Wednesday, 23 January 2013

A Guide to The Flame

On an infected system, among many other things, Flame can sniff network traffic, take screenshots, and capture keystrokes. The most intriguing of its capabilities is the ability to record audio conversations and Bluetooth usage on top of everything else it does. The size of the worm, an unusually large 20Mb, and the complexity of its code have made it hard for security professionals to get their heads around its complete capability. All this data is periodically made available, even after the detection of the worm, to a handful of command-and-control servers through a covert SSL channel. The latest known number of these CnCs was 11.
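The post describes Flame reporting periodically to a handful of command-and-control servers over SSL. That regularity is something a defender can look for: a host that opens a TLS connection to the same external server at almost fixed intervals stands out from ordinary browsing. The script below is an added example, not code from the original post or from any Flame analysis; its log format and the log lines are constructed for illustration, and the threshold values are assumptions a practitioner would tune to their own network.

```python
"""
Beacon detection over constructed TLS connection log lines.
Added example (not from the original post). The log format
"<ISO timestamp> <src_ip> <dst_host> <dst_port>" and the sample lines are
constructed; min_connections and max_cv are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: one host contacts cdn.example.net every hour
# (a beacon-like pattern); the rest of the traffic is irregular.
SAMPLE_LOG = """\
2013-01-23T08:00:00 10.0.0.5 cdn.example.net 443
2013-01-23T08:00:13 10.0.0.5 mail.example.org 443
2013-01-23T08:02:41 10.0.0.5 news.example.com 443
2013-01-23T09:00:02 10.0.0.5 cdn.example.net 443
2013-01-23T09:17:09 10.0.0.5 news.example.com 443
2013-01-23T10:00:01 10.0.0.5 cdn.example.net 443
2013-01-23T11:00:03 10.0.0.5 cdn.example.net 443
2013-01-23T12:00:00 10.0.0.5 cdn.example.net 443
2013-01-23T08:05:11 10.0.0.9 news.example.com 443
2013-01-23T08:40:27 10.0.0.9 news.example.com 443
2013-01-23T10:12:45 10.0.0.9 cdn.example.net 443
"""


def parse_log(text):
    """Group TLS (port 443) connection timestamps by (src, dst), sorted by time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if port != "443":
            continue
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    for times in conns.values():
        times.sort()
    return dict(conns)


def gaps_seconds(times):
    """Inter-connection gaps in seconds for a sorted list of timestamps."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_score(times):
    """Coefficient of variation of the gaps (0.0 means perfectly regular).

    Returns None when there are fewer than three gaps, since regularity
    cannot be judged from a couple of connections.
    """
    gaps = gaps_seconds(times)
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_beacons(text, min_connections=4, max_cv=0.05):
    """Return sorted (src, dst, mean_gap_seconds, cv) tuples for pairs whose
    connection spacing is regular enough to look like a beacon."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is None or cv > max_cv:
            continue
        hits.append((src, dst, round(statistics.mean(gaps_seconds(times))), round(cv, 4)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, mean_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{mean_gap}s (cv={cv})")
```

On the constructed sample the only pair flagged is 10.0.0.5 talking to cdn.example.net roughly every 3600 seconds. Real beacons often add jitter to their timing, which is why the check uses a tolerance (`max_cv`) rather than requiring identical gaps; raising it catches sloppier periodicity at the cost of more false positives from legitimate polling clients.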
The Flame worm was signed by a forged Microsoft certificate. When an infected machine ran Windows Update, the worm redirected the connection through another infected machine, which acted as a server and delivered a fake, malicious Windows update to the client. Microsoft further elaborated on this on their MSRC website and issued a Security Advisory (2718704). The advisory stated that the creators of the virus obtained that certificate by manipulating a component of the Windows OS known as Terminal Services licensing. A bug in TS licensing allowed the hackers to use it to create fake certificates that identified Flame as being from Microsoft.

Who is behind it?

A statement was issued by a senior administration source from the hacktivist group “Anonymous” in the New York Times that President Barack Obama sped up the initiative launched by his predecessor, George W Bush, aiming to use computer viruses to attack Tehran's uranium-enrichment program. Other reports point fingers at rival countries like Iraq. At this point in time, nothing can be said with certainty. The majority of people are not at risk, since Flame has been aimed at highly specific and targeted attacks. Even geographically, the attack has been confined to Middle East nations.

Steps taken to prevent further attacks

Researchers at Kaspersky Lab have found that Flame has been maintaining a log of information on server connections and have taken steps to cut off Internet access for machines infected with the Flame worm. Microsoft too has issued a Security Advisory to alert people of the forged certificate and has released a patch to counter its impact. Several antivirus firms have updated their antivirus products to enable detection of this worm.
