There’s been a lot of chatter lately in the media about the new flame malware. The FortiGuard team has created a Q&A document to give customers information on what flame is, how it acts and how they’re protected from it.
Q: I have been reading about the new flame malware in the media recently. What is it exactly?
A: At a high level, flame is a fairly lightweight (20MB) virus that was first detected by Kaspersky Lab last Monday. The malware appeared to have gained traction on hundreds of targets in the Middle East, particularly Iran, Syria and Palestine. From what we have been able to ascertain, Flame exploits some of the same Windows vulnerabilities as its predecessor Stuxnet and is armed with a slew of unique tools. Some defining characteristics include the ability to record audio around the victim’s computer, capture screenshots and upload copious amounts of data to remote servers via encrypted channels, all while stealthily dodging some of the most robust anti-virus solutions on the market. Additional background on the newer variant can be found here.
Q: As a Fortinet customer, am I protected against an infection of this malware variant?
A: Fortinet FortiGate customers will automatically be protected if they allow updates to be pushed to their FortiGate appliances. Customers using the free version FortiClient will get the latest AV signatures without any active subscription.
Q: Am I automatically protected or do I have to download new signatures?
A: Customers should automatically be protected once FortiGuard Labs pushes out an update. Customers don`t need to download new signatures. Once the sample has been detected and a customer has a properly configured FortiGate, the customer should be protected.
Q: How does the latest Flame variant work?
A: Please note that FortiGuard Labs has set-up different scenarios to analyze and monitor how Flame works and the team’s findings may differ from reports made by other researchers.
C&C CONNECTIVITY
FortiGuard has gathered different variations of the Flame malware that slightly varies in file size. These samples are variations of the main modules of the Flame malware. FortiGuard has also observed that these samples also try to connect to different domain names.
The figure below shows the list of samples with the list of domain names they have tried to connect to.
FortiGuard has also observed that the Flame malware will not try to connect to those domain names if the user is using a network sniffer or network monitoring tools such as wireshark. FortiGuard believes this is one of the malware’s ways of avoiding detection.
SECURITY APPLICATION DETECTIONS
Contrary to some reports that Flame malware terminates the execution of some security applications, FortiGuard has observed that instead of terminating the security applications’ processes, Flame malware will not install itself nor will it drop its components onto the system. If the list of processes below is seen running on the system, the malware will simply exit and not proceed with malicious activity. This is assuming that those processes are already running before the initial setup of the Flame malware.
If the Flame malware is already on a system and a security application is installed, the malware will just ignore them. FortiGuard believes this is another way for the malware to avoid detection.
Below are the processes FortiGuard has observed. Note: This is not a comprehensive list.
- snsupd.exe
- snsmcon.exe
- sndsrvc.exe
- siteadv.exe
- sdtrayapp.exe
- protect.exe
- pgaccount.exe
- persfw.exe
- pcviper.exe
- pctavsvc.exe
- onlinent.exe
- omnitray.exe
- oasclnt.exe
- lookout.exe
- livehelp.exe
- licwiz.exe
- kpf4gui.exe
Leave a reply
