What is Flame?
Defending network endpoints against malware tends to be a high priority in almost any organization. Although most of the major anti-malware products do a good job, current malware protection is anything but perfect. Perhaps the best evidence of this is the Flame malware. Flame is an especially sophisticated piece of malware that has been used in targeted attacks in the Middle East. There are a number of things that make Flame unique, but the most alarming aspect is that it has been confirmed to have infected high-level systems for several years before it was detected. Flame was also unique in its size: it tipped the scales at a whopping 20 MB and consists of an estimated 750,000 lines of code. By way of comparison, most viruses have fewer than 150 lines of code. All of that code allows Flame to record audio, screen captures, keyboard activity, and even Skype conversations.
How does Flame work?
Of course, these capabilities are not unique in and of themselves. There are legitimate parental control applications that use similar capabilities to allow parents to monitor their children’s computer usage. What was unique was the way that Flame managed to work its way into high-level computer networks. Flame’s authors reportedly went to great lengths to disguise Flame as a legitimate Content Management System platform. Furthermore, the code was signed using a counterfeit Microsoft digital signature. Flame’s developers found a Microsoft Terminal Server Licensing certificate that had been accidentally authorized for code signing. Because this certificate used a relatively weak MD5 hash, the Flame developers were able to reverse engineer the certificate and use it to digitally sign their own code, giving the illusion that the code had come from Microsoft.
Risk of Flame impacting an organization
The odds of an organization becoming infected with Flame are slim. After all, Flame was designed for use against very specific targets. Even so, other malware authors now know that someone succeeded in creating a sophisticated form of malware that appeared to have come from a reputable source and that eluded detection for years. With that in mind, the big question is how organizations can protect themselves from similar, copycat malware that might be discovered in the future and that could potentially already exist.
How to protect against malware attacks
The best way to protect against such a sophisticated form of malware is to practice defense in depth. There is no such thing as a perfect security product. None of the antivirus products were able to detect Flame. The only way to guard against this sort of malware is to follow a very rigid set of security best practices.
Keeping your systems up to date with the latest patches is a good first step in preventing malware from being able to steal sensitive data. It is equally important, however, to use a reputable patch management system. Remember, Flame posed as legitimate Microsoft code. It is therefore conceivable that a future exploit could pose as a Microsoft patch. As such, it is critically important to use a patch management system that can be trusted to download patches directly from Microsoft. It is also a good idea to get into the habit of cross-referencing patch numbers with TechNet to make sure that patches are legitimate prior to deploying them.
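One concrete way to scrutinize a downloaded patch before deploying it, tying together the signing weaknesses described above (a certificate signed with MD5 and wrongly authorized for code signing) and the advice to verify patches: check the file's Authenticode signature, the signer's identity and Code Signing EKU, and the hash algorithms used throughout the certificate chain. This is an added example written for this article, not code from the original post; the function name, the expected publisher string and the sample path are assumptions.

```powershell
function Test-PatchSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed publisher name that must appear in the signer's subject.
        [string] $ExpectedPublisher = 'Microsoft Corporation'
    )

    $findings = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is '$($sig.Status)', not Valid"
    }

    $leaf = $sig.SignerCertificate
    if (-not $leaf) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Findings = $findings + 'No signer certificate' }
    }

    if ($leaf.Subject -notmatch [regex]::Escape("O=$ExpectedPublisher")) {
        $findings += "Signer subject '$($leaf.Subject)' is not $ExpectedPublisher"
    }

    # Code Signing EKU (1.3.6.1.5.5.7.3.3). Flame's licensing certificate carried it
    # by mistake; a patch signer without it should never be trusted.
    $ekuOids = @()
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ('1.3.6.1.5.5.7.3.3' -notin $ekuOids) {
        $findings += 'Leaf certificate lacks the Code Signing EKU'
    }

    # Walk the chain and flag any certificate signed with MD5 or SHA-1.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null
    $null = $chain.Build($leaf)
    foreach ($el in $chain.ChainElements) {
        $alg = $el.Certificate.SignatureAlgorithm.FriendlyName
        if ($alg -match 'md5|sha1') {
            $findings += "Chain certificate '$($el.Certificate.Subject)' is signed with weak algorithm $alg"
        }
    }
    $chain.Dispose()

    [pscustomobject]@{ Path = $Path; Trusted = ($findings.Count -eq 0); Findings = $findings }
}

# Sample path is a placeholder; deploy only when Trusted is $true and Findings is empty.
Test-PatchSignature -Path 'C:\Downloads\example-update.msu'
```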
Another lesson learned from the Flame exploit is to be careful about where you download software from. Patches, drivers, and other updates should be downloaded directly from the vendor, not from a third-party Web site. Flame posed as a legitimate CMS platform. While I don’t know where Flame was downloaded from, I am relatively confident that it was not downloaded directly from the Microsoft Web site. Microsoft and most other reputable software vendors go to great lengths to make sure that the code they make available for download is not infected with malware. If you attempt to download a Microsoft patch from a non-Microsoft Web site, there is a very good chance that you will end up downloading malicious code.
Although there is no method that is 100% guaranteed to keep malware off your systems, being careful to download code from reliable sources and scrutinizing applications, drivers, and patches prior to installing them can go a long way toward keeping you safe from infection.