In our recent post about the Flame malware, we promised to update you with information from our ongoing investigation. Today we wanted to give you the latest information on the threat itself, protections available for Trend Micro customers and results from our analysis so far. In a nutshell, while Flame is a very interesting piece of malware, it’s not a broad threat.
Flame has been noteworthy the past few days. But it’s noteworthy because of the nature of the malware and what appears to be its very limited and specific targets. Flame right now is not a significant threat to users more broadly. Information from our Smart Protection Network™ and working with customers show actual numbers of infections to be extremely low and confined to the Middle East and Africa regions.
The threat from Flame is lessened even more for Trend Micro customers because they are protected against the attack both through current signatures (which detect the malware as WORM_FLAMER.A and the configuration files as TROJ_FLAMER.CFG) and URL blocking of identified command and control (C&C) servers.
In terms of analysis, our focus is on protecting Trend Micro customers, so our ongoing analysis is focused on identifying additional C&C servers because these are geographically disbursed and can move. Interestingly, our analysis is showing C&C servers located primarily in Europe and Asia.
The malware itself is focused on stealing data and is very large, making thorough analysis slow. In this case, the largeness is due to the multi-faceted capabilities of the malware: it has been equipped with a variety of tools to accomplish its mission once it’s made its way into the target network. Some of the components that it includes date back to 2009.
As Rik Ferguson also noted, the malware is also unusual because it appears to be written in the Lua programming language which is often used as a scripting language by game developers (and not typically used for malware).
Our analysts are continuing to work to understand all the components in this malware, particularly to continue adding URL blocking as new C&C servers are identified. While Flame itself doesn’t represent a broad risk right now, there is a risk that the malware will be taken up by others and repurposed for broader attacks like we’ve seen in other attacks like this such as Stuxnet. Our worldwide teams are watching for that and if we see that, will add protections and provide information for Trend Micro customers on this blog as soon as possible.
Update as of June 1, 2012 3:17 AM PST
Trend Micro protects enterprises from the malicious network packets related to FLAME via Trend Micro Deep Discovery.
Update as of June 4, 2012 2:49 AM PST
Trend Micro has been covering users from the two vulnerabilities used to deploy Flame since 2010. In particular Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released on September 2010) and MS10-046 via rule 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released on July and August 2010).
Update as of June 4, 2012 7:21 PM PST
Microsoft issued Security Advisory 2718704 to revoke two certificates that are being used by Flame components. Users running Windows XP, Vista, Server 2003, Server 2008 (Server Core Installation included), and 7, as well as Windows Mobile 6, 7, and 7.5 users are advised to run Microsoft Update to download and install the security update from Microsoft.