• United States



Contributing writer

U.S. companies, government not likely burned by Flame

May 31, 20126 mins
CybercrimeIT Leadership

Hope is security vendors, enterprises will get beyond panic and use the Middle East-focused malware as a teachable moment

U.S. companies and government entities probably don't have to worry about being burned by Flame, the super Trojan discovered several days ago by Moscow-based Kaspersky Lab and described by some analysts as the most sophisticated Advanced Persistent Threat yet encountered.

But that does not mean they shouldn't be worried. The likely reason they haven't been hit is that they are not targets. Flame's major targets were Iran, Israel and other areas of the Middle East. Mikko Hypponen of F Secure, in a Q&A blog post, wrote: "Are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."

There is also the fact that it is an espionage tool, and was only useful while it remains a secret. Now that it is compromised, it is essentially out of business.

Still, the discovery of Flame (some are calling it SKyWIper) long after it was created -- some reports say it has been in existence since 2010, and others say it may go back as far as 2007 -- means there may be others like it out there in the wild, still undetected and siphoning crucial and confidential data from American firms and government entities ranging from elected officials to law enforcement and the military.

Gary McGraw, CTO of Cigital, said he hopes security vendors and enterprises alike will get beyond the panic and hype and use the discovery of Flame as a teachable moment.

"Every once in a while a security disaster sticks up like the top of an iceberg," he said. "That's an opportunity to teach people how to do it right. When I talk about this, I try to bring it back around to what is the root problem, which is that we're relying on systems that aren't secure. The only way to deal with it is to build software that doesn't suck."

No, he doesn't mean it is possible to build software that is impenetrable. "You're probably not going to be able to defend yourself against the U.S. government," he said, "but we're still a long way from making it no longer [financially] feasible," for the average cybercriminal to invade networks.

By now, there is general agreement on the basics about Flame. It is big -- very big. At 20MB, it is 20 times the size of the Stuxnet virus. It has multiple capabilities. They include, according to a McAfee blog post, everything from scanning network resources(to stealing information, communicating to C&C Servers over SSH and HTTPS protocols, detecting more than 100 security products (antivius, anti-spyware, etc.), creating screen captures (and recording voice conversations.

But there is no unanimity over its sophistication. While some vendors say it brings cyberthreats to a whole new level, Hypponen said while it is big and complex, "it's not advanced crimeware."

"Data stealing crimeware is interested in the quickest, most efficient way to steal what it needs. And it evolves quickly. You might call it advanced evolution, he said. "Flame, on the other hand, is a 'limited edition' spy tool with a limited scope that was used very carefully. It didn't need to evolve."

Who created it and where it came from is not clear. There are only educated guesses about that. Hypponen is among many who believe it was "most likely created by a Western intelligence agency or military." Some are pointing to the U.S., noting that some of the code appears to have been written by native English speakers.

But Kevin McAleavey, cofounder and chief architect of the KNOS Project, is skeptical. In a blog post for Infosec Island, he wrote: "When you look at the code snippets, which Kaspersky published, in addition to the various use of the word "flame" in the code, there are also variables called 'gator' and 'frog' in there."

"When I've examined 'officially' produced malware, such names for variables published within the code just do not happen. Another thing that doesn't smell right is that Israel has also been a target of this worm in numbers only exceeded by Iran," he wrote.

McAleavey told CSO that while it could be European in origin, "it smells much more like Turkey or possibly Pakistan or India -- countries close enough to the area that a war would affect them directly and so are interested in all sides of what's going on over there."

Another reason he thinks the U.S. is not behind it: "The code is so bloated and made up of old modules and then heavily encrypted. It screams amateur hour and desperation," he said.

More significantly, McAleavey said, even though Flame is not much of a U.S. threat, its success at remaining hidden is "one hell of a condemnation of the antivirus industry's automated 'reputation-based' detection methods, in that it remained inert long enough to get whitelisted by some, ignored by others."

McGraw agrees, but said he doubts it would have been hidden for so long if it had been aimed at countries like the U.S. "It was in places where computers are old and people not very sophisticated," he said. Security products could be much better, but vendors are making progress, he said. "They're much better than they were five years ago."

Mark Baldwin, CISSP and principal researcher and consultant at InfosecStuff, said the prevention steps enterprises should take remain what they have always been: Aggressive patching of software to eliminate vulnerabilities; continuous monitoring of critical systems for anomalous activity; application whitelisting to prevent the execution of unauthorized software; and promotion of security awareness in the organization.

While most SMBs don't have the resources or expertise to implement all those countermeasures, "they are less likely to be targeted by an APT," Baldwin said. "No one is going to spend hundreds of thousands of dollars creating a stealthy piece of malware only to use it against small organizations with low likelihood of a return on that investment."

More on Flame: