Malware Traditions on Fire: What you need to know about Flame
Posted: 30 May 2012 03:47 PM

Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It's also unusually large (20 MB), whereas most attacks use small files (under 1 MB). The file is so large because it incorporates a broad set of capabilities, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some rare techniques not commonly found in malware, such as using the Lua scripting language for some of its functions. The primary function of Flame is to collect and upload information.

While it doesn't do anything we haven't seen before in other malware attacks, what's really interesting is that it weaves multiple techniques together and applies them dynamically based on the capabilities of the infected system. Also, Flame has been operating under the radar for at least two years, which, counterintuitively, may partially be attributed to its large size.

Flame has been found mainly in the Middle East, specifically: Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria. Based on historical APT patterns, the target region, and complexity/quality of the code, our guess is that Flame was created by one or more Western intelligence agencies. I don't think we'll see too many copycats of Flame, but we will see more targeted attacks against nations. This is following the trend we have been seeing of nation vs. nation web threats that go beyond off-the-shelf Remote Access Kits.

How effective Flame has been remains to be determined, as there still have only been a small number of infections discovered. While we have identified it in approximately eight countries, it is targeted and on only a select number of systems. We will be sure to keep our readers updated on our findings.

It’s also important to mention that our Websense Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, and Email Security Gateway (Anywhere) customers all have protection in place for known samples of Flame. All of these solutions leverage our ACE (Advanced Classification Engine) technology.

Do you have any questions on Flame? If so, leave a comment and we can discuss.

Patrik Runald

Flame/Flamer/Skywiper - one of the most advanced malware found yet
Posted: 29 May 2012 03:21 PM

Yesterday, news broke that a new strain of highly advanced malware (APT), dubbed Flame (Flamer/Skywiper), has been identified. The variant was found to be prevalent in the Middle East. Recent well-known malware also found in the Middle East includes Stuxnet and Duqu, both very advanced and ground-breaking. Flame has most likely been in circulation since 2010, but has only just been identified. The primary function of Flame is to collect and upload information, which it does in several ways, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more.

The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB. One of the main reasons for its much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a Lua virtual machine. So far, the known vulnerabilities used by this malware are MS10-046 and MS10-061. Both were also used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks.

[Image: Flame's main module name and debugging data suggesting when that module was compiled]

[Image: runtime data in Flame at the infection stage]

Does Websense protect customers?

Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, Email Security Gateway (Anywhere), and Websense Email Security all have protection in place for known samples of Flame.


More information

Analysis throughout the security industry is ongoing. This additional analysis is available right now at CrySys (PDF).

Elad Sharf

Nitro targeted attacks
Posted: 02 Nov 2011 08:39 AM

Recently, our friends over at Symantec released a report about an attack named Nitro. In this targeted attack, unknown attackers went after several types of organizations; the latest known attacks hit the chemical sector, where 29 different targets were confirmed.

The attacks follow the standard pattern of tools and techniques seen in previous campaigns. An email is sent to several recipients within an organization with an attachment or a link pointing to a file. These files are repacked variants of Poison Ivy, a very popular Remote Access Tool (RAT). The Command & Control servers for this tool rely extensively on Dynamic DNS services for hostname and IP address lookup.

[Image: screenshot of the Poison Ivy builder application]


This is precisely why Websense released a Dynamic DNS category earlier this year. In their default configuration, products that have this category will not allow these RATs to communicate successfully. With this new category, our Websense Security Gateway and Hosted Web solutions will not allow traffic from Poison Ivy at all, due to the way it communicates over port 80. In this way, Websense customers remain protected from this popular form of targeted attack.
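As an added illustration (not Websense's or Symantec's code), here is a small Python detector for the pattern described above: outbound web requests whose destination host sits under a dynamic DNS zone, and which client keeps returning to it. The zone list and the proxy log format are constructed for the example; a real deployment would use a maintained category feed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Illustrative list of well-known dynamic DNS zones (constructed for this
# example; a real deployment would use a maintained category feed instead).
DYNAMIC_DNS_ZONES = frozenset({
    "no-ip.org", "no-ip.biz", "dyndns.org", "hopto.org", "zapto.org", "3322.org",
})

def is_dynamic_dns_host(host: str) -> bool:
    """True if host is a customer name under one of the dynamic DNS zones."""
    labels = host.lower().rstrip(".").split(".")
    # Walk the suffixes; the zone apex itself (the provider's own site) is
    # not flagged, only names with at least one extra label in front of it.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in DYNAMIC_DNS_ZONES:
            return i > 0
    return False

@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    src: str
    host: str
    port: int

def parse_proxy_line(line: str) -> ProxyEvent:
    # Constructed log format: "<timestamp> <client_ip> <dest_host>:<dest_port>"
    ts, src, dest = line.split()
    host, port = dest.rsplit(":", 1)
    return ProxyEvent(ts, src, host, int(port))

def find_ddns_requests(lines: Iterable[str]) -> list[ProxyEvent]:
    """Proxy events whose destination is a dynamic DNS hostname."""
    return [ev for ev in map(parse_proxy_line, lines) if is_dynamic_dns_host(ev.host)]

def beacon_counts(lines: Iterable[str]) -> dict[tuple[str, str], int]:
    """Count (client, ddns host) pairs; steady repeats look like C2 check-ins."""
    return dict(Counter((ev.src, ev.host) for ev in find_ddns_requests(lines)))

# Constructed sample proxy log: one client repeatedly reaching a no-ip.org
# name over port 80, the channel the post says Poison Ivy uses for its C2.
SAMPLE_LOG = [
    "2011-11-02T08:39:01Z 10.0.0.12 www.example.com:80",
    "2011-11-02T08:39:05Z 10.0.0.12 updates.no-ip.org:80",
    "2011-11-02T08:39:09Z 10.0.0.31 mail.example.com:443",
    "2011-11-02T08:40:05Z 10.0.0.12 updates.no-ip.org:80",
]
```

Running `beacon_counts(SAMPLE_LOG)` over the sample returns the single client/host pair seen twice, which is the kind of repeated contact a Dynamic DNS category block cuts off before the RAT can check in.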

For more information about how Websense protects against APTs and Targeted Attacks see our white paper.

Symantec's full report can be downloaded here.

Patrik Runald

Duqu - Stuxnet 2.0
Posted: 19 Oct 2011 06:10 PM

The security industry is buzzing today after Symantec released a whitepaper on a threat known as Duqu. What's interesting about Duqu is that it's heavily based on the source code of Stuxnet, a worm that targets industrial control systems (ICS). The Stuxnet source code has never been made available publicly; it's only available to the original attackers. Therefore it's reasonable to assume that Duqu was written by the same people.

Duqu is not designed to attack Programmable Logic Controllers (PLCs) or any type of automation equipment, which was the ultimate purpose of Stuxnet. Instead, it acts as a reconnaissance tool that is designed to steal private information about these systems. With the information it obtains, further targeted attacks similar to Stuxnet can be executed.

One of the DLL drivers used in the Duqu attack is signed with a certificate issued to C-Media Electronics Corporation, a technology company in Taiwan. The certificate was revoked on 14th October, 2011.

While information about the Command & Control servers is still being researched, all known URLs are categorized as security risks (including a Dynamic DNS domain, a new category we released a few weeks ago for this specific purpose). Websense customers are protected against this family of malware and Advanced Persistent Threat (APT) attacks with ACE, our Advanced Classification Engine.

Symantec currently has the most information available about this threat, as they were the first to receive the sample. Their whitepaper can be found here.

Patrik Runald
