Today, Palo Alto Networks released emergency antivirus release #756 to provide coverage for the recently discovered Flame malware. This update includes multiple signatures to detect the main module of Flame as well as its subcomponents, including dvnetcfg.ocx, advnetcfg.ocx, and soapr32.ocx. Symantec has published a very good summary of these components and their role in the overall functionality of the malware.
As has been widely reported, Flame is the latest example of very sophisticated malware that at least appears to be the work of a nation-state or states. While there is no shortage of interesting aspects to Flame, there are a few trends that I think are particularly noteworthy as we think about the evolution of security.
The Eroding Boundary Between Applications and Malware
Those of you who are familiar with the Palo Alto Networks approach to malware are well aware of the interrelationship between applications and malware. Not only can applications increase the attack surface of a network if not properly managed, but most modern malware is itself a sophisticated networked application with its own unique methods of communicating and hiding from security controls. Flame takes this trend and extends it several steps further. Unlike previous malware, which was characteristically small and reused components already present on the host system, Flame looks more like a proper, full-sized application. Weighing in at up to 20 MB, with multiple self-contained libraries and modules, the only difference between the Flame malware and a legitimate application is malicious intent. Again, this is why it is fundamentally important to truly understand and recognize all the traffic on your network at the application level. Our recent Threat Review addressed this interrelationship between monitoring application traffic and the ability to find and control modern malware; you can view it here: http://www.youtube.com/watch?v=S9nGJ_vtpnk&feature=youtu.be
Encryption is King
An analysis of the Flame malware shows just how important encryption is for malware that wants to remain hidden. This applies not only to the malware and its modules but to its traffic as well. Flame encrypts the configuration files and modules it creates on the system using its own keys, making the files difficult to analyze. Additionally, Flame includes its own SSL and SSH libraries, both for encrypting its own traffic and for digging deeper into compromised networks. This brings up two important next-generation controls: SSH should be controlled and limited to specific users, and security teams should have the ability to decrypt and analyze the contents of SSL-encrypted communications, along with the ability to drop custom SSL that cannot be decrypted.
The Incredible Impact of Nation-States
It’s hard to overstate how significant an impact the arrival of nation-states will have on the evolution of malware. With Stuxnet and Duqu, we saw malware that was easily the most sophisticated the industry had ever seen. Now with Flame, we see yet another example of malware that is just as sophisticated, if not more so, but which is entirely different from Stuxnet and Duqu. Malware had already demonstrated an impressive evolutionary ramp, with organized crime largely the engine of change. Now we see nation-states making repeated evolutionary leaps that significantly advance the state of the art in the industry. It’s probably impossible to truly predict the impact this new breed of malware will have on the industry, but one thing is certain: information security is becoming both more challenging and more valuable every day. May we live in interesting times.