The biggest cyber security related news story this week has been about the Flame/Wiper malware. The event has gotten high-profile coverage from several media outlets (linked below). So far, there have been no strong indicators that Flame is tied to anything ICS- or SCADA-related. There has been plenty of speculation in the media coverage that Flame does target ICS environments, based on its apparent sophistication and the countries in which infected machines were detected.
After reading through several pieces of analysis, including the original analysis performed by CrySyS Lab, it appears that Flame is highly modular and incorporates some pieces of technology that are not normally associated with malware. These facts indicate only a possible connection to ICS environments, in the sense that any malware can end up infecting an ICS environment. Based on what has been reported so far, it is not probable that Flame is targeting ICS environments.
That being said, there are still several things that you can do to check your environment for Flame infections.
First, gather file names, module names, and other infection-related information from the CrySyS Lab and Kaspersky analyses. Once you have a set of indicators of compromise, search and scan your environment in whichever of the following ways are available to you:
- Search files, directories, and disk space on Windows-based assets through whichever means are available. This can often be done remotely, and your environment may already have tools that run such a search across a wide group of machines at once. If recent backups exist, some environments can search the backup store instead, which lessens the load the search places on primary assets.
- Search file-monitoring or host-based security product logs. CrySyS Lab provides several lists of MD5 and SHA-1 hashes of the files involved in a Flame infection.
- Search Windows Event Logs for process creation events related to the indicators of compromise.
- Update your A/V signatures and scan Windows-based assets. It is important to detect infections first and not take any automatic steps to remove them: automatic removal may cause instability in your environment and threaten your physical process. Remember, set phasers to stun when using A/V on production assets! You may also want to exclude certain file types and locations from the scan, such as in-use database files; scanning high-I/O files such as databases can interrupt both the scan and the physical process.
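As an added illustration of the hash and file-name search described in the first two items (example code written for this post, not part of the original article or of the CrySyS Lab and Kaspersky analyses), the following Python script walks a directory tree or a mounted backup store, hashes every file with MD5 and SHA-1, compares the results against an indicator list, skips in-use database file types, and only reports what it finds; it never removes anything. The indicator values in it are constructed placeholders to be replaced with the published lists.

```python
import hashlib
import os
import sys
from pathlib import Path

# Placeholder indicator sets: populate them from the CrySyS Lab / Kaspersky
# hash and file-name lists. The values below are constructed, not real IoCs.
IOC_FILE_NAMES = {"example_module.ocx"}
IOC_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}  # MD5 of an empty file
# Suffixes skipped to avoid stalling on in-use, high-I/O files such as databases.
EXCLUDED_SUFFIXES = {".mdf", ".ldf", ".mdb", ".accdb"}
CHUNK = 1 << 20  # hash in 1 MiB chunks so large files do not exhaust memory

def hash_file(path):
    """Return (md5, sha1) hex digests of a file, streaming it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def scan_tree(root, ioc_hashes=IOC_HASHES, ioc_names=IOC_FILE_NAMES,
              excluded=EXCLUDED_SUFFIXES):
    """Walk root and return [(path, reason)] matches; detect only, never remove."""
    ioc_hashes = {h.lower() for h in ioc_hashes}
    ioc_names = {n.lower() for n in ioc_names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in excluded:
                continue  # leave database files and similar alone
            if name.lower() in ioc_names:
                hits.append((str(path), "name"))
            try:
                md5, sha1 = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip rather than fail
            if md5 in ioc_hashes or sha1 in ioc_hashes:
                hits.append((str(path), "hash"))
    return hits

if __name__ == "__main__":
    for path, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH ({reason}): {path}")
```

Run it against a mounted backup store first where one is available, so the hashing I/O does not land on production assets.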
- Original analysis by the Laboratory of Cryptography and System Security (CrySyS), Budapest University of Technology and Economics, PDF via CrySyS
- The Flame: Questions and Answers, Kaspersky Lab Expert via Securelist.com
- Flame: Bunny, Frog, Munch and BeetleJuice…, Kaspersky Lab Expert via Securelist.com
- Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers, WIRED
- Flame: ‘20 Times Larger than Stuxnet’, ISS Source
- Meet Flame, the Ebola Virus of Malware, CIO
- Super-virus Flame raises the cyberwar stakes, CNN Money
- What’s the Meaning of This: Flame Malware, Threatpost