Security specialists describe the malware Flame, also known as Flamer, as the most advanced computer virus ever found and a new level of sophistication in cyber warfare. Flame is able to extract large volumes of information from its victim and send the information back to its operators. The information that Flamer extracts includes key strokes, directory structure, files and documents, activation of audio recording by demand, scan for neighboring Bluetooth devices and much more.
The method used by Flame operators for initial infection of a victim computer is still unclear, and the assumptions of security specialists vary from network intrusion to physical infection of a computer through USB key. While security companies are still researching methods to block Flame’s initial infection, Radware ERT has generated a signature that blocks Flame spreading attempts within the victim's organization. It was discovered that Flame is able to spread across a victim’s organization through a sophisticated ‘Man in the Middle attack’ on the Windows Update service. As soon as Flame tries to spread from one infected computer to another, Radware's Attack Mitigation System identifies the spreading attempt and blocks it. In addition, an immediate alert is sent to the security operation center in the organization, so they become aware that Flame exists in their network.
Organizations deploying Radware’s Attack Mitigation System significantly reduce the risk of data extraction by Flame and are notified of its existence as soon as it tries to spread in the organization. In addition there is evidence that Flame may be also be using Microsoft LNK Exploit MS10-046. Radware signatures already protect against its network manifestation of this vulnerability.
ERT Recommendations
Install the latest signature file from Radware on the DefensePro devices to block Flame spreading attempts. In addition, customers are advised to use host-based protection such as AntiVirus to remove Flame from infected computers, and detect or prevent its host-based activities.
Radware’s customers are encouraged to contact our support team and to receive immediate assistance from our ERT team. Non-Radware customers can contact our ERT through a Radware representative.