Update on FLAME
In our recent post about the Flame malware, we promised to update you with information from our ongoing investigation. Today we wanted to give you the latest information on the threat itself, protections available for Trend Micro customers and results from our analysis so far. In a nutshell, while Flame is a very interesting piece of malware, it’s not a broad threat.
Flame has been noteworthy the past few days, but it is noteworthy because of the nature of the malware and what appear to be its very limited and specific targets. Flame right now is not a significant threat to users more broadly. Information from our Smart Protection Network™ and from working with customers shows that actual numbers of infections are extremely low and confined to the Middle East and Africa regions.
The threat from Flame is lessened even more for Trend Micro customers, who are protected against the attack both through current signatures (which detect the malware as WORM_FLAMER.A and its configuration files as TROJ_FLAMER.CFG) and through URL blocking of identified command-and-control (C&C) servers.
In terms of analysis, our focus is on protecting Trend Micro customers, so our ongoing analysis concentrates on identifying additional C&C servers, because these are geographically dispersed and can move. Interestingly, our analysis shows the C&C servers located primarily in Europe and Asia.
The malware itself is focused on stealing data and is very large, which makes thorough analysis slow. In this case, the size is due to the multi-faceted capabilities of the malware: it has been equipped with a variety of tools to accomplish its mission once it has made its way into the target network. Some of the components it includes date back to 2009.
As Rik Ferguson also noted, the malware is unusual because parts of it appear to be written in the Lua programming language, which is often used as a scripting language by game developers and is not typically used for malware.
Our analysts are continuing to work to understand all the components in this malware, and in particular to add URL blocking as new C&C servers are identified. While Flame itself does not represent a broad risk right now, there is a risk that the malware will be taken up by others and repurposed for broader attacks, as we have seen with other attacks such as Stuxnet. Our worldwide teams are watching for that, and if we see it, we will add protections and provide information for Trend Micro customers on this blog as soon as possible.
Post from: TrendLabs | Malware Blog – by Trend Micro