Putting Out the Flame

There's a lot of buzz going around in the security field about a big piece of malware, code named "Flame" or "Skywiper". Let's make some sense and try to extinguish the flame wars. There is an excellent paper that was published by the CrySys team [http://www.crysys.hu/skywiper/skywiper.pdf] and we also included information from an analysis we conducted. So, how does one gets infected with the Flame? Two possible vectors:

  1. Physical delivery, like it was with Stuxnet that used the infamous LNK exploit, which
    incidentally is found in Flame as well. Someone had to physically insert a USB
    thumb drive into a victim PC. This vulnerability was a 0-day back when Stuxnet
    was first discovered, but it's patched now. As of now, no 0-day exploits were
    found in Flame.
  2. Remote delivery. In this case it could be a malicious link or an email attachment. If
    the Flame authors would try to remotely deliver Flame's primary file to the
    victim machine, this file will get blocked by Trustwave Secure Web Gateway due
    to lack of a proper digital signature.

Even if this malware would get installed in your organization, it would probably try to "call home" – contact the C&C server. Secure Web Gateway will block its attempts to reach those domains.

The SpiderLabs team will continue to monitor this incident closely and provide any necessary updates.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.