iTunes 10.7 Update: Heavy On Security Fixes, Short On Details

iTunes 10.7 Update: Heavy On Security Fixes, Short On Details

Yesterday, Apple released an updated version of their popular media player and mobile syncing software, iTunes 10.7. The update adds new features (like support for upcoming iOS 6) and fixes security vulnerabilities.

I must admit, I pretty much ignored Apple’s email about this update at first. After all, iTunes is a media player. Not really your typical business critical software, and not something I see attackers target very often. That said, it’s important to update all of your software, so I took a peek at Apple’s alert.

Wow!

According to Apple’s security bulletin, iTunes 10.7 fixes over 160 different vulnerabilities. I don’t think I’ve ever seen a security update list so many CVE numbers for one patch.

Light Patch Tuesday Brings Two XSS Fixes

Light Patch Tuesday Brings Two XSS Fixes

As I mentioned in last week’s early warning, today’s Patch Day is extremely light with only two updates. According to their September bulletin summary, Microsoft has only released updates for Visual Studio Foundation Server and System Center Configuration Manager. Both updates fix cross-site scripting (XSS) vulnerabilities that Microsoft rates as Important.
If you have either of these products, you should apply today’s patches at your earliest convenience, despite their low severity. If you don’t use either of these products, you’re off the hook this month (whoohoo).  However, don’t forget to check your certificate infrastructure to make sure you are using 1024  bit certificates by October.

Cherwell Software is on the 2012 Gartner ITSSM Magic Quadrant

We have made it!  Cherwell is on the Gartner Magic Quadrant. Click the lick below to view the press release.

Cherwell Software is on the 2012 Gartner ITSSM Magic Quadrant

Crisis Malware Specifically Targets Virtual Machines–Repost from WatchGuard

In a WatchGuard Security week in review from about three weeks ago, Corey highlighted a new cross-platform malware variant called Crisis, which could infect both Windows and Mac computers by using a Java vulnerability that affected both platforms. The cross-platform nature of this malware alone made it pretty unique and interesting. This week, Symantec has uncovered new details about Crisis, which makes it even more impressive and scary; and could also represent an evolutionary new step  for malware. In short, Crisis specifically targets and infects virtual machines. According to Symantec’s blog post, when Crisis executes on a Windows computer, it searches the hard drive for VMware format virtual images. When it finds a VM image, it mounts the image and copies itself to the virtual machine, thus infecting it as well. Since virtual machines pretty much look identical to physical ones, malware has always been able to inadvertently infect virtual machines. However, this is the first time that I have seen malware that specifically targets and infects virtual images.
This is a pretty big deal in malware evolution. Unlike physical computers, virtual images get cloned, copied, and shared quite a bit. Often, IT administrators have pre-set virtual images they use as the base image whenever building a new virtual machine. If one of these base images got infected, you could inadvertently spread that infection to every new virtual image you spun up.
Furthermore, many administrators haven’t yet implemented the same security controls they have on their physical networks, on their virtual ones. This makes their virtual network a black hole, as far as visibility and security are concerned. One of the issues highlighted this year was that SMB’s increased adoption of virtualization technology would reawaken the need for virtual security solutions. Crisis’ new virtual spreading technique reinforces that prediction. The good news is there are solutions out there. For instance, WatchGuard’s own XTMv and XCSv virtual appliances can deliver all the typical layers of security you use today to your virtual network. Today’s malware authors use modular code and like to share. I suspect many other malware authors will adopt this new virtual image infection trick soon, and we will see them more aggressively target virtual machines. If you haven’t already implemented virtual security solutions, I recommend you do so soon.

Security Week in Review–from WatchGuard

This is a text-version of last week’s security news summary. If you’re interested in the important and interesting security stories you may have missed last week, check out the bulleted-list below.  

• Shamoon malware wipes HD and MBR - An Israeli security firm called Seculert discovered a malware variant that steals info, then erases your hard drive (HD) and wipes your master boot record (MBR), preventing your computer from booting. Though the malware has infected at least one Middle Eastern energy company, experts do not think Shamoon comes from the same authors as other APTs.
• Citadel trojan seems to target airline employees - A security company found a version of the Citadel botnet trojan that seems to target airlines, by attempting to steal employees’ VPN credentials. The malware specifically tries to capture some of the additional authentication tokens certain VPN clients require.
• Blizzard credential breach - Blizzard is the latest victim of yet another password/credential breach. Though Blizzard salts their hash, you should still change your Blizzard credentials
• Anonymous claims another PSN hack; Sony says no - In a tweet and Pastebin post, Anonymous claims they breached Sony PSN network again, and stole the information from 10 million PSN users. Sony says the breach didn’t happen. Chalk this one up to an Anonymous hoax.
• Tridium releases ICS software patches – Tridium creates automation software for lighting and HVAC systems. US-CERT warned of many vulnerabilities in their software, and Tridium released updates to fix them this week. Just more evidence of how digital attacks can affect physical infrastructure.
• Android malware triples in a quarter - One of WatchGuard’s partners, Kaspersky, released a security report last week that included some interesting facts about mobile malware. They found that Android malware has increased three-fold, and mostly focuses on SMS trojans that steal money.
• Wikileaks Trapwire release and DDoS attack- A few weekends ago, Wikileaks released information about how certain agencies are leveraging video surveillance systems to track people (codenamed Trapwire). Shortly after this release, the Wikileaks site suffered DDoS attacks from a group called Antileaks. Antileaks says the incidents are unrelated.

So the Windows Phone is not dead yet......RIM is circling the bowl

Windows Phone Will Soon Overtake BlackBerry in the U.S. http://news360.com/article/150024726

Can cloud and security be used in the same sentence?

Hack raises concern about cloud storage http://www.cnn.com/2012/08/06/tech/mobile/icloud-security-hack/index.html

This is a good example if why the cloud is not quite there yet

Hackers Got Into Honan's iCloud Account With Deception, No Password Required [Security] http://news360.com/article/63048236

Seriously? I have been wondering the very same thing.

Did anyone really confuse Samsung products for Apple's? http://news360.com/article/63064733

Do you have your Outlook.com account yet?

Outlook.com Mail: Microsoft Reimagines Webmail http://news360.com/article/62451728

Interesting Read About Getting Hacked

What Getting Hacked Feels Like http://news360.com/article/62995531

Microsoft Black Tuesday: Get the XML Core Services Patch Immediately | WatchGuard Security Center

More fun on patch Tuesday!

Quoted from http://watchguardsecuritycenter.com/2012/07/10/microsoft-black-tuesday-get-the-xml-core-services-patch-immediately/:

 

Microsoft Black Tuesday: Get the XML Core Services PatchImmediately

July 10, 2012 by Corey Nachreiner

Have you been jonesing for Microsoft Patch Day like a kitty anticipating the next hit of that sweet, sweet catnip? Ah… probably not. Nonetheless, Patch Day has arrived, so run off and snort your latest dose of security updates now.

 

Microsoft Patch Day: July 2012

Microsoft’s July bulletin summary highlights nine security bulletins, which fix 16 vulnerabilities in various products including Windows, Office, Internet Explorer (IE), Sharepoint Server, and some of their development tools.They rate three of the bulletins asCritical,and the rest as Important.

The “headlining” issue this month is Microsoft’s fix for the zero day XML Core Services vulnerability. I first warned you about this unpatched code-execution vulnerability last month. In short, if an attacker can entice you to a malicious web site, he could leverage this flaw to force malware on your computer. Microsoft released a “FixIt” workaround for this flaw, but today’s update is the real patch. At the very least, I recommend you download, test, and deploy this update as quickly as you can. Though I’d also recommend you grab all the other updates as well, especially the Critical ones.

New Java Exploit to Debut in BlackHole Exploit Kits

New Java Exploit to Debut in BlackHole Exploit Kits

Four Windows Bulletins Fix RDP, .NET Framework, and Kernel Flaws | WatchGuard Security Center

Exciting new stuff for this month's Patch Tuesday!

Quoted from http://watchguardsecuritycenter.com/2012/06/12/four-windows-bulletins-fix-rdp-net-framework-and-kernel-flaws/:

Four Windows Bulletins Fix RDP, .NET Framework, and Kernel Flaws

June 12, 2012 by Corey Nachreiner

Severity: High

Summary:

• These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component.
• How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets or enticing your users to web sites with malicious content
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing nine vulnerabilities affecting Windows and components that ship with it, including its optional .NET Framework component. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates -especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS12-036: RDP Remote Code Execution Vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from a serious security vulnerability having to do with how  it handles specially crafted sequences of packets (similar to a flaw described in March). By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer.

Luckily, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do enable RDP services. Windows’ Remote Assistance and Remote Web Workplace features also expose RDP. If you manage such any workstations of servers using RDP, we highly recommend you apply the RDP patch immediately.

Microsoft rating: Critical

• MS12-038: .NET Framework Remote Code Execution Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework component suffers from a code execution flaw, which has to do with how it handles specially crafted XAML Browser Applications (XBAP). If an attacker can entice a user who’s installed the .NET Framework to a web site containing malicious XBAP, she can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this flaw to gain full control of their computers. This flaw may also affect custom .NET Framework-based programs, which you might develop and run in-house.

Microsoft rating: Critical

• MS12-041 and MS12-042 : Kernel & Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level.

Microsoft released two bulletins today, describing seven local elevation of privilege flaws that affect either the kernel or the kernel-mode driver component. Though these seven flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage any of these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computer using valid credentials – even if only with “Guest” user access. The requirement for local access significantly lessens the severity of these flaws.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

• MS12-036
• MS12-038
• MS12-041
• MS12-042

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, our appliances mitigate the risk of the Windows RDP vulnerability by blocking external access to the RDP ports (TCP port 3389 and 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting the RDP vulnerability described above.

Furthermore, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can also help protect you. For instance, our GAV service will block much of the malware attackers try do deliver when exploiting these sorts of software vulnerabilities.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS12-036
• Microsoft Security Bulletin MS12-038
• Microsoft Security Bulletin MS12-041
• Microsoft Security Bulletin MS12-042

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Cumulative Patch Plugs 13 Internet Explorer Vulnerabilities | WatchGuard Security Center

Lots of exciting IE patches this month!

Quoted from http://watchguardsecuritycenter.com/2012/06/12/cumulative-patch-plugs-13-internet-explorer-vulnerabilities/:

Cumulative Patch Plugs 13 Internet Explorer Vulnerabilities | WatchGuard Security Center

Cumulative Patch Plugs 13 Internet ExplorerVulnerabilities

June 12, 2012 by Corey Nachreiner

Severity: High

Summary:

• This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows
• How an attacker exploits it:Typically, by enticing one of your users to visit a malicious web page
• Impact: Various, in the worst case an attacker can execute code on your user’s computer, gaining complete control of it
• What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes 13 new vulnerabilities in Internet Explorer (IE) 9.0 and earlier, running on all current versions of Windows. Microsoft rates the aggregate severity of these new flaws as Critical.

The 13 vulnerabilities differ technically, but many of them share the same general scope and impact. More than half the flaws are remote code execution vulnerabilities having to do with how IE handles various HTML objects, elements, and properties. If an attacker can lure one of your users to a web page containing malicious code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

The remaining issues include less severe cross-site scripting (XSS) flaws and information disclosure vulnerabilities.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’sbulletin. Technical differences aside, the remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Furthermore, attackers often hijack legitimate web sites and force them to serve this kind of malicious web code. So these types of flaws can affect you no matter what types of web sites you frequent on the Internet. If you use IE, you should download and install the cumulative update immediately.

Solution Path:

These updates fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.You can find links to the various IE updates inthe “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

• MS Security Bulletin MS12-037

This alert was researched and written by Corey Nachreiner, CISSP

LinkedIn Passwords Leaked; Change Your Password | WatchGuard Security Center

Something new and exciting happenning..... this amongst many other reasons is why we recommend passphrases instead of passwords.  It also illustrates the danger of using the same password for every site you have an account on.  Yes "there's an app for that" or program that will allow you to securely store all of those pesky passwords and account names you need for all of your sites.

If you need some ideas, give the office a buzz....724-387-1331

- Mike

Quoted from http://watchguardsecuritycenter.com/2012/06/06/linkedin-passwords-leaked-change-your-password/:

LinkedIn Passwords Leaked; Change YourPassword

June 6, 2012 by Corey Nachreiner

According to many reports, Russian attackers have somehow gotten their hands on 6.5 million hashed LinkedIn passwords. They have posted the hashed passwords to a Russian hacking web site, asking the hacking community to help them crack the hashes. With the increases in computing power and cracking technology, I suspect it’s only a matter of time until they have actual passwords. LinkedIn users; change your passwords immediately!

So far, no one knows exactly how these attackers were able to get their hands on LinkedIn’s password database, though LinkedIn reports they are investigating the incident. If I had to guess, I would place my bet on a SQL injection attack, as it’s a great vector for leeching this kind of data from the database backend behind a complex, insecurely coded web application.

Next, let’s talk about the state of the passwords. As I mention earlier, the stolen LinkedIn password are “hashed.” In computing and cryptography, hash functions are usually one-way crytographicalgorithms that map data sets (of any length) to a unique, fixed-length key. These one-way algorithms are designed so that the key should uniquely match one and only one data set, but also should not help you recreate the original data. Hashes only verify whether the data set you have is valid, it doesn’t encrypt the data.

The good news is that LinkedIn stored their customer’s passwords as hashes, which makes it harder for unauthorized users to figure out the clear text passwords. The bad news is LinkedIn used unsalted SHA-1 hashes. Without getting into all the technical details, a salt is essentially a little more random information you can mix with a one-way function to make it that much harder for certaincryptographicattacks (dictionary attacks)to succeed. At the risk of sounding like a cooking show host, LinkedIn should have salted their hashes.

Back to the state of LinkedIn’s passwords. The passwords posted on the Russian site are still hashed, so the bad guys don’t have your clear text password yet. However, between increased computing power, distributed computing, rainbow tables, and LinkedIn’s lack of salting, I expect motivated attackers will quickly crack many of these passwords any day. So don’t expect the hashes to protect you for long.

As I mentioned at the beginning of this post, if you have a LinkedIn account you should change your password immediately! Furthermore, if you use that password anywhere else (which you shouldn’t), you need to change your passwords on those accounts too. We’ve seen these sort of big password leaks before (Zappos), and will surely see them again. Security professionals have always realized the important of password security, but with so many businesses moving their assets to the cloud, password security has become paramount! So, I’ll leave you with a few “password best practice” tips I’ve dusted off from the last big password breach. If you didn’t follow this advice back then, I truly hope you consider doing so today.

• Change your password(s) after a security breach– If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately.
• Use strong passwords– I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences. WatchGuard’sBud Logs Invideo talks about these concepts in more detail (and is good for basic end users).
• Use different passphrases on different web sites– This is crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites, attackers could gain access to all those accounts. If you have been using the same password everywhere, you should change it to a different password on every site. That said, many people find this advice hard to implement in practice; which brings me to the next tip…
• Leverage password vault software– Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding passwordmanagementsoftware that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’sextremelyimportant to use secure password vaults, and protect them. That said, they offer the only practical solution to managing multiple passwords today. Thisarticlesuggests a few good ones to use (I have used 1password myself).

—Corey Nachreiner, CISSP(@SecAdept)

Microsoft Revokes Certificate Due to Flame Malware | WatchGuard Security Center

More news on Flame Malware

Quoted from http://watchguardsecuritycenter.com/2012/06/04/microsoft-revokes-certificate-due-to-flame-malware/:

Microsoft Revokes Certificate Due to FlameMalware

June 4, 2012 by Corey Nachreiner

Last week, I wrote about a sophisticated new piece of malware called Flame, which infected various organizations in the Middle East. At the time, Antivirus vendors had just begun dissecting this advanced new worm, and expected to unveil even more interesting details about it as time went on. It looks like they won’t disappoint.

Today, two interesting new details have surfaced about Flame. More importantly, onerequiresa Windows update.

First, late Sunday Microsoft released a blog post and Security Advisorywarning that the Flame worm leveraged a previous undiscovered flaw in an older Microsoft cryptographic algorithm. Microsoft’s Terminal Sever Licensing Service previously shipped with an algorithm that allowed you to create certificates and sign code as though it came from Microsoft themselves. Apparently, the Flame worm exploited this fact to sign its code with seemingly legitimate Microsoft certificates, which helps it spread on local networks.More specifically, Flame implements an interesting Man-in-the-Middle (MitM) attack, where it redirects local Windows Update requests through an infected machine. The infected machine then delivers infected “updates” to those new victims. Since the infected update is signed with a perfectly legitimate Microsoft certificate, the victim machine installs the booby-trapped update without any warnings.

Happily, Microsoft has released an updateand taken actions to ensure that bad guys can no longer leverage this flawed cryptographic algorithm to generate rogue certificates in the future. They also have revoked the trust associated with two intermediate CA certificates, which prevents your Windows computers from trusting Flame’s rogue certificates. If you are a Windows user, I recommend you download and install this update as soon as you can, or let Windows Automatic Update do it for you.

The second Flame update has to do with its actual age. In my initial post, I shared that Kaspersky suspected the Flame malware had been around since at least March 2010. New information suggests it’s even older. Over the last week, Kaspersky and OpenDNS have collaborated to furtheranalyseFlame, focusing on its command & control (C&C) domains. OpenDNS reportsthey found at least 85 C&C domains embedded into Flame. More interestingly, the first of these domains was registered as far back as March 2008. This suggests that the Flame attack started two years earlier than first suspected, and also demonstrates just how long advanced malware (or APTs) might hide on a network before being discovered.

This is probably the scariest aspect of these APT malware attacks — that malware can infect protected system and live on those networks for months, or even years, without being noticed. Security experts have long suggested this was possible, but some people have to see it to believe it. So what’s the take away? How about, “visibility is defense.”

As a security industry, we often focus a lot on prevention technologies; things that help keep your network from being breached in the first place. While prevention is very important, the truth is you’ll never block every attack. Even if you have the best network defense in the world, an unsuspecting user could accidentally walk malware through your back door. That’s why administrators also need to focus on visibility tools as part of their security policy. Malware detection, incident handling, and disaster recovery are just as important to security as preventative security controls. If you are not already using graphical network monitors to keep track of what’s happening on your network, start doing so immediately (some of WatchGuard’s real-time monitors can help).

That covers today’s Flame updates. However, I suspect researchers will continue to find interesting new aspects to this headline-grabbing malware for weeks and months to come. I’ll be sure to continue filling you in on the more relevant updates here. —Corey Nachreiner, CISSP(@SecAdept)

Another one bites the dust

Instagram competitor PicPlz to shut down in July http://news360.com/article/55616559

What is the “Flame” Worm and Should I Worry About It? | WatchGuard Security Center

Something we all should be paying attention to......

Quoted from http://watchguardsecuritycenter.com/2012/05/31/what-is-the-flame-worm-and-should-i-worry-about-it/:

What is the “Flame” Worm and Should I Worry About It? | WatchGuard Security Center

What is the “Flame” Worm and Should I Worry AboutIt?

May 31, 2012 by Corey Nachreiner

If you’ve followed security or technical news over the last few days, you’ve probably heard about the “Flame” worm. Thisinterestingnew piece of malware belongs to a class of attack called an Advanced Persistent Threat (APT), and it’s making headlines worldwide. As a result, many of you may be wondering whether or not this nasty sounding malware will affect your organization. My short answer is, “probably not,” but read on to learn more.

Let’s start with the basics. Kaspersky Labs — one of WatchGuard’s Antivirus (AV) partners — was one of thefirst to discoverand analyze the “Flame” worm (Worm.Win32.Flame). According to their analysis so far, Flame is one of the largest and most complex malware samples they have ever seen. As such, they haven’t finished their full investigation of this malware, but here’s a quick summary of what they know so far:

• Flame is primarily an information stealing toolkit and backdoor trojan, but it also has worm-like capabilities that allows it to spread over local networks and USB storage.
• Its information stealing capabilities include network sniffing, keystroke logging, screenshotsnapping,and even audio recording. It also can collect data about Bluetooth devices in the vicinity. It shares all this stolen data over an encrypted Command and Control (C&C) channel.
• It is one of the largest pieces of malware Kaspersky has seen, at around 20MB, and it contains over 20 different modules. Its author also created it using a scripting language (Lua) that malware writers don’t typically use.
• Rather than running as an executable file like typical malware, Flame loads itself as a number of malicious DLL files at boot.
• Kaspersky believes the author originally created the malware in 2010.
• Flame is targeted. Its infections seem limited to various organizations in Middle Eastern countries, with a primary focus on Iran. It also does not appear to have spread widely (under 400 known infections).

All that said, one thing we don’t know yet is how Flame initially infects its victim. Since this is a very targeted attack, I doubt Flame’s initial infection vector is automated in any way, nor launched on a massive scale. Rather, the attackers probably directly target specific organizations, and may even leverage different infection vectors for each target.If you add up all these facts, you can probably see why many experts consider Flame an APT attack similar to Stuxnet and Duqu. While none of the researchers analyzing this malware can prove it yet, most suspect that a nation-state actor created the Flame malware for cyber-espionage.

This brings us back to our original question, “Should I worry about the Flame malware?” Unless you’re an administrator of a state or education related industry in the Middle East, Flame will probably never directly affect you. So, no. I don’t think typical organizations have anything to worry about Flame. Furthermore, now that AV organizations have identified Flame, they have released signatures to detect and remove its known variants. If you use any of the top AV products, and keep those products up-to-date, you are protected from Flame infections. More specifically, if you’re a WatchGuard customer, our XCS and XTM appliances will protect you from the Flame worm. We partner with both Kaspersky and AVG to deliver Gateway Antivirus to these appliances, and both our partners have signatures to detect Flame.

From a security industry perspective, Flame is a very interesting malware sample. It leverages more advanced attack techniques than typical malware and likely comes from a nation-state attacker, which is why it has garnered so much media attention. However, Flame is probably not going to directly affect normalorganizations. If you’ve been worried about this headline-grabbing worm, you can probably stop. Even if this targeted attack started affecting organizations outside the Middle East, WatchGuard and Antivirus products have you covered. —Corey Nachreiner, CISSP(@SecAdept)