Flame Virus in Iran

Gauss Flame's cousin

Gauss, the Flame malware's 'cousin', targets banks in Lebanon. “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations”, according to a Kaspersky Lab blog. The name comes from modules whose internal names pay tribute to famous mathematicians and philosophers, such as Johann Carl Friedrich Gauss, Kurt Gödel and Joseph-Louis Lagrange.
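To make concrete how a payload can be "activated on certain specific system configurations" while staying opaque to analysts who hold only the sample, here is an added Python illustration of environmental keying. It is not Gauss code and not from Kaspersky's write-up: the key derivation, iteration count, cipher, salt, fingerprint strings and payload are all assumptions chosen for the example, and the payload is a harmless string.

```python
"""Environmental keying, illustrated (added example; not Gauss code or Kaspersky's).

The loader carries only ciphertext, a salt and a tag. The decryption key is
derived at run time from a host fingerprint (here an assumed PATH-style string),
so an analyst holding the sample but not the target's configuration cannot
decrypt the payload. KDF, iteration count, cipher and sample data are all
assumptions chosen for this illustration.
"""
import hashlib
import hmac

ITERATIONS = 10_000  # assumed; makes guessing candidate environments expensive

# Constructed host fingerprints standing in for the intended machine and a wrong one.
TARGET_ENV = r"C:\Program Files;C:\Windows;C:\Windows\system32;D:\Tools\bin"
OTHER_ENV = r"C:\Program Files (x86);C:\Windows;C:\Windows\system32"
SALT = b"example-salt-bytes"                              # constructed
PAYLOAD = b"benign stand-in for the encrypted module"    # constructed


def derive_key(fingerprint: str, salt: bytes) -> bytes:
    """Iterated SHA-256 over the host fingerprint (stand-in for the real KDF)."""
    digest = hashlib.sha256(salt + fingerprint.encode("utf-8")).digest()
    for _ in range(ITERATIONS):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, fingerprint: str, salt: bytes):
    """Encrypt under the environment-derived key. Returns (ciphertext, tag).
    The tag lets the loader recognise the intended host without storing the key."""
    key = derive_key(fingerprint, salt)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct, tag


def try_open(ct: bytes, tag: bytes, fingerprint: str, salt: bytes):
    """What the loader does on every host: derive, check the tag, decrypt or give up."""
    key = derive_key(fingerprint, salt)
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong environment: the payload stays opaque
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def demo():
    """Seal once for TARGET_ENV, then attempt to open on both hosts."""
    ct, tag = seal(PAYLOAD, TARGET_ENV, SALT)
    on_target = try_open(ct, tag, TARGET_ENV, SALT)
    on_other = try_open(ct, tag, OTHER_ENV, SALT)
    return on_target, on_other  # (PAYLOAD, None)


if __name__ == "__main__":
    print(demo())
```

The loader in this scheme carries no key, so an analyst with only the sample must guess the fingerprint; the tag gives an offline check for each guess, which is why such payloads are attacked by enumerating plausible environment strings rather than by attacking the cipher. For defenders, the loader's own behaviour (reading the environment and hashing it in a tight loop before touching the payload) is the thing to look for.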

Since late May 2012, more than 2,500 infections have been recorded by Kaspersky Lab's cloud-based security system, and the estimated total number of Gauss victims is probably in the tens of thousands. Of those infections, more than 1,600 were discovered in Lebanon and nearly 500 in Israel, the blog noted. Kaspersky Lab explained that Gauss was first uncovered during the investigation into the Flame malware attacks initiated by the International Telecommunication Union.

Malware Intelligence Lab: More Flame/sKyWIper CNC Behavior Uncovered.

Today, NSS Labs released a report detailing the performance of several vendors’ ability to detect advanced attacks. We declined to participate in this test because we believe the NSS methodology is severely flawed. In fact, the FireEye product they used was not even fully functional, leveraged an old version of our software and didn’t have access to our threat intelligence (unlike our customers). We did participate in the BDS test in 2013 and at that time we also commented on the flaws of the testing methodology. In fact, we insisted that the only way to properly test was to run in a REAL environment. NSS declined to change their testing methodology so we declined to participate in the most recent test, results of which have been published today. When NSS tested our product a year ago, they used a sample set that included 348 total samples.

Clearly, nobody could take this approach seriously—it was a major mismatch versus what we see in the wild. Issue #1: Poor sample selection.

Iran says detected massive cyber attack: state TV.

Flame authors order infected computers to remove all traces of the malware. The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis, security researchers from Symantec said on Wednesday. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers.

However, late last week, Flame's creators instead distributed a different self-removal module to infected computers that connected to servers still under their control, Symantec's security response team said in a blog post. The module is called browse32.ocx and its most recent version was created on May 9, 2012. "It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module," the Symantec researchers said. Deleting a file in Windows does not remove its actual data from the physical hard disk: a file-system delete only releases the directory entry and the clusters the file occupied, so the contents stay recoverable until something overwrites them.
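As an added illustration of that last point (not code from the page or from Symantec's analysis, which describes browse32.ocx overwriting files with random data before deleting them), the following Python models a disk as raw blocks plus a directory and shows that an ordinary delete leaves the module carvable by signature, while overwriting the blocks before unlinking does not. The signature, file contents and disk layout are constructed for the example.

```python
"""Delete vs erase: carving a deleted file from raw disk bytes (added example).

Not code from the page or from Symantec's analysis. The disk is an in-memory
bytearray with a toy directory; the file signature, sizes and contents are
constructed for the demonstration.
"""
import os
import re

BLOCK = 512
SIGNATURE = b"MZTOY"  # constructed header marking the file type we carve for
MODULE = SIGNATURE + b" module body: cached keystrokes and screenshots"  # constructed


def blocks_for(n: int) -> int:
    """Number of whole blocks needed for n bytes."""
    return -(-n // BLOCK)


class ToyDisk:
    """Minimal 'file system': raw blocks plus a directory of name -> (offset, length)."""

    def __init__(self, blocks: int):
        self.raw = bytearray(blocks * BLOCK)
        self.dir = {}
        self.next_free = 0

    def write(self, name: str, data: bytes) -> None:
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.dir[name] = (off, len(data))
        self.next_free += blocks_for(len(data)) * BLOCK

    def unlink(self, name: str) -> None:
        """Ordinary delete: only the directory entry goes; the data blocks stay."""
        del self.dir[name]

    def wipe_and_unlink(self, name: str, passes: int = 1) -> None:
        """Overwrite the file's blocks with random bytes, then unlink."""
        off, length = self.dir[name]
        end = off + blocks_for(length) * BLOCK
        for _ in range(passes):
            self.raw[off:end] = os.urandom(end - off)
        del self.dir[name]


def carve(raw, signature: bytes = SIGNATURE, max_len: int = 4 * BLOCK):
    """Signature carving: ignore the directory and scan the raw bytes.
    A hit runs from the signature to the first NUL (the toy format is NUL-free)."""
    raw = bytes(raw)
    hits = []
    for m in re.finditer(re.escape(signature), raw):
        chunk = raw[m.start():m.start() + max_len]
        hits.append(chunk.split(b"\x00", 1)[0])
    return hits


def demo():
    """Same module, two removal strategies, same carving tool."""
    plain = ToyDisk(blocks=16)
    plain.write("browse.ocx", MODULE)
    plain.write("notes.txt", b"unrelated file")
    plain.unlink("browse.ocx")

    wiped = ToyDisk(blocks=16)
    wiped.write("browse.ocx", MODULE)
    wiped.write("notes.txt", b"unrelated file")
    wiped.wipe_and_unlink("browse.ocx")

    return {
        "plain_delete": carve(plain.raw),      # module still recoverable
        "wipe_then_delete": carve(wiped.raw),  # nothing left to carve
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

On a real system the equivalent is imaging the raw device rather than trusting the file system, which is what the overwriting step is designed to defeat. Overwriting removes the contents, but not every trace: file-system metadata such as MFT records, the USN journal or prefetch entries can still show that the module existed and when it was touched, so the wipe itself becomes an artifact worth looking for.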

Microsoft patch

Flame malware hijacks Windows Update to spread from PC to PC. The Flame espionage malware targeting Iranian computers contains code that can completely hijack the Windows update mechanism that Microsoft uses to distribute security patches to hundreds of millions of its users, security researchers said Monday. Flame components known as "Gadget" and "Munch" allow Flame operators to mount a man-in-the-middle attack against computers connected to a local network that hosts at least one machine already infected by the malware, Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday.

By exploiting weaknesses in Microsoft's Terminal Server licensing infrastructure—and poor key-management decisions made by Microsoft engineers—the Flame architects were able to produce cryptographic seals falsely certifying that their malicious wares had been produced by Microsoft. According to Kaspersky's Gostev, Flame attackers have been using the same fraudulent Microsoft certificates to spoof the company's widely used Windows update mechanism. Microsoft responded by revoking the Terminal Server Licensing intermediate certificates involved (Security Advisory 2718704); anything chaining to them should be treated as untrusted.

United Nations views Flame as cybersecurity opportunity | Security & Privacy. The United Nations has seized on the appearance of the Flame worm, which targeted computers in the Middle East, to argue that it should have more authority to deal with cybersecurity threats on the Internet. Last week, the United Nations' International Telecommunication Union circulated a statement about Flame saying the malware "reinforces the need for a coordinated response" that could come from "building a global coalition." It took credit for Flame's discovery, saying Kaspersky Lab identified it "following a technical analysis requested by the ITU." (See CNET's FAQ.) ITU spokesman Paul Conneally told CNET this morning that "the mandate that ITU has with regard to cybersecurity goes back to the World Summit on the Information Society, where world leaders gave ITU the mandate as sole facilitator for 'building confidence and security in the use of information and communication technologies.'" A U.S. "If we are not vigilant," warned Rep. "But nobody trusts the ITU," Lewis says.

A Massive Web of Fake Identities and Websites Controlled Flame Malware | Threat Level.

Map showing the number and geographical location of Flame infections on Kaspersky customer machines. Courtesy of Kaspersky Lab The attackers behind the complex Flame cyberespionage toolkit, believed to be a state-sponsored operation, used an extensive list of fake identities to register at least 86 domains, which they used as part of their command-and-control center, according to researchers at Russia-based antivirus firm Kaspersky Lab. Kaspersky says the size of the command-and-control infrastructure, which appears to have been still partially active a few days ago even after the operation was publicly exposed, exceeds anything they’ve seen before. “The huge amount of fake domains and fake identities used to run this infrastructure is pretty much unprecedented and unlike any other malware that we have seen before,” said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab.

Chart showing the domains the attackers registered for Flame and the registration dates.

Flame malware's structure among most complex ever seen, says Kaspersky Lab. Network World - Kaspersky Lab on Monday shared more details about the sophisticated Flame cyber-espionage malware, widely believed to be the work of a nation-state, though the security firm is not yet venturing to say which country that might be. Kaspersky Lab is working with OpenDNS to investigate Flame, which is tied most closely to cyber-espionage against Iran and Lebanon, and today both companies described what they have found in a week of investigating Flame command-and-control (C&C) servers around the world. These servers are gradually being "sinkholed" to cut off the ties between the C&C servers and the Windows computers infected with Flame, which spies on computer use and can upload content back to Flame's C&C operators.

BACKGROUND: Flame Malware: All You Need to Know. ANALYSIS: Iran's discovery of Flame malware turning into political hot potato.

However, Flame appears to be updating itself, possibly to reconstitute its capabilities, Schouwenberg warns.

Kaspersky's role in AV war

Quick guide to Flame malware attack - IT Analysis from V3.co.uk. The security industry has been alight with the news of the Flame malware attack on Iranian IT systems, which represents a significant advancement on the Stuxnet and Duqu attacks from the last two years. Some security experts have claimed the Flame malware "redefines the notion of cyberwar and cyber-espionage" given its complexity and capabilities.

With so much information and conjecture circling around the development, V3 aims to answer some of the key questions being asked about the newly discovered cyber weapon. Who's behind it? No security vendor has pointed to a single country or group as being responsible for Flame's creation. The central matter of contention at the moment is whether the malware was made by a private group or a nation state. Kaspersky Lab chief security expert Aleks Gostev reported in his opening blog post that he believes the current evidence indicates a nation state was, at the very least, involved in funding Flame's creation.

How does it work?

US behind the cyberattack?

Flame-bait Questions. There are plenty of questions from customers, and also from members of the press. Mikko spoke with Clark Boyd of PRI's The World yesterday about the breaking news. Symantec's Liam O Murchu spoke with Kai Ryssdal of Marketplace in a very "economical" conversation about Flame's functionality. Some good questions have been asked. And plenty of hyperbole has been generated. Here are some questions of our own.

• Am I protected from Flame? That's the wrong question.

• Alright then, am I at risk from Flame? Let's see, are you a systems administrator for a Middle Eastern government?

No? The number of computers estimated to be infected with Flame is one thousand and there are more than one billion Windows computers in the world. Additionally: Flame is not a worm. And then there's the fact that Flame is now known to be in the wild.

• Okay, but still — in theory — am I protected? We have detections for Flame and our current software blocks and prevents Flame from functioning based on our tests.

Safe?

The Flame Virus: Your FAQs Answered. A frightening computer virus called Flame is on the loose in Iran and other parts of the Middle East, infecting PCs and stealing sensitive data. Now, the United Nations' International Telecommunication Union warns that other nations face the risk of attack. But what is Flame, exactly, and is it cause for concern among ordinary PC users? Here's what you need to know about what Kaspersky calls “one of the most complex threats ever discovered.”

Flame Virus: The Basics

Kaspersky describes Flame as a backdoor and a Trojan with worm-like features. The initial point of entry is unknown -- spearphishing or infected websites are possibilities -- but after the initial infection the malware can spread through USB sticks or local networks. Flame is meant to gather information from infected PCs. It is reminiscent of the Stuxnet worm that wreaked havoc on Iran in 2010, but Kaspersky says Flame is much more complex, with its modules occupying more than 20 MB of code.

Who is at Risk?

Iran 'finds fix' for sophisticated Flame malware. 29 May 2012, last updated at 11:25 ET. The sophistication of Flame helped it avoid detection by security software. Iran says it has developed tools that can defend against the sophisticated cyber attack tool known as Flame. The country is believed to have been hit hard by the malicious programme, which infiltrates networks in order to steal sensitive data. Security companies said Flame, named after one of its attack modules, is one of the most complex threats ever seen. Iran says its home-grown defence can both spot when Flame is present and clean up infected PCs.

Hard work. Iran's National Computer Emergency Response Team (Maher) said in a statement that the detection and clean-up tool was finished in early May and is now ready for distribution to organisations at risk of infection.

Flame was discovered after the UN's International Telecommunication Union asked security firms for help finding out what was wiping data from machines across the Middle East.

The Flame Virus: Spyware on an Unprecedented Scale. Security researchers recently discovered one of the most complex instances of computer malware on record. Flame, which also goes by the names SkyWiper and Viper, has infected hundreds of computers across the Middle East and Europe. What does it do? Where did it come from? Who unleashed it? What makes Flame so unusual is its size: it is much larger than the largest malware instances researchers had previously found.

For instance, the infamous Stuxnet virus that targeted Iran's uranium enrichment facilities in 2010 was about 500 kilobytes, according to Wired. “Flame is a sizable beast," said Graham Cluley of Sophos, a security software vendor. Researchers have only scratched the surface of what is hidden in all that code. Flame, at its core, is spyware.

This is not your ordinary spyware, though. Normal spyware is not hard to detect. But the size and uniqueness of Flame may prove to be more than the antivirus companies realize.

What's the Meaning of This: Flame Malware.

'No country is safe from Flame super-virus attack' - Kaspersky Labs | Information, Gadgets, Mobile Phones News & Reviews.

The number of locations of Flame infections detected by Kaspersky Lab on customers' machines. Picture: Kaspersky Lab. Source: Supplied.

A powerful new virus has been uncovered which has been sabotaging government systems in the Middle East for at least five years. The "Flame" program is claimed to be around 20 times the size of any previously known cyber warfare program, including the infamous Stuxnet, which attacked Iran's nuclear program in 2010 and caused centrifuges at its Natanz uranium enrichment facility to fail.

Stuxnet and its successor, Duqu, have been fingered as viruses so powerful they could only have been created by a state. Flame was discovered by security company Kaspersky, which claims it has been mining Middle East government systems since at least 2010. A snippet of malware code shows why the virus has been dubbed 'Flame'. How 'Flame' spreads like wildfire.

Flame: Another Holiday, Another Super Virus. Another holiday here in upstate New York, another roll of the fire trucks while some were supposed to be kicking back and enjoying a barbeque. It's times like this when I'm glad I'm not in the antivirus business anymore and doubly relieved that none of our machines run Windows.

No flames here. Computer security people however may have to reach for the extinguisher this morning as the latest conflagration in the news bounces across their desk, the discovery of yet another "super virus" called "FLAME" as reported by this BBC article. Only problem is that according to Kaspersky, who made the discovery in coordination with the U.N.'s International Telecommunication Union (ITU), this one's been in the wild since at least December of 2010 and has only been detected now. Here we go... again. FLAME is described by Kaspersky as "one of the most complex threats ever discovered". The Maher Center and Iran's CERTCC published this report identifying the worm and its components.

Flame virus: United Nations to issue warning against 'world's most powerful computer bug'

'Flame' bug has been used to hack into Iran computers. Trojan superbug 100 times bigger than most forms of malicious software. By David Gardner. Created: 19:47 GMT, 29 May 2012.

The virus, called 'Flame', is the third major cyber weapon uncovered after the Stuxnet virus that attacked Iran's nuclear program in 2010 and its data-stealing cousin Duqu, named after the '~DQ' prefix of the files it creates. The United Nations is set to issue an urgent warning to guard against the most powerful computer virus ever unleashed amid fears it could be used to bring countries to a standstill.

In what was being seen last night as the dawn of a new era in cyber warfare, Marco Obiso, cybersecurity coordinator at the UN's International Telecommunication Union, said: 'This is the most serious warning we have ever put out.' He was speaking after it was revealed that a massive superbug had been used to hack into computers in Iran. Israel did little to dispute claims yesterday that it was behind the clandestine online assault.

And the Israelis didn't try and deflect blame.

Flame virus: who is behind the world's most complicated espionage software?
Attacks on Iranian oil industry led to Flame malware find.
Researchers identify Stuxnet-like malware called 'Flame'.
Virus Infects Computers Across Middle East.
Researchers identify Stuxnet-like cyberespionage malware called 'Flame'.

Flame: world's most complex computer virus exposed.
Meet 'Flame', The Massive Spy Malware Infiltrating Iranian Computers | Threat Level.
Skywiper_v1.02.doc.