The effectiveness of Flame still remains to be determined, since the number of infections discovered is still relatively small, says a Websense spokesman.
BANGALORE, INDIA: In an interview with CIOL, Carl Leonard, Senior Manager, Websense Security Labs talks about the complexity of the Flame malware recently discovered by security experts. Here are excerpts:
CIOL: Do you think the Flame virus indicates a new era of targeted attacks against countries or regions?
Carl Leonard: Based on the Advanced Persistent Threat (APT) patterns seen previously, the target region and the vast functionality of the code, it is being alleged that Flame was created by a group that has the resources to construct such a project, such as a foreign nation state government. This follows the trend of going beyond off-the-shelf Remote Access Kits and using customized tools, as normally expected from an APT. APTs against nations are already deemed one of the most dangerous innovations of the century, with the potential power to affect and attack critical infrastructure. Nations realize the potential of cyber warfare and arm themselves with cyber weapons. APTs and targeted attacks are hot buzzwords in the security community these days, and the truth is that these kinds of attacks have existed for over five years already. Since the Aurora attacks, the trend shows that more companies have been “coming out” to reveal that they’ve been breached. This trend creates more awareness of APTs and greater consciousness of cyber security and of a phenomenon that has existed for quite a while now.
CIOL: Is there any chance of the Flame virus infecting PCs in Asia Pacific or India (as in the case of Stuxnet, which was found in several vital Indian installations)?
Leonard: The effectiveness of Flame still remains to be determined, since the number of infections discovered is still relatively small. There is always a chance of Flame infections in any area; it all depends on whether there’s any interest or gain that the group behind Flame can obtain by targeting a system in that area. APTs are covert and they come in many flavours; Flame is just one of them. It’s very likely that APTs are resident in most if not all modern countries today. In a lot of cases, once an advanced persistent threat is revealed, it usually means that this is only the beginning; persistent attacks stay persistent on systems although some of their components get detected. So, once an APT is discovered, systems need to be checked thoroughly for other remains, other code or network traffic that may suggest threat persistence. To summarize: APTs are a challenge to detect and sometimes hard to get rid of.
CIOL: How effective do you think the protection offered by security vendors is for the known samples of Flame?
Leonard: Some security solutions are more effective than others in their protection against Flame. Websense’s customers for Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, and Email Security Gateway (Anywhere) all have protection in place for known samples of Flame.
It’s relatively easy to apply protection once a sample is well known. Different AVs vary in terms of time to detect known binaries, and that happens in no particular order and depends on the vendor. In the end, and after some time, there’s consolidation. Importantly, companies should make sure they have layered defences by ensuring they’re using a real-time in-line security solution.
CIOL: In your estimate, what can be the consequences of the Flame virus compared to Stuxnet?
Leonard: Flame is considered to be one of the most advanced pieces of malware to date in terms of the functionality it offers to its perpetrator. All of Flame’s components combined, as found on infected systems, are unusually large at ~20MB when compared to most attacks, which contain smaller files of under 1MB. It incorporates a broad set of capabilities. Stuxnet and Duqu had a specific target and aim, while Flame appears to be more of a generic tool filled with different functionality aimed at gathering intelligence and persisting on the target network; it’s important to remember that the Flame platform could act as a hub to initiate more specific attacks that can have a more specific context.
(This interview was originally published in CIOL on June 11, 2012.)