Flame - was it actually seen three years ago?

Opinion by Dan Raywood

Flame dominated the security headlines a month ago and one new perspective may open a whole new discussion.

Flame dominated the security headlines a month ago and one new perspective may open a whole new discussion.

According to an article by Radware president and CEO, Roy Zisapel, for SC Magazine US, a session at DefCon 2009 in Las Vegas may have detected a key characteristic of Flame.

He said that before Flame became an overnight household name, the idea of ‘hiding a malicious cyber attack beneath a fleece of unsecured software updates' sparked a lot of anxiety for many in the application and network security industry. 

Flame notoriously was able to generate signed certificates that allowed the malicious software to appear as if it was produced by Microsoft, aiding its success in passing anti-virus and intrusion detection systems.

He said: “In our presentation titled ‘Day of the Updates', Radware released an Ippon demo-tool called Jinx, which portrays how a software update service can install malware on a computer.

“The demo showed that by opening a laptop and connecting to a network using an unsecured WiFi connection, or through the internal organisation network, many of the applications automatically check for new software updates. An attacker located at the same network can forge a reply ‘yes, there is an update' and provide its IP as the location of the software update.

“The victim's application then downloads the malicious file and executes it. Nearly all applications at the time did not check the authenticity of the file. They just blindly used it.”

Zisapel concluded by claiming that the only ‘proven' way for companies to protect themselves against Flame is by employing a signature that notifies IT professionals of its existence as soon as it tries to spread in the organisation. This can then block the malware through an automatic software update with verified and protected authenticity.

Did it detect Flame three years ago then? No, but what it did do was prove the capability of a forged certificate to enable infection.

One of the few companies that claimed to have been able to stop Flame was Bit9. Its report said: “Bit9 protected one of its customers before anyone, including Bit9, knew what it was.”

Speaking to SC Magazine recently, Bit9 CTO Harry Sverdlove said that when Flame came out, it was able to detect it by looking at its database from one specific user from the Middle East.

He said: “We caught it and they were willing to work with us. We found that the attack began in October 2011 and then it called the command and control server every few weeks. However for ten days it began dialling out every day at 6am and at every instance, it tried to download a new payload but we stopped it.

“We work by allowing trustworthy stuff in, but it is easier to look bad than to be trustworthy.”

Sverdlove admitted that the user only had a few thousand systems and Flame ‘only hit one user'. He said that from its analysis, it was able to see that this was being run by a human operator with a list of targets who was updating it manually.

He said: “The pattern was for a five-month period, it tried to download around the 10th or 12th of the month. If your name was on the list it is down to something you have done or who you are. We do not know what it did as we never let it execute, but it was trying to install a series of OS X files, dropping it into the system directory and trying to run them.

“So we assume that it tried to use the network as a foothold to do something else, but it was never able to as it never reached that level of attack.”

He said that despite reports about it being 20MB in size, it was in fact a series of six files. Despite this, Sverdlove said that its ‘elegance' was in the fact that its files looked like an application and that it did many things that a traditional Trojan did but also that legitimate applications did too.

“To deal with thousands of new attacks you need to filter them, so you can maximise your efforts and go after files of less than 1MB, but that will involve companies ‘boiling the ocean',” he said.

Asked if he felt that Flame was more sophisticated than anything he had seen before, he said that it was the most comprehensive, as it had everything that had been done before, but not altogether.

He said: “It was much more controlled, which is why it was not detected for so long. The most sophisticated thing about it is its ability to forge digital certificates so it looked legitimate.”

Sverdlove said that Bit9 was working with its customer to find out how and why it was infected, but said it was possible that it was a third party. It is now looking at all its systems to ensure it is protecting those as well in order to stop the ‘launch pad'.

There is contrasting opinion on Flame, that is what keeps the information security industry interesting. One person's view that this is not the most sophisticated threat ever seen compared with those that do believe that is why this is still being discussed, but the Radware opinion could lend some gravitas as to why this could not have been detected earlier and prevented more easily.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events