
Radware ERT helps fight Flame at the Enterprise Level

June 8, 2012 — by Ziv Gadot

Security specialists describe the malware Flame, also known as Flamer, as the most advanced computer virus ever found and a new level of sophistication in cyber warfare. Flame is able to extract large volumes of information from its victim and send the information back to its operators. The information that Flamer extracts includes keystrokes, directory structure, files and documents, audio recordings activated on demand, scans for neighboring Bluetooth devices and much more.

The method used by Flame operators for initial infection of a victim computer is still unclear, and the assumptions of security specialists vary from network intrusion to physical infection of a computer through USB key. While security companies are still researching methods to block Flame’s initial infection, Radware ERT has generated a signature that blocks Flame spreading attempts within the victim’s organization. It was discovered that Flame is able to spread across a victim’s organization through a sophisticated ‘Man in the Middle attack’ on the Windows Update service. As soon as Flame tries to spread from one infected computer to another, Radware’s Attack Mitigation System identifies the spreading attempt and blocks it. In addition, an immediate alert is sent to the security operation center in the organization, so they become aware that Flame exists in their network.

Organizations deploying Radware’s Attack Mitigation System significantly reduce the risk of data extraction by Flame and are notified of its existence as soon as it tries to spread in the organization. In addition, there is evidence that Flame may also be using the Microsoft LNK exploit MS10-046. Radware signatures already protect against the network manifestation of this vulnerability.

ERT Recommendations

Install the latest signature file from Radware on the DefensePro devices to block Flame spreading attempts. In addition, customers are advised to use host-based protection such as AntiVirus to remove Flame from infected computers, and detect or prevent its host-based activities.

Radware’s customers are encouraged to contact our support team and to receive immediate assistance from our ERT team. Non-Radware customers can contact our ERT through a Radware representative.

Ziv Gadot

Ziv Gadot is Senior Security Researcher for Radware and manages Radware’s Security Operations Center (SOC), a unit performing analysis and research on DDoS related subjects, and the Emergency Response Team (ERT), a 24/7 service intended to assist organizations under DDoS attacks on a daily basis. Mr. Gadot joined Radware in 2003 and is actively involved in security research and service strategy.
