The media has gone crazy about the Flame worm which has been seen infecting computers in the Middle East (Iran, in particular).
Are the news headlines doing a good job of educating the public about the seriousness of the incident, however?
Flame has been called “the most complex threat”, the world’s “most sophisticated cyber weapon”, and we’ve even been told it’s “much bigger than Stuxnet”.
But what does that actually mean?
Yes, Flame is bigger than Stuxnet. If you’re counting bytes.
Flame, with all of its modules and libraries, can come in at close to 20MB. That’s about 40 times larger than Stuxnet – which was itself portly by malware standards. So, yes, Flame is much bigger.
But my guess is that number of bytes wasn’t what you were thinking of when you read the headline.
After all, as we should always remind ourselves, size doesn’t matter. What matters to most computer users is whether they are likely to become infected by the malware or not, and how many computers it has infected.
Kaspersky, which made the biggest media splash regarding Flame, has only discovered a few hundred computers infected by the malware.
That’s not that big.
Certainly, it’s pretty insignificant when you compare it to the 600,000 Mac computers which were infected by the Flashback malware earlier this year.
In fact, there were said to be 274 Flashback-infected computers in Apple’s home town of Cupertino alone – that’s more infections than there have been found of Flame in *all* of Iran!
And let’s not forget other malware outbreaks of past years – Conficker, Sasser, Sobig, Code Red – all much more significant in terms of number of infections than Flame.
20MB is a hefty piece of code by malware standards, there’s no doubt about that – even if much of it is made up of code libraries.
But it’s worth realising that it’s much, *much* easier to write protection against a piece of malware than to *analyse* what it actually does.
What’s going to take a while is dissecting Flame to find out all of its quirks and functionality, not protecting against it. When you hear anti-virus experts talk about Flame’s complexity, chances are that that’s what they’re referring to.
Because, at its simplest level, Flame isn’t doing anything different from the vast majority of other malware we see on a typical day.
Every day, we see approximately 100,000 new pieces of malware and most of them have the ability to steal information (by grabbing keypresses, taking screenshots, stealing your files) just like Flame.
Of course, Flame doesn’t really represent much of a threat anymore. Every anti-virus worth its salt (and even a few crummy ones, I expect) now detects it and protects against it.
Whoever was behind it will likely be feeling pretty grumpy, or working hard on a new version which they hope will be able to skirt past defences.
So let’s keep things in perspective. Chances are that your computer is more at threat from some of the many other examples of malware that are in existence out there.
Furthermore, you shouldn’t need to be doing anything out of the ordinary to protect against these threats – keep your anti-virus and security patches up to date, take care over what software you install and the USB sticks you insert into your PC, run a layered defence inside your organisation. You know the drill by now.
I’m not saying that Flame isn’t newsworthy. It clearly is.
If I were a betting man, I’d probably put money on a state agency being involved in the creation of Flame. That seems to be getting reported as fact, but there certainly isn’t any proof yet.
Not that the absence of evidence will stop some of the reports – after all, Flame has all the familiar ingredients to add to the ongoing narrative of how states could be using the internet to spy upon each other.
But that’s nothing we haven’t heard before, and it’s hard to think of anything new that typical computer users should be doing to protect themselves.
Sophos products protect users against the Flame threat, identifying it as W32/Flame-A.
10 comments on “Flame malware – The biggest? The baddest? A little perspective”
The CBC called it the "most lethal cyberweapon to date" (http://www.cbc.ca/news/technology/story/2012/05/28/tech-malware-flame-cyberattack.html).
Lethal? Really, CBC?
A measure of how big/serious/dangerous some malware is can be the length of time it takes to be discovered. Once identified it can be protected against and it doesn't matter how many harmful features it has.
If there is a way of quantifying the (potential) damage of those features though, you would multiply that by the time the malware is active to get a measure of total (potential) damage/how serious it was. I'm not sure how old malware normally is before it is detected but it's already been said that evading detection is what makes this case so sophisticated and a big deal.
There's not much new a typical user should do to protect themselves but is there anything new that antivirus companies can or need to do in light of this (particularly the ability to hide)?
So what are we doing now: in the 21st century we have supposedly legitimate governments or companies doing malicious activities in some attempt to get money under the table?
Perhaps the importance of these discoveries is that it changes the tone of the wider discussions about cyberwarfare. They have already made the step from talking in terms of 'if' to 'when'. Widespread knowledge of these tools might help people to understand that the time frame is 'right now'.
Well despite being a Mac user I'm still alive… and still waiting for Sophos to find some Malware so that I can join the 600,000 Club.
The way to defend yourself against this new Malware is to do what's good practice anyway. So people should be being educated about that… but it's difficult to herd cats.
"The way to defend yourself against this new Malware is to do what's good practice anyway."
How can you ever hope to join the 600,000 Club with an attitude like that? 😉
Then what is the reason for the UN to issue a virus warning for the first time in its history!?
Do you all think that Iranian users or the government can take a cool and relaxed view about Flame as the writer does? Or are they under the influence of the same hype and craziness?
Find 10 differences:
Was Stuxnet that terrible after all? What's the big deal about destroying a half of hundreds of some centrifuges somewhere? Who cares? Average users have not been exposed, that’s OK! The rest is insignificant.
MY MAC HAS SOMETHING!! HELP! It acts like any of these described above. Yeah, yeah, I live in the USA, but I do deal with the Middle East with my computer. They send me videos, pics, YouTubes, Twitters, Ustreams, but I'm not on Facebook, thank goodness, but they can read my Google+, which I rarely use. I am not friendly with some of them; we have some heated discussions sometimes.
I've been amazed at the hiding places my original files are in, and have no idea which versions of everything on the computer are the ones I should have, including all system files, and I can't get permission to delete them.
It took Sophos offline with a special removal tool, and does its ridiculous job during my power up – whether I'm online or not (at least I'm pretty sure it does). It still adds new modules if it can get in. I have to get offline ASAP; hackers work late at night, and I don't want to be seen.
Anyway, it made a new, modified version on my machine, and I can't get rid of it. If I download a new version of anti-virus, it just gets eaten up by the first one, ruined on May 1 of this year. I downloaded new copies today, after I tried to remove all traces of Sophos and Naked Security; the fakes it made can't be moved or deleted.
It is slowly driving me insane.
Any suggestions will be greatly appreciated. I know I have no clue about what I'm doing, so any nasty comments will be a waste of your time, not mine. But if you're including nastiness with good help, bring it on, with many thanks!
I hope anyone can make sense of what I just wrote. And thank any/all of you in advance.