There’s a lot of buzz going around in the security field about a big piece of malware, code named “Flame” or “Skywiper”. Let’s make some sense and try to extinguish the flame wars. There is an excellent paper that was published by the CrySys team [http://www.crysys.hu/skywiper/skywiper.pdf] and we also included information from an analysis we conducted. So, how does one gets infected with the Flame? Two possible vectors:
- Physical delivery, like it was with Stuxnet that used the infamous LNK exploit, which
incidentally is found in Flame as well. Someone had to physically insert a USB
thumb drive into a victim PC. This vulnerability was a 0-day back when Stuxnet
was first discovered, but it’s patched now. As of now, no 0-day exploits were
found in Flame.
- Remote delivery. In this case it could be a malicious link or an email attachment. If
the Flame authors would try to remotely deliver Flame’s primary file to the
victim machine, this file will get blocked by Trustwave Secure Web Gateway due
to lack of a proper digital signature.
Even if this malware would get installed in your organization, it would probably try to “call home” – contact the C&C server. Secure Web Gateway will block its attempts to reach those domains.
The SpiderLabs team will continue to monitor this incident closely and provide any necessary updates.