News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
Malware Traditions on Fire: What you need to know about Flame
Posted by Patrik Runald on 31 May 2012 04:17 AM


Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It’s also unusually large (20 MB), whereas most attacks contain small files (under 1MB). The file is so large because it incorporates a broad set of capabilities including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some rare techniques not commonly found in malware, such as using the LUA scripting language for some of its functions. The primary function of Flame is to collect and upload information.


While it really doesn't do anything we haven't seen before in other malware attacks—what’s really interesting is that it weaves multiple techniques together and dynamically applies them based on the capabilities of the infected system. Also, Flame has been operating under the radar for at least two years, which counter intuitively may partially be attributed to its large size.


Flame has been found mainly in the Middle East, specifically: Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria. Based on historical APT patterns, the target region, and complexity/quality of the code, our guess is that Flame was created by one or more Western intelligence agencies. I don't think we'll see too many copycats of Flame, but we will see more targeted attacks against nations. This is following the trend we have been seeing of nation vs. nation web threats that go beyond off-the-shelf Remote Access Kits.


How effective Flame has been remains to be determined, as there still have only been a small number of infections discovered. While we have identified it in approximately eight countries, it is targeted and on only a select number of systems. We will be sure to keep our readers updated on our findings.


It’s also important to mention that our Websense Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, and Email Security Gateway (Anywhere) customers all have protection in place for known samples of Flame. All of these solutions leverage our ACE (Advanced Classification Engine) technology.


Do you have any questions on Flame? If so, leave a comment and we can discuss.


Read more »

Flame/Flamer/Skywiper - one of the most advanced malware found yet
Posted by Elad Sharf on 29 May 2012 07:51 PM

Yesterday, news broke that a new strain of highly advanced malware (APT), dubbed Flame (Flamer/Skywiper), has been identified. The variant was found to be prevalent in the Middle East. Recent well-known malware that was also found in the Middle East are Stuxnet and Duqu, both very advanced and ground-breaking. Flame has most likely been in circulation since 2010, but has just been identified. The primary function of Flame is to collect and upload information, which it does in several ways, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more.


The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB. One of the main reasons for its relatively much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a LUA virtual machine. So far, known vulnerabilities used in this malware are: MS10-046 and MS10-061. Those were both used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks.


Flame's main module name and some debugging data that suggests when that module was compiled:


Some runtime data in Flame at the infection stage: 

Does Websense protect customers?

Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security and Email Security Gateway (Anywhere) and Websense Email Security all have protection in place for known samples of Flame.

More information

Analysis throughout the security industry is ongoing. This additional analysis is available right now at CrySys (PDF).



Read more »