U.S. companies, government not likely burned by Flame
Hope is security vendors, enterprises will get beyond panic and use the Middle East-focused malware as a teachable moment
By Taylor Armerding
May 31, 2012 — CSO — U.S. companies and government entities probably don't have to worry about being burned by Flame, the super Trojan discovered several days ago by Moscow-based Kaspersky Lab and described by some analysts as the most sophisticated Advanced Persistent Threat yet encountered.
But that does not mean they shouldn't be worried. The likely reason they haven't been hit is that they are not targets. Flame's major targets were Iran, Israel and other areas of the Middle East. Mikko Hypponen of F-Secure, in a Q&A blog post, wrote: "Are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."
There is also the fact that it is an espionage tool, and is only useful while it remains a secret. Now that it has been exposed, it is essentially out of business.
Still, the discovery of Flame (some are calling it sKyWIper) long after it was created -- some reports say it has been in existence since 2010, and others say it may go back as far as 2007 -- means there may be others like it out there in the wild, still undetected and siphoning crucial and confidential data from American firms and government entities ranging from elected officials to law enforcement and the military.
Gary McGraw, CTO of Cigital, said he hopes security vendors and enterprises alike will get beyond the panic and hype and use the discovery of Flame as a teachable moment.
"Every once in a while a security disaster sticks up like the top of an iceberg," he said. "That's an opportunity to teach people how to do it right. When I talk about this, I try to bring it back around to what is the root problem, which is that we're relying on systems that aren't secure. The only way to deal with it is to build software that doesn't suck."
No, he doesn't mean it is possible to build software that is impenetrable. "You're probably not going to be able to defend yourself against the U.S. government," he said, "but we're still a long way from making it no longer [financially] feasible" for the average cybercriminal to invade networks.
By now, there is general agreement on the basics about Flame. It is big -- very big. At 20MB, it is 20 times the size of the Stuxnet virus. It has multiple capabilities. According to a McAfee blog post, they include everything from scanning network resources to stealing information, communicating with C&C servers over the SSH and HTTPS protocols, detecting more than 100 security products (antivirus, anti-spyware, etc.), creating screen captures and recording voice conversations.