Putting Out the Flame

There's a lot of buzz going around in the security field about a big piece of malware, code named "Flame" or "Skywiper". Let's make some sense and try to extinguish the flame wars. There is an excellent paper that was published by the CrySys team [http://www.crysys.hu/skywiper/skywiper.pdf] and we also included information from an analysis we conducted. So, how does one gets infected with the Flame? Two possible vectors:

1. Physical delivery, like it was with Stuxnet that used the infamous LNK exploit, which
   incidentally is found in Flame as well. Someone had to physically insert a USB
   thumb drive into a victim PC. This vulnerability was a 0-day back when Stuxnet
   was first discovered, but it's patched now. As of now, no 0-day exploits were
   found in Flame.
2. Remote delivery. In this case it could be a malicious link or an email attachment. If
   the Flame authors would try to remotely deliver Flame's primary file to the
   victim machine, this file will get blocked by Trustwave Secure Web Gateway due
   to lack of a proper digital signature.

Even if this malware would get installed in your organization, it would probably try to "call home" – contact the C&C server. Secure Web Gateway will block its attempts to reach those domains.

The SpiderLabs team will continue to monitor this incident closely and provide any necessary updates.