suck."

No, he doesn't mean it is possible to build software that is impenetrable. "You're probably not going to be able to defend yourself against the U.S. government," he said, "but we're still a long way from making it no longer [financially] feasible," for the average cybercriminal to invade networks.

By now, there is general agreement on the basics about Flame. It is big -- very big. At 20MB, it is 20 times the size of the Stuxnet virus. It has multiple capabilities. They include, according to a McAfee blog post, everything from scanning network resources to stealing information, communicating with C&C servers over the SSH and HTTPS protocols, detecting more than 100 security products (antivirus, anti-spyware, etc.), creating screen captures and recording voice conversations.

But there is no unanimity over its sophistication. While some vendors say it brings cyberthreats to a whole new level, Hypponen said while it is big and complex, "it's not advanced crimeware."

"Data stealing crimeware is interested in the quickest, most efficient way to steal what it needs. And it evolves quickly. You might call it advanced evolution," he said. "Flame, on the other hand, is a 'limited edition' spy tool with a limited scope that was used very carefully. It didn't need to evolve."

Who created it and where it came from is not clear. There are only educated guesses about that. Hypponen is among many who believe it was "most likely created by a Western intelligence agency or military." Some are pointing to the U.S., noting that some of the code appears to have been written by native English speakers.

But Kevin McAleavey, cofounder and chief architect of the KNOS Project, is skeptical. In a blog post for Infosec Island, he wrote: "When you look at the code snippets, which Kaspersky published, in addition to the various use of the word 'flame' in the code, there are also variables called 'gator' and 'frog' in there."

"When I've examined 'officially' produced malware, such names for variables published within the code just do not happen. Another thing that doesn't smell right is that Israel has also been a target of this worm in numbers only exceeded by Iran," he wrote.

McAleavey told CSO that while it could be European in origin, "it smells much more like Turkey or possibly Pakistan or India -- countries close enough to the area that a war would affect them directly and so are interested in all sides of what's going on over there."

Another reason he thinks the U.S. is not behind it: "The code is so bloated and made up of old modules and then heavily encrypted. It screams amateur hour and desperation," he said.

More significantly, McAleavey said, even though Flame is not much of a U.S. threat, its success at remaining hidden is "one hell of a condemnation of the antivirus industry's automated 'reputation-based' detection methods, in that it remained inert long enough to get whitelisted by some, ignored by others."

McGraw agrees, but said he doubts it would have been hidden for so long if it had been aimed at countries like the U.S. "It was in places where computers are old and people not very sophisticated," he said. Security products could be much better, but vendors are making progress, he said. "They're much better than they were five years ago."

Mark Baldwin, CISSP and principal researcher and consultant at InfosecStuff, said the prevention steps enterprises should take remain what they have always been: Aggressive patching of software to eliminate vulnerabilities; continuous monitoring of critical systems for anomalous activity; application whitelisting to prevent the execution of unauthorized software; and promotion of security awareness in the organization.

While most SMBs don't have the resources or expertise to implement all those countermeasures, "they are less likely to be targeted by an APT," Baldwin said. "No one is going to spend hundreds of thousands of dollars creating a stealthy piece of malware only to use it against small organizations with low likelihood of a return on that investment."

Stories by Taylor Armerding