Concerns raised about time taken to detect Flame

News by Dan Raywood

The detection of the Flame worm will lead to other attempts to emulate it.

According to Phil Robinson, director at Digital Assurance, Flame is highly sophisticated but other hackers will seek to emulate it and vendors will have to rethink how they tackle malware.

He said: “It's no longer enough to rely upon a firewall, IPS and other mechanised point-to-point solutions. We need to fight fire with fire with new techniques such as virtualised penetration testing which puts the human back in control of the security process while conferring the advantages of instantaneous testing.”

Ron Gula, CEO of Tenable Network Security, said that what he found interesting was that Flame had been tracked since 2010, yet this was the first time anything had been heard about it.

“It is more evidence that malware is becoming increasingly targeted and tailored to specific targets. Traditional anti-virus techniques fail in these scenarios and must be replaced with increased prevention methods such as vulnerability management or increased detection methods such as SIEM or intrusion detection,” he said.

Flame was detected by Kaspersky Lab as a highly sophisticated surveillance worm that can sniff network traffic, take screenshots, record audio conversations and intercept the keyboard, and send that data via a secure connection to the controller.

Kaspersky Lab also said that Flame's package of modules makes it almost 20MB in size, 20 times the size of Stuxnet, and that it went undetected for so long because modern malware is typically small and focused.

David Harley, senior researcher at ESET, said: “It's not only the malware which is complex (and certainly dauntingly large), conflicting conjecture and confusion over the ‘ownership’ of the detection is muddying the waters.

“According to the Iran national computer emergency readiness team they had detection (but not removal) for the malware that ESET calls ‘Win32/Flamer.A’ in early May, but Kaspersky claims it's been in the wild since March 2010; however, it seems to be the same malware threat the Laboratory of Cryptography and System Security in Budapest calls Skywiper (which they believe may have been active for five to eight years or even longer).”

According to McAfee, one of Flame's smaller encrypted modules contains over 70,000 lines of decompiled C code and over 170 encrypted strings, suggesting the threat has been developed over many years, possibly by a large group or dedicated team.

Symantec research said that within the code so far analysed, there were multiple references to the string 'Flame' that might allude to certain attacks made by various parts of the code (injections, exploits, etc.) or might be an indication of the malware's developmental project name.

It said: “The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware.

“The architecture being employed by W32.Flamer allows the authors to change functionality and behaviour within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes or simply to evade security products.”
