29 May 2012 03:21 PM
Yesterday, news broke that a new strain of highly advanced malware (APT), dubbed Flame (Flamer/Skywiper), has been identified. The variant was found to be prevalent in the Middle East. Recent well-known malware that was also found in the Middle East are Stuxnet and Duqu, both very advanced and ground-breaking. Flame has most likely been in circulation since 2010, but has just been identified. The primary function of Flame is to collect and upload information, which it does in several ways, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more.
The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB. One of the main reasons for its relatively much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a LUA virtual machine. So far, known vulnerabilities used in this malware are: MS10-046 and MS10-061. Those were both used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks.
Flame's main module name and some debugging data that suggests when that module was compiled:
Some runtime data in Flame at the infection stage:
Does Websense protect customers?
Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security and Email Security Gateway (Anywhere) and Websense Email Security all have protection in place for known samples of Flame.
Analysis throughout the security industry is ongoing. This additional analysis is available right now at CrySys (PDF).