A session at DefCon 2009 spotted the Flame virus, sort of
Roy Zisapel, president and CEO, Radware
We all know Aesop's fable about the wolf in sheep's clothing and the moral that appearances can be deceiving; but did you know that the wolf's first victim was the lamb that belonged to the sheep whose pelt the wolf wore?
Because the pelt was familiar, trusted and it was only natural to follow it, the lamb naively trotted off with the wolf far from the safety of the flock.
Exploiting processes based on the familiar, the trusted, and the normal is the theory behind most cyber attacks that rely on some kind of social engineering, including the now infamous Flame malware.
Before Flame recently became an overnight household name, the idea of hiding a malicious cyber attack beneath a fleece of unsecured software updates sparked a lot of anxiety for many of us in the application and network security industry.
Concern over the vulnerability of unsecured software update services stretches back for some time. In fact, during a session at DefCon 2009 in Las Vegas, Radware security experts demonstrated how it could be done using an application update download to install malware on a computer.
Security specialists describe the malware Flame, also known as Flamer, as the most advanced computer virus ever found and a new level of sophistication in cyber warfare. Flame is able to extract large volumes of information from its victim and send the information back to its operators. The malware extracts information, including keystrokes, directory structures, files and documents; can activate audio recording on demand; can scan for neighboring Bluetooth devices and much more.
The method used by Flame operators for the initial infection of a victim computer is still unclear, and the assumptions of security specialists vary from network intrusion to physical infection of a computer through a USB key.
According to published reports, once Flame penetrated the organization, it spread across networked computers through a sophisticated man-in-the-middle attack on the Windows Update service. When an uninfected computer in the organization tries to update itself, Flame intercepts the request to the Microsoft Update service and instead delivers a malicious update to the computer. The victim believes that a genuine update has been delivered, but in fact malware has been downloaded and has installed itself on the computer.
In our DefCon 2009 presentation titled "Day of the Updates," Radware released an IPPON demo-tool called JINX, which demonstrates how a software update service can be used to install malware on a computer.
The demo showed that when a laptop is opened and connected to a network, whether over an unsecured WiFi connection or through the internal organizational network, many of its applications automatically check for new software updates. An attacker on the same network can forge a reply (“yes, there is an update”) and supply its own IP address as the location of the software update. The victim's application then downloads the malicious file and executes it. Nearly all applications at the time did not check the authenticity of the file; they simply used it blindly.
The only proven way for companies to protect themselves against Flame is to employ a signature that notifies IT professionals of its presence as soon as it tries to spread within the organization, and then to block the malware through an automatic software update whose authenticity is verified and protected.
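The authenticity check that the demo showed applications lacking, and that the last paragraph calls for, as an added example (not Radware's JINX tool or code from this article): a minimal Go update client that accepts an update only if its manifest is signed by a vendor key pinned in the client, so an attacker who answers the update check on the local network cannot substitute a file. The manifest layout, function names and sample payloads are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is the (hypothetical) reply an update server returns: the version offered,
// the SHA-256 of the update file, and the vendor's signature over version|digest.
type UpdateManifest struct {
	Version   string
	Digest    [32]byte
	Signature []byte
}

func signedBytes(version string, digest [32]byte) []byte {
	return append([]byte(version+"|"), digest[:]...)
}

// SignManifest is the vendor side; the private key never leaves the vendor.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	d := sha256.Sum256(payload)
	return UpdateManifest{Version: version, Digest: d, Signature: ed25519.Sign(priv, signedBytes(version, d))}
}

// VerifyUpdate is the client side. It trusts only the pinned vendor public key, not whoever
// answered "yes, there is an update" on the network, and refuses to run a file whose digest
// is not covered by a valid vendor signature.
func VerifyUpdate(vendorPub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(vendorPub, signedBytes(m.Version, m.Digest), m.Signature) {
		return errors.New("manifest signature invalid: not signed by vendor")
	}
	if sha256.Sum256(payload) != m.Digest {
		return errors.New("payload digest mismatch: file was swapped")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // pinned in the client at build time
	genuine := []byte("constructed sample: genuine update 1.2")
	m := SignManifest(vendorPriv, "1.2", genuine)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, m, genuine))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // a different key: the attacker on the same network
	fmt.Println("forged manifest:", VerifyUpdate(vendorPub, SignManifest(attackerPriv, "1.3", []byte("bad")), []byte("bad")))
	fmt.Println("swapped payload:", VerifyUpdate(vendorPub, m, []byte("bad")))
}
```

The two failing cases are the two things the 2009 demo relied on: a reply that does not come from the vendor, and a file that does not match what the vendor signed.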