Saturday, August 11, 2012

How to Protect Yourself from the “Flame” Virus

Recently, reports have been circulating that a virus, called “Flame,” has been infecting users in the Middle East, particularly Iran. This has led many to conclude it is the work of Israel’s engineers. Experts also point to further evidence supporting this, including links between this malware and previous malware targeting Iran. The official name for Flame is W32.Flamer because it targets 32-bit Windows PC users.

The “Flame” Virus Looks to be the Work of Professionals
According to USA Today, the reason Israel is suspected of being the culprit is that Iran has been particularly affected by it. This led Kaspersky Lab to conclude that engineers in Israel should claim responsibility, given the distrust and animosity between the two nations.

Another virus, called Stuxnet and launched last November, targeted nuclear centrifuges in Iran. According to reports, it shares a lot of similarity with Flame. It has been speculated for quite a while now that engineers from Israel created Stuxnet.

The New York Times reported last November that the virus was created precisely to disrupt Iran’s nuclear program. It caused nuclear centrifuges to go out of control.

The Russian anti-virus company Kaspersky Lab also claims responsibility for discovering it, as reported in a company news brief. However, other anti-virus companies have also been analyzing it and trying to address its reach.

According to USA Today, a unit within Iran’s communication and information technology ministry claimed it has anti-virus software capable of identifying and removing it:

“Tehran has not said whether it lost any data to the virus, but a unit of the Iranian communications and information technology ministry said it had produced an anti-virus capable of identifying and removing Flame from its computers.”

Israel’s Vice Premier Moshe Yaalon did not outright dismiss Israel’s responsibility for it when asked about its significance, which leads to the further conclusion that Israel’s hands were at work here.

“Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us,” he said.

What Makes “Flame” Stand Out Among Malware
Flame is particularly alarming in terms of the security concerns it poses for users on the receiving end of it. It really shows just how exposed any one of us can be online if we do not take precautions. Examples of the damage it can do include allowing its creators to take screenshots, log keystrokes, and even steal data from mobile devices via Bluetooth.

“It can be used to spy on everything that a user is doing,” said researcher Roel Schouwenberg in the USA Today report.
I recently spoke to the director of Norton’s Star Program, Kevin Haley, about the threat and what risks it poses for end users.
Besides its ability to spy on users, take screenshots of user activity and send them back for analysis, and steal files, it can also be improved upon or patched.

Haley said that its creators can write modules adding functionality to it over time. This means they do not have to create new malware but can simply modify Flame to add functionality and threats.

“It was clearly built so it could be added upon again and again.”

He also pointed out its complexity, which became apparent when analyzing it and looking at its size. The actual file size is about 200MB, which makes it much larger in scope than most other malware. That size also makes Flame harder to detect in many cases, because users think it is a legitimate application or program.

“It is like 20 times as large as Stuxnet. It is bigger and more modular,” Haley said. “It is built like multiple people worked on it and didn’t know what other people were doing.”

What he meant by calling its engineering modular was that multiple groups of professional engineers were probably contracted to create it in different steps. Then their work was put together into what is now known as Flame.

Haley also indicated that in his opinion it probably took about 6 months to create and it will take Norton months to fully comprehend it. Norton has only been analyzing it for the last few days although there are indications it was around for at least two years in one shape or form.

A Disguised File
Haley said that its creators found clever ways to hide it inside the systems it infects. Its large size may trick users into thinking it is harmless, and it also runs on machines without showing indications of its activity.

“It tries to hide itself inside other applications to disguise itself,” he said. “It also hides itself inside another process inside the computer.

“If you weren’t examining it closely, you would think it is doing things that are harmless. It has functionality that normal programs have to make users think it is not doing anything not unique.”

Command-and-Control Server
The way its authors use Flame is through a command-and-control server (C&C). Its authors give it instructions through this structure to accomplish certain tasks.

“Typically once it gets on a machine it will report back to the C&C server and wait for instructions,” Haley said. “The author gives commands like show what documents they are and these are the ones I want you to copy.”

By the way, Symantec has provided further analysis of the virus in a blog posting on the company’s website titled “Painting a Picture of W32.Flamer.” This analysis points out that Flame is actually a whole platform and not just a file with a single function. It includes a Web server, a database server, and secure shell communications. It also includes a scripting editor.

How to Protect Yourself from the “Flame” Threat
What makes Flame such a threat is that it may have the potential to infect users who have strong firewalls or are not even connected online. A machine can, for instance, be infected from a USB drive.

However, Haley said that anyone with an updated version of Norton’s or Symantec’s anti-malware programs should be safe (these two product lines are linked to the same company, but Symantec is geared for enterprise users while Norton is geared for regular computing users). It should automatically detect and remove Flame. He even pointed out that competitor products are also able to remove it now. It is the users who are not protected that should make sure their system is safe.

Haley described how in 2011 alone there were over 400 million unique threats and he expects 2012 to show greater figures.

He thinks that a layered approach is needed, with anti-virus software, firewalls, and other tools. He described one of these tools, which Norton uses, as an intrusion prevention system (IPS).

“IPS intrusion prevention systems looks for patterns in network traffic,” Haley said. “It will detect malware unlike firewall that just blocks it.”
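As an added illustration (not from the article, Norton or Symantec), the check-in behavior Haley describes, a process reporting back to its C&C server and waiting for instructions at a regular interval, is one of the traffic patterns an IPS or a log review can flag. The script below runs a simple periodicity heuristic over constructed proxy log lines; the host names, timestamps and thresholds are all assumptions.

```python
"""Flag near-constant check-in intervals in constructed proxy log lines."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not real Flame traffic): timestamp, source host, destination.
SAMPLE_LOG = """\
2012-06-01T10:00:00 ws-17 update.example.net
2012-06-01T10:00:12 ws-17 news.example.com
2012-06-01T10:05:00 ws-17 update.example.net
2012-06-01T10:07:41 ws-17 mail.example.com
2012-06-01T10:10:00 ws-17 update.example.net
2012-06-01T10:15:01 ws-17 update.example.net
2012-06-01T10:20:00 ws-17 update.example.net
2012-06-01T10:22:09 ws-17 news.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse(log_text):
    """Group contact timestamps by (source, destination); skip malformed lines."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst = m.groups()
        contacts[(src, dst)].append(datetime.fromisoformat(ts))
    return contacts

def find_beacons(log_text, min_contacts=4, max_jitter=0.1):
    """Return (src, dst, mean gap seconds) for pairs whose contact gaps are near-constant.
    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps."""
    hits = []
    for (src, dst), times in parse(log_text).items():
        if len(times) < min_contacts:        # too few contacts to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: ~{interval}s check-in interval, review as possible C&C traffic")
```

Ordinary browsing is bursty, so only the destination contacted every five minutes is reported; tune the thresholds to the environment before relying on it.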

Despite Haley’s enthusiasm for anti-virus software being able to remove it, keep in mind that he did also say its creators have the ability to modify it and add functionality to it. Take that as you will, but it may mean that it still can pose a danger to any user.

Conclusion
Viruses like Flame show the challenges users and companies face every day when targeted by calculating and skillful threats. However, do not expect the average hacker to be able to create something this sophisticated. A group like Anonymous may have the potential over time so do not rule the idea out. However, this was most likely the work of engineers being hired full time to work on it over a period of numerous months as Haley pointed out.
