The Flame malware toolkit, a targeted threat to specific individuals in the Middle East and North Africa, may be overshadowing more serious problems facing enterprises, said several researchers who are concerned that the threat is being overhyped.
Kaspersky Lab, which went public last week over the targeted malware threat, said in its analysis that Flame “might be the most sophisticated cyberweapon yet unleashed.” The Russia-based antivirus vendor said the malware belongs alongside other “super-weapons” deployed in the Middle East, referring to the Stuxnet worm, which was designed to sabotage the centrifuge controls at an Iranian uranium enrichment facility, and Duqu, designed to gather data from manufacturers of industrial control components.
But experts who are getting a detailed look at the malware are downplaying the threat. Cybercriminals with financial motivations are a far greater threat to enterprises and individuals, experts say. Attackers carrying out targeted campaigns to steal intellectual property for corporate espionage, or politically motivated hacktivist attacks designed to cripple businesses, are also a greater concern to most businesses. Flame was designed to target people of interest for international intelligence gathering, such as nuclear contractors and high-level government employees, said Mikko Hypponen, chief research officer at Finnish antivirus vendor F-Secure Corp. It is not likely to be a serious problem for the vast majority of computer users, he said.
“It’s obvious that someone put tons of money and time into it, and it looks like it was done by a nation state; however, the likelihood of someone getting hit by this comes to almost zero,” Hypponen said. “Even though antivirus vendors failed spectacularly in protecting against it – there’s no denying that we failed – most of our customers didn’t get hurt.”
Flame may have been used in targeted attacks as early as 2007. It has a number of components that are easily detectable by current-generation antivirus products, said Gunter Ollmann, vice president of research at network security vendor Damballa Inc. Large enterprises that have deployed and maintained host-based and network-based antivirus technologies are well positioned to protect themselves from this malware, he said.
“This malware is not anything out of the ordinary,” Ollmann said. “It is a package of mini-popular features commonly available in most banking Trojans and other remote access toolkits.”
It is still difficult to tell the motivations behind the attackers, Ollmann said. Kaspersky sinkholed the command-and-control domain names: the domains the malware contacts were registered or redirected so that they resolve to a server run by the researchers rather than by the attackers, which lets the researchers receive the check-in traffic and any data that infected machines try to send home. Researchers could soon learn about the types of organizations and individuals compromised. If the sinkhole is sophisticated enough, it could also yield copies of the stolen data the attackers were collecting, he said.
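The mechanics of a sinkhole described above, as an added example that is not part of the original article and is not Kaspersky's sinkhole code: a seized C2 domain (and every subdomain of it) is resolved to a researcher-controlled address, beacons that arrive there are parsed and recorded without ever answering with a command, and the log is summarised to count distinct infected hosts and the volume of data they tried to exfiltrate. The beacon format (an HTTP POST with an `X-Bot-Id` header and a base64 body), the domain `example-c2.invalid`, and all sample traffic are constructed for illustration; Flame's real protocol is not described on the page.

```python
"""Minimal command-and-control sinkhole: resolve a seized C2 domain to our
own address, accept the beacons infected hosts send there, and summarise.

Added example, not code from the article or from Kaspersky. The beacon
format, the C2 domain and the sample traffic below are all constructed.
"""
import base64
import collections
from dataclasses import dataclass
from typing import List, Optional

SINKHOLE_IP = "192.0.2.10"  # RFC 5737 documentation address, not a real server


def resolve_for_sinkhole(qname: str, sinkholed: set) -> Optional[str]:
    """Return the sinkhole address for a seized C2 domain or any subdomain of it.

    Returns None for names we do not control, so ordinary resolution proceeds.
    """
    name = qname.lower().rstrip(".")
    for domain in sinkholed:
        if name == domain or name.endswith("." + domain):
            return SINKHOLE_IP
    return None


@dataclass
class Beacon:
    src_ip: str
    host: str
    path: str
    bot_id: str
    payload: bytes  # data the bot tried to exfiltrate, decoded


def parse_beacon(raw: bytes, src_ip: str) -> Optional[Beacon]:
    """Parse one raw HTTP request received by the sinkhole; None if it is not a beacon."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii", "replace").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        if method != "POST":          # scanners and browsers GET; bots POST reports
            return None
        payload = base64.b64decode(body, validate=True) if body else b""
    except (ValueError, IndexError):  # malformed request line or non-base64 body
        return None
    return Beacon(src_ip, headers.get("host", ""), path,
                  headers.get("x-bot-id", "?"), payload)


class Sinkhole:
    def __init__(self, sinkholed_domains):
        self.domains = set(sinkholed_domains)
        self.beacons: List[Beacon] = []

    def handle(self, raw: bytes, src_ip: str) -> bytes:
        beacon = parse_beacon(raw, src_ip)
        if beacon is not None and resolve_for_sinkhole(beacon.host, self.domains):
            self.beacons.append(beacon)
        # Never send tasking back: an empty 200 keeps the bot idle and harmless.
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

    def summary(self) -> dict:
        by_ip = collections.Counter(b.src_ip for b in self.beacons)
        return {
            "unique_ips": len(by_ip),
            "unique_bots": len({b.bot_id for b in self.beacons}),
            "bytes_exfil": sum(len(b.payload) for b in self.beacons),
            "by_ip": dict(by_ip),
        }


C2_DOMAINS = {"example-c2.invalid"}  # hypothetical seized domain


def _beacon(host: str, bot_id: str, data: bytes) -> bytes:
    """Build a constructed beacon in the hypothetical format described above."""
    body = base64.b64encode(data)
    return (b"POST /cgi-bin/report HTTP/1.1\r\n"
            b"Host: " + host.encode() + b"\r\n"
            b"X-Bot-Id: " + bot_id.encode() + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


SAMPLE_TRAFFIC = [  # constructed sample, not captured Flame traffic
    ("198.51.100.7", _beacon("update.example-c2.invalid", "bot-a1", b"hostname=ENG-WS12;user=alice")),
    ("198.51.100.7", _beacon("update.example-c2.invalid", "bot-a1", b"doc=budget.xlsx")),
    ("203.0.113.45", _beacon("example-c2.invalid", "bot-b9", b"")),
    ("203.0.113.99", b"GET / HTTP/1.1\r\nHost: update.example-c2.invalid\r\n\r\n"),  # a scanner
    ("203.0.113.50", _beacon("unrelated.invalid", "bot-c3", b"x")),  # domain we do not own
]


def run_demo() -> dict:
    """Feed the constructed traffic through the sinkhole and return the summary."""
    sinkhole = Sinkhole(C2_DOMAINS)
    for src_ip, raw in SAMPLE_TRAFFIC:
        sinkhole.handle(raw, src_ip)
    return sinkhole.summary()


if __name__ == "__main__":
    print(run_demo())
```

The two checks that matter in practice are both visible here: the sinkhole answers every request identically and never returns tasking, so taking over the domain cannot be turned into a way to drive the bots, and only requests for the domains actually seized are counted, so scanner noise and unrelated traffic do not inflate the victim count.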
Andrew Storms, director of security operations at nCircle Network Security Inc., acknowledges that marketing teams like the hype surrounding threats because it boosts visibility and software sales. It often lets emerging malware and attack techniques overshadow more critical issues, he said. “We can’t say with certainty how much of a problem the [Flame] malware is until it’s fully vetted,” Storms said. “But we know for sure that this is part of an extremely targeted attack.”
Storms and other experts point out that the successful Flame attacks were extremely limited. The malware targets vulnerabilities in Windows XP, Windows 2000 and Windows 7 systems. There were 189 infections in Iran and far fewer in the other countries where the malware was detected. Flame was designed to infect an individual’s system and then gather as much data as possible: it could record audio conversations, and copy and upload email and other documents. The malware is about 20 megabytes in size and is built from plug-in modules that the attackers can load and control through a backdoor channel.
Malware analysts spent weeks decompiling and understanding Duqu, and it took months for researchers to fully document the Stuxnet worm, said Lenny Zeltser, a security professional and faculty member at the SANS Institute. It takes a complete understanding of the malicious code to reliably determine the program’s intent, Zeltser said.
“This is something that is interesting and curious and we should be keeping an eye on it for new developments, but there’s not really any meaningful information about this piece of malware yet,” Zeltser said. “So far, we don’t know much.”
Individuals and enterprises should be more concerned about the Blackhole exploit kit, which exploits unpatched Java vulnerabilities, Adobe Flash weaknesses and other software flaws to spread malware, including the notorious Zeus Trojan family. Attack toolkits enable relatively unsophisticated cybercriminals to carry out attacks with the click of a mouse. Drive-by attacks, often hidden in legitimate websites, can probe a visitor’s Web browser and its plug-ins for vulnerabilities to exploit.
Security decision makers have come to appreciate over the last year that there are entities capable of and willing to conduct targeted attacks for financial gain, political gain or long-term intelligence gathering, Zeltser said. “The dynamics of defending data and computer systems have always been governed by the arms race dynamics of attackers working to develop reliable, well-functioning ways of penetrating our defenses and defenders developing reliable effective ways of attempting to block those attacks,” Zeltser said.
“What has changed over the last couple of years is our understanding that we cannot be successful at blocking all the attacks,” Zeltser said. “It’s driving companies to put more effort into detecting and responding to attacks … a security product that achieves its promise will never be sufficient to defend an organization’s IT infrastructure; it needs to be woven into an information security program.”