Tuesday, June 5, 2012

Avoiding the Flame

After reading many articles and expert reviews about the Flame virus, I came up with the following summary.

What is the Flame: Worm or Trojan
Flame is a complex attack toolkit: a Trojan extended with worm-like features that allow it to replicate across local networks and removable media.
The initial entry point of Flame is still unknown, but once a system is infected, sKyWIper (another name for the Flame virus) begins a sophisticated set of operations, including:
  • Running on Windows XP, Windows Vista and Windows 7 systems;
  • Scanning network resources;
  • Stealing information as specified;
  • Communicating to Control Servers over SSH and HTTPS protocols;
  • Detecting the presence of over 100 security products (AV, anti-spyware, FW, etc.);
  • Loading itself as part of Winlogon.exe, then injecting into Explorer and Services;
  • Concealing its presence in ~-named temp files, just like Stuxnet and Duqu;
  • Attacking new systems over USB flash memory and the local network;
  • Creating screen captures and recording voice conversations;
  • Using SQLite Database to store collected information;
  • Utilizing PE encrypted resources;

Flame Complexity: Masterpiece
Flame is a huge package of modules, reaching up to 20 MB in size when fully deployed. Because of this, antivirus companies state that it is an extremely difficult piece of malware to analyze.
Flame is so big because it includes many different libraries, such as ones for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3).

Flame creation date: unknown
The developers of Flame changed the creation dates of the files associated with this virus to 1992, 1994, 1995 and so on, but these dates are obviously incorrect and aim only to feed false data to investigators.
Analysts believe that the main Flame project was created in 2010 but is still under active development to date. There is also a strong possibility that an earlier version of this virus existed before 2010.

Why the Name: Flame
Flame, Flamer and sKyWIper are different call signs for the same malware. The Flame virus consists of multiple modules; one main module is called Flame, as the picture indicates. The Flame module is responsible for attacking and infecting additional computers, which is the main reason behind the malware's name.
No one to claim the spoils
Although no party has claimed responsibility for the creation and use of this malware, it is clear that it was not created by a group of hacktivists to send a certain message, or by anonymous hackers just for the lulz.
The complex anatomy of this malware, along with the geographic spread of the targets, leaves no doubt that a great deal of resources was invested in creating this virus and that it was created by a nation state in order to collect information on the operations of certain countries in the Middle East, including Iran, Lebanon, Syria, and so on.
Here’s a map of the top 7 affected countries:
Stop the Flame: Update your Antivirus
In general, most recent malware is small in size so that it can be easily hidden, usually between 100 KB and 700 KB, but in Flame's case things are totally different. The large size of the Flame malware is precisely why it wasn't discovered two years ago: who would suspect a nine-megabyte ~-named temp file of being a malware database file?
Finally, in order to remove this malware, follow one of the following links and install the appropriate removal tool / antivirus:
  1. McAfee Stinger
  2. BitDefender Flame Removal Tool
  3. AVG, and keep it updated
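As an added defender-side illustration (not code from this post or from any vendor it cites), the following Python sweep flags tilde-named temp files that are either unusually large or carry the SQLite file header, the two traits the post describes; the directories scanned, the 1 MB threshold and the sample files are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path

# Header every SQLite 3 database file starts with (documented file-format magic).
SQLITE_MAGIC = b"SQLite format 3\x00"
SIZE_THRESHOLD = 1 * 1024 * 1024  # assumed, conservative: the post cites a ~9 MB file


def classify_file(path: Path, size_threshold: int = SIZE_THRESHOLD):
    """Return a finding dict for a tilde-named file that is large and/or SQLite, else None."""
    if not path.name.startswith("~"):
        return None
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            header = fh.read(len(SQLITE_MAGIC))
    except OSError:
        return None  # unreadable or vanished; skip rather than abort the sweep
    reasons = []
    if size >= size_threshold:
        reasons.append(f"large tilde-named temp file ({size} bytes)")
    if header == SQLITE_MAGIC:
        reasons.append("SQLite database stored under a temp-file name")
    if not reasons:
        return None
    return {"name": path.name, "path": str(path), "size": size, "reasons": reasons}


def hunt_temp_dirs(dirs, size_threshold: int = SIZE_THRESHOLD) -> list:
    """Walk each directory recursively and collect findings worth a closer look."""
    findings = []
    for d in dirs:
        for p in Path(d).rglob("*"):
            if p.is_file():
                finding = classify_file(p, size_threshold)
                if finding:
                    findings.append(finding)
    return findings


def build_demo_dir() -> Path:
    """Constructed sample directory (not real Flame artifacts) to exercise the sweep."""
    root = Path(tempfile.mkdtemp(prefix="tilde_hunt_demo_"))
    (root / "~benign.tmp").write_bytes(b"x" * 100)                    # small: ignored
    (root / "~large.tmp").write_bytes(b"\x00" * (2 * 1024 * 1024))    # over threshold
    (root / "~data.tmp").write_bytes(SQLITE_MAGIC + b"\x00" * 100)    # SQLite header
    return root


if __name__ == "__main__":
    for finding in hunt_temp_dirs([build_demo_dir()]):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

On a real host, point hunt_temp_dirs at the user and system temp directories and review each hit by hand; the heuristic is a triage aid, not a verdict.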
