The incredibly sophisticated and dangerous Flame virus has already been responsible for impacting the oil industry and spying on Mideast computers. But what happens if it spreads even further, and who is to blame? Researchers are still looking for clues, but few are surprised by the outbreak.
Last week, McAfee -- which dubs itself as the world's largest dedicated technology company -- released its first-quarter 2012 threats report, highlighting an increase in malware across all platforms. The report shows that, in the first quarter, PC malware reached its highest levels in four years, with a steep increase in malware targeting the Android platform. Mac malware was also on the rise, indicating that total malware could reach the 100 million mark within the year.
"In the first quarter of 2012, we have already detected 8 million new malware samples, showing that malware authors are continuing their unrelenting development of new malware," said Vincent Weafer, senior vice president of McAfee Labs.
A U.S. Threat?
It appears that the Flame virus, which has been topping news reports for the past week, may have been used for espionage in the Middle East for years. Iran has disclosed that Flame infected computer systems controlling the flow of oil in that country, and it was forced to cut Internet links to its main oil export terminal to try to contain the virus.
The virus appears to be the work of a well-funded organization, possibly a national government. It is reportedly capable of logging keystrokes, taking screen shots, using a computer's audio system to listen into conversations or Skype calls, and even to tap into nearby Bluetooth-enabled cellphones.
We caught up with Neil Roiter, director of research at Corero, about Flame. He told us Flame is remarkably sophisticated and can be used against a variety of targets.
"Learning that Flame has been in use for two years, perhaps longer, underscores concerns that similarly complex malware could be directed against U.S. companies, institutions and government agencies," he said.
"Organizations should not be lulled by the fact that this particular malware has been used against selected targets -- primarily in the Middle East," Roiter said. Instead, they need to "increase vigilance in network monitoring and analysis to detect anomalous, surreptitious activity within their perimeters."
Keeping a Low Profile
We also asked Gunter Ollmann, Damballa's vice president of research, to discuss his insights regarding Flame. He cautions our readers against some of the jumps people are making related to where the threat is coming from. As he sees it, the actors behind this threat have successfully managed their targets and victims, keeping a low profile and not going for the masses or complex setups.
"The collection of files doesn't point to anything not already seen in most common banking Trojans or everyday hacking tools," Ollmann said. "This doesn't make it less dangerous, it reflects the state of malware development -- where 'advanced' features are standard components and can be incorporated through checkbox-like selection options at compile time."
Protecting Against Flame
Troy Gill, a security analyst at AppRiver, offers some wisdom in the form of dos and don'ts when dealing with the likes of Flame. For example, Gill said busy network admins should keep up-to-date with the organization's disaster recovery plan, keep systems upgraded and give employees access only to the information that's required to perform their jobs.
"Know your employees and educate them. So many employees are unaware of the threats that are out there. Take the time to educate them on these threats," Gill said. "The use of a reliable Web filter can block malicious Web pages when an unknowing victim is attempting to access them. Many of these infections lay in wait on trusted Web sites that would ordinarily be harmless."