
Flame malware – Overview and Mitigation

Recently a newly discovered, high profile piece of malware called Flame/Flamer has been making quite a bit of news. The BeyondTrust R&D team has been analyzing this malware and correlating how our products can help customers with managing this potential threat to their environments.

A blog post (http://app.en25.com/e/er?s=2580&lid=188&elq=2c15def8793443f9a45e066b0f2f1296) details how a combination of best practices and use of our products eliminates or mitigates the threat.

At a high level here are some of the key points on this new threat:

* The Flame malware has largely been targeting Middle Eastern countries in what appears to be an intelligence-gathering operation.
* The malware initially gets onto a system by leveraging two Microsoft vulnerabilities from 2010.
  * Our Retina CS product suite can detect these vulnerabilities and provide patching capabilities.
  * Our Blink Endpoint Protection and Retina Protection Agents can prevent these two vulnerabilities from being exploited to compromise systems and infect them with this malware.
* The malware appears to be less successful when running at lower privilege levels.
  * I.e. PowerBroker Windows Desktop can help lessen the blow from this attack, since it lets environments run more easily without employees having to be Administrators.
* The malware has gone undetected by the anti-virus industry for potentially a few years.
  * Note: Just because the anti-virus industry failed here does not mean BeyondTrust did.
  * Our Endpoint Protection product, Blink, would have successfully stopped the two known methods of initial system compromise.
    * This is protection that we have had since roughly 2010, i.e. almost two years before this attack.
  * Our Vulnerability Management product, Retina CS, would have successfully identified systems with the missing Microsoft patches.
    * We would not only identify vulnerable systems but also provide the capability to deploy patches to remediate these flaws directly from Retina CS.

You can read more on our blog post here: http://eeye.co/F1amer and Wired has a good overview here:
http://www.wired.com/threatlevel/2012/05/flame/
Note: This will be on the BeyondTrust blog tomorrow morning as we finish combing the company websites etc…

As you all know, we have a regular monthly “Vulnerability Expert Forum”, which is a webinar hosted by me and our research team. This happens the day after Microsoft’s Patch Tuesday (the second Tuesday of every month). This Flame malware will be a big topic of conversation and we will be covering it in more depth on our webinar. I strongly suggest sending customers to the webinar to listen in, as it has always been a great educational security tool. Sign-up for the webinar is here: http://www.eeye.com/vef