Another Malware Variant—Flame

Posted by Mark Greisiger

A Q&A with Roger Thompson, Chief Emerging Threats Researcher, ICSA Labs
Every day brings new threats to data security, and in 2012, we’ve seen the rise of Flame malware, which attacks computers running Microsoft Windows and has been used for cyber espionage in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. To find out more about Flame and its significance for corporate data security, we spoke to Roger Thompson, chief emerging threats researcher of ICSA Labs. For more information, see

What is Flame?
In the overall scheme of things, W32/Flame.a is a JARAT (Just Another Remote Access Trojan). In other words, in and of itself, it’s not all that special. A RAT (Remote Access Trojan), by definition, gives control of your computer to someone else. This means this other person can siphon off information, and extra programs whenever they want. This is nothing new, but it’s not something you want in your network. Ever. There are, however, two things that are especially alarming about it: 1) The first is where Flame is being discovered. Although it’s being detected in countries as diverse as Hungary, Egypt and Israel, the largest number of detections has been in Iran, which has experienced some high profile and impressive attacks, (Stuxnet and DuQu for example) in recent times. 2) The second issue is that no one knows how long it’s been there. Some antivirus companies are saying that they’ve been seeing traces of similar things for years. If this proves to be correct, this is quite alarming, because we have no way of knowing what it’s been doing for all this time.

How does Flame get inserted into corporate networks?
We have no idea at this point, but this is not really the issue. The issue is that it got in somehow, and was undetected for an unknown amount of time. The worst hack is the one you don’t know about.

What is the ultimate damage that can occur?
Pick a disaster, any disaster. Seriously, though, as I said earlier, a RAT can allow anything to be installed at any time, so anything is possible. If they’re in your system long enough they might know more about it than you do. We have seen water systems and other major industrial systems attacked. And given the breadth and the size of this malware, it could take six months or longer to reverse engineer it. However, it’s important not to overact—it’s not a direct threat to us at this time, but we should understand the potential implications of what could happen. At this time, the understanding is that Flame was a targeted attack against governments and not an attack against US corporations.

How can a company prevent or mitigate something like this?
Unfortunately the main way people defend against this sort of thing is with a scanner but every day, every antivirus software gets 60,000-70,000 unique malware viruses a day, so it can be difficult for the software to detect it. It turns out that there are only three ways to detect malware: The first is a signature scanner, which is what most of the world uses to detect malware. This works great if the malware is known, but misses everything new, until it gets an update. Unfortunately, the bad guys know this, and simply create new malware every day. They know that within a few days to a week, every signature scanner will have been updated, but they don’t care, because they’ll have created a new version by then.

The second way is integrity checking/whitelisting. This is where you know what your system looks like, and you only allow whitelisted applications to run. This works extremely well, but is not popular because it requires discipline on the part of the user/administrator, and requires a high degree of user knowledge when it comes time to install something new.

The third way is behavior monitoring. This is where you watch for malicious behavior. Simple examples would be something that modified another program, or something that installed itself so that it would survive a reboot.

The nice thing about behavior monitoring is that all modern antiviruses do it to one degree or another. The problem is that it’s generally regarded as a second string line of defense, behind various types of signature scanning.

In my opinion, it’s time for antivirus developers to begin focusing on behavior monitoring as the principal line of defense. When an attacker knows that he has only to bypass a signature scanner, it means he has only to come up with something new. In other words, any new bit of malware will probably bypass all the world’s scanners, for at least a few days to a week, or until they all catch up. If, however, every antivirus developer starts to focus on their behavior layer, an attacker is faced with trying to bypass multiple and different behavior strategies. Put another way, each antivirus developer will have their own set of rules and nuances for what constitutes malicious behavior, and this in turn will make the attacker’s job some orders of magnitude harder.

In conclusion …
Whether it’s Flame or Stuxnet or any other latest stealth malware variant wreaking havoc against corporate networks, the fact is that the threats continue to morph and evolve in a manner that allows them to go undetected by businesses (or governments), and defeat the traditional tools of cyber security past. We can expect to see this trend continue.