Flame ON
June 4, 2012
By Roger Thompson

This morning’s revelation that Flame used a Microsoft certificate to sign update code underscores exactly what I said earlier about the real issue being that Flame had apparently been on the victim’s systems for at least a couple of years.

Put another way: some folk lampooned Flame for being big and clunky compared with Stuxnet, which was positively sleek by comparison and certainly much more sophisticated. But in my mind the point was always that Flame was there, and no one has any way of knowing what else it might have done while it was there.

This certificate exploit/manipulation (I’m not sure which is more correct at this point) allowed Flame to install whatever software it wanted, whenever it wanted, and it would have looked like an official Microsoft update. For probably two years.

This gave the attackers a way to insert code into a fully-patched Windows 7 operating system, and neither Windows nor the machine’s owner would have been able to see anything suspicious.

This sort of attack is really hard to defend against.

You simply have to stop this code before it gets running, and again, the only way to do this is with integrity management and behavior monitoring.

It’s a new world, folks. Are you prepared?

Terms: Anti-Malware
