How to Check for Flame

Thursday, May 31, 2012 @ 10:05 AM gHale

By Jacob Kitchel
The biggest cyber-security news story this week has been the Flame/Wiper malware. The event has received high-profile coverage from several media outlets.

So far, there have been no strong indicators the Flame virus is tied to anything ICS or SCADA related. There has been plenty of speculation in the media coverage that Flame does target ICS environments based on its apparent sophistication and the countries in which infected machines were detected.


After reading through several pieces of analysis, including the original analysis performed by CrySyS Lab, it appears Flame is highly modular and has some pieces of technology that are not normally associated with malware.

These facts only indicate there is a possible connection to ICS environments – in the way that it is possible for any malware to end up infecting an ICS environment. Based on what has been reported so far, it is not probable that Flame is targeting ICS environments.

That being said, there are still several things that you can do to check your environment for Flame infections.

Begin by gathering file names, module names, and other infection-related information from the CrySyS Lab and Kaspersky analyses. Once some indicators of compromise have been gathered, search and scan your environment in whichever of the following ways are available to you:
• Search files, directories, and disk space on Windows OS based assets through whichever means are available. This can often be performed remotely. Additionally, your environment may already have tools which allow you to perform this search over a wide group of machines at once. If recent backups have been performed, some environments may be able to leverage the backup store to search against so as to lessen the effect of the search on primary assets.
• Search file monitoring or host-based security product logs. CrySyS Lab provides several lists of md5 and sha1 hashes of the files involved in a Flame infection.
• Search Windows Event logs for process creation events related to the indicators of compromise.
• Update your A/V signatures and perform a scan on Windows OS based assets. It’s important to first detect the infections and not take any automatic steps to remove the infection. Automatically removing the infection may cause instability in your environment and threaten your physical process. Remember, set phasers to stun when using A/V on production assets. Additionally, you may want to identify certain file types and locations to exclude in your scan such as database files in-use. Scanning high I/O files such as database files can cause interruptions in both the scanning and the physical process.
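The steps above (gather name and hash indicators, sweep files, search process-creation events, detect without removing, skip high-I/O files) as one detect-only script. This is an added example, not code from the article or from the CrySyS Lab or Kaspersky reports; every indicator value in it is a constructed placeholder (the `placeholder_*` names, hashes derived from constructed file content), the log lines are a constructed export rather than a real Windows event log, and the `.mdf`/`.ldf` exclusion is an assumed stand-in for whatever in-use database files your environment has. Event ID 4688 is the Windows Security log's process-creation event.

```python
"""Added example (not from the article or CrySyS Lab/Kaspersky): a detect-only
sweep that (1) walks a directory tree looking for IoC file names and MD5/SHA-1
hashes, skipping in-use database files, and (2) scans exported process-creation
log lines for the same names. All indicator values here are constructed
placeholders, not real Flame indicators. Nothing is deleted or quarantined."""
import hashlib
import os
import re
import tempfile

PROCESS_CREATED = 4688  # Windows Security log event: "A new process has been created"

# Placeholder indicators standing in for the file names gathered from the published analyses.
IOC_NAMES = {"placeholder_module.ocx", "placeholder_driver.sys"}


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha1) of a file, read in chunks so large files do not load into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep_tree(root, ioc_names, ioc_hashes, exclude_suffixes=(".mdf", ".ldf")):
    """Report (path, reason) for files whose name or hash matches an indicator. Read-only."""
    names = {n.lower() for n in ioc_names}
    hashes = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower() in names:
                hits.append((path, "name"))
                continue
            if fn.lower().endswith(exclude_suffixes):
                continue  # high-I/O files (e.g. live database files): do not hash on production assets
            try:
                md5, sha1 = file_hashes(path)
            except OSError:
                continue  # locked or unreadable: record it separately, keep sweeping
            if md5 in hashes or sha1 in hashes:
                hits.append((path, "hash"))
    return sorted(hits)


def scan_process_events(lines, ioc_names):
    """Return (indicator, line) pairs for process-creation events that mention an indicator."""
    names = [n.lower() for n in ioc_names]
    hits = []
    for line in lines:
        m = re.search(r"EventID=(\d+)", line)
        if not m or int(m.group(1)) != PROCESS_CREATED:
            continue  # only process-creation events are relevant to this check
        lowered = line.lower()
        hits.extend((n, line.strip()) for n in names if n in lowered)
    return hits


# Constructed log export: two process-creation events and one unrelated logon event.
SAMPLE_EVENTS = [
    "2012-05-30 08:12:01 EventID=4688 NewProcessName=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe C:\\Windows\\System32\\placeholder_module.ocx",
    "2012-05-30 08:12:05 EventID=4624 LogonType=2 Account=OPERATOR",
    "2012-05-30 08:13:40 EventID=4688 NewProcessName=C:\\HMI\\hmi.exe CommandLine=hmi.exe /project plant1",
]


def demo():
    """Build a constructed tree in a temp dir, run both checks, and return the two hit lists."""
    suspect_payload = b"constructed suspect file content"
    # Hash IoCs are derived from constructed content, so no real indicator is hard-coded.
    ioc_hashes = {hashlib.md5(suspect_payload).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        files = {
            "placeholder_module.ocx": b"anything: matched by name",
            "renamed_copy.dll": suspect_payload,  # same bytes under a new name: matched by hash
            "notepad.exe": b"benign content",      # no match
            "history.mdf": suspect_payload,        # excluded suffix: never hashed
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        file_hits = [(os.path.basename(p), why) for p, why in sweep_tree(root, IOC_NAMES, ioc_hashes)]
    event_hits = scan_process_events(SAMPLE_EVENTS, IOC_NAMES)
    return file_hits, event_hits


if __name__ == "__main__":
    for section, hits in zip(("files", "events"), demo()):
        print(section, hits)
```

Two design points match the article's advice: the sweep only reports, so a match on a production asset becomes a ticket rather than an automatic removal, and the excluded-suffix list keeps the hasher away from in-use database files whose I/O the physical process depends on. Pointing `sweep_tree` at a mounted backup store instead of the live asset is the same call with a different `root`.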
