
Malicious Code Alert

Trojan: W32.Flame

 
Threat Type: Malicious Code: Trojan Horse
IntelliShield ID: 26017
Version: 1
First Published: 2012 May 30 20:30 GMT
Last Published: 2012 May 30 20:30 GMT
Port: 443
Urgency: Possible Use
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary:

W32.Flame is a trojan that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.

 
 
Aliases/Variants

None

 
Virus Name:

W32.Flame (Aliases include Flamer, sKyWIper)

 

Description
 

W32.Flame is a trojan that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.

The malicious software embeds itself on infected systems and gathers data in the form of application screen shots, targeted programs such as instant messaging applications, and audio recordings created using a system microphone (if present).  The malicious software stores data in a SQL database and periodically uploads gathered data to a command-and-control host using HTTPS connections.


Impact
 

W32.Flame attempts to steal information from the system, including local files, screen shots, and audio recorded via system microphones.


Warning Indicators
 

The presence of the following files may indicate an infection:

%Windows%\system32\mssecmgr.ocx
%Windows%\system32\ccalc32.sys
%Windows%\system32\boot32drv.sys
DEB93D.tmp
HLV084.tmp
HLV294.tmp
audcache
audfilter.dat
dstrlog.dat
lmcache.dat
mscrypt.dat
ntcache.dat
rccache.dat
wpgfilter.dat
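The file names above are the kind of indicator an incident responder would sweep a host for. The following is an added triage script, not part of the Cisco alert: it resolves the %Windows%-relative entries against a given Windows directory, walks a set of directories (for example the user and system temp folders) for the bare file names, and reports every match. Matching on the bare names is case-insensitive because NTFS is. The demo tree it builds is constructed sample data, and the placeholder file contents are not Flame artifacts.

```python
import os
import tempfile
from pathlib import Path

# Indicator file names copied from the alert's Warning Indicators list.
# Entries under %Windows% are resolved against the Windows directory passed in;
# the bare names are searched for recursively in the directories passed in.
WINDOWS_RELATIVE_INDICATORS = [
    r"system32\mssecmgr.ocx",
    r"system32\ccalc32.sys",
    r"system32\boot32drv.sys",
]
BARE_INDICATORS = [
    "DEB93D.tmp", "HLV084.tmp", "HLV294.tmp",
    "audcache", "audfilter.dat", "dstrlog.dat", "lmcache.dat",
    "mscrypt.dat", "ntcache.dat", "rccache.dat", "wpgfilter.dat",
]


def scan_for_indicators(windows_dir, search_dirs):
    """Return a sorted list of indicator paths found on disk.

    windows_dir: the directory standing in for %Windows%.
    search_dirs: directories walked recursively for the bare file names.
    """
    windows_dir = Path(windows_dir)
    hits = []
    for rel in WINDOWS_RELATIVE_INDICATORS:
        # Split on the backslash so the path also resolves on a non-Windows
        # analysis box (e.g. a mounted disk image).
        candidate = windows_dir.joinpath(*rel.split("\\"))
        if candidate.exists():
            hits.append(str(candidate))
    wanted = {name.lower() for name in BARE_INDICATORS}
    for directory in search_dirs:
        for root, _dirs, files in os.walk(directory):
            for name in files:
                if name.lower() in wanted:
                    hits.append(os.path.join(root, name))
    return sorted(set(hits))


def build_constructed_tree():
    """Create a throwaway directory layout that mimics an infected host.

    Constructed demo data only: the files hold placeholder bytes.
    Returns (windows_dir, [search_dirs...]).
    """
    base = Path(tempfile.mkdtemp(prefix="flame_ioc_demo_"))
    windows_dir = base / "Windows"
    system32 = windows_dir / "system32"
    system32.mkdir(parents=True)
    (system32 / "mssecmgr.ocx").write_bytes(b"constructed placeholder")
    (system32 / "kernel32.dll").write_bytes(b"benign placeholder")
    temp_dir = base / "Temp"
    temp_dir.mkdir()
    # Mixed case on purpose: the match must still fire.
    (temp_dir / "WPGFILTER.DAT").write_bytes(b"constructed placeholder")
    (temp_dir / "notes.txt").write_bytes(b"benign placeholder")
    return windows_dir, [temp_dir]


def demo():
    """Run the scanner over the constructed tree and return its findings."""
    windows_dir, search_dirs = build_constructed_tree()
    return scan_for_indicators(windows_dir, search_dirs)


if __name__ == "__main__":
    for hit in demo():
        print("indicator present:", hit)
```

On a live host you would call scan_for_indicators with the real Windows directory and the temp folders; on a mounted disk image, point windows_dir at the image's Windows folder. A hit is a reason to isolate and image the machine, not proof of infection on its own, since some of these names are generic enough to collide with legitimate files.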


Technical Information
 

W32.Flame consists primarily of a main module, mssecmgr.ocx, that loads other modules into memory.

Upon execution, the malicious software registers the mssecmgr.ocx module. When the malicious software initiates, the mssecmgr.ocx module loads additional modules, including nteps32.ocx and advnetcfg.ocx, using the Windows services.exe process. The malicious software then creates a number of temporary files, including wpgfilter.dat, to store information captured from the system. Finally, the malicious software loads boot32drv.sys.

The files loaded by the malicious software allow the capture of screen shots, audio data, and file data.

W32.Flame stores stolen images and files in a SQL database for later transport to command-and-control servers.  The malicious software communicates with command-and-control servers using SSL-protected HTTP connections.

 
 
IntelliShield Analysis

W32.Flame attempts to steal confidential information from infected systems, specifically targeting instant message conversations.  Because the malicious software appears not to damage a targeted system and communicates via HTTPS to command-and-control systems, infections may be difficult to detect.
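Because the uploads travel over HTTPS on port 443, content inspection at the perimeter sees only encrypted traffic; what remains visible in proxy or flow logs is the timing. The following is an added detection example, not Cisco's code and not a signature from the alert: it parses constructed proxy-style log lines (timestamp, source host, destination, port; the addresses are documentation ranges, not real C2 hosts) and flags a source/destination pair whose connection intervals are nearly constant, which is how periodic check-ins to a single host stand out from ordinary browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not captured traffic. One event per line:
# <ISO timestamp> <source host> <destination host> <destination port>
# 203.0.113.10 is contacted every 30 minutes exactly; 198.51.100.7 at
# irregular, browsing-like intervals.
SAMPLE_LOG = """\
2012-05-30T08:00:00Z 10.0.0.5 203.0.113.10 443
2012-05-30T08:01:10Z 10.0.0.5 198.51.100.7 443
2012-05-30T08:30:00Z 10.0.0.5 203.0.113.10 443
2012-05-30T08:47:32Z 10.0.0.5 198.51.100.7 443
2012-05-30T09:00:00Z 10.0.0.5 203.0.113.10 443
2012-05-30T09:12:05Z 10.0.0.5 198.51.100.7 443
2012-05-30T09:30:00Z 10.0.0.5 203.0.113.10 443
2012-05-30T10:00:00Z 10.0.0.5 203.0.113.10 443
2012-05-30T10:51:40Z 10.0.0.5 198.51.100.7 443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination, port)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[(src, dst, int(port))].append(stamp)
    return events


def find_beacons(events, min_connections=4, max_jitter=0.2):
    """Flag flows whose inter-connection gaps are nearly constant.

    jitter is the population standard deviation of the gaps divided by
    their mean (coefficient of variation); 0 means perfectly periodic.
    min_connections keeps one-off or short-lived flows from being scored.
    """
    findings = []
    for (src, dst, port), times in events.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "count": len(times), "period_s": period, "jitter": jitter,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", finding)
```

Real logs need a longer window and a higher min_connections to keep the false-positive rate down, and legitimate periodic traffic (update checks, mail polling, monitoring agents) will also score as periodic; the value of the check is in producing a short list of destinations to look up against reputation data and the host's process list, not in a verdict on its own.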

Overall infection rates of the malicious software appear to be low and mostly targeted at states in the Middle East, with infections reported in Iran, Israel, Syria, and Egypt.

The malicious software may spread through the use of multiple methods, including targeted e-mail campaigns, USB devices, and vulnerabilities in Microsoft Windows.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan. Rule-based firewalls are typically set up by an administrator for an entire network. These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow certain services and processes to access the Internet or local network. These firewalls can be configured to prompt a user each time a new process or service is attempting to access the Internet or local network. Both types of firewalls may prevent malicious code from downloading updates or additional files. The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.

Most host intrusion detection/prevention system software can be configured to warn users when suspicious activity occurs on their systems. This software can be configured to prevent this trojan from attempting to execute its infection routines. Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs. Often users can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.

 
Safeguards

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those that are specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.

Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.

 
Patches/Software

Patches and software updates are not available.


Signatures
 
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Signature ID   Signature Name                                Release   Latest Release Date
1256/0         Flame Malware                                 S649      2012 Jun 05
1263/0         Microsoft Unauthorized Digital Certificates   S649      2012 Jun 05
1263/1         Microsoft Unauthorized Digital Certificates   S649      2012 Jun 05
 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield | Malicious Code Alert | Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service. To register for full access, please visit the IntelliShield trial registration page.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.