'Skywiper' Keeps Cyber Arms Race Alive

Q: Where do the names come from?

A: The names come from filenames found in the malware's source code. "FLAME" appears to be the name of a module that spreads the bug along internal networks, and Moscow-based Kaspersky Lab decided to call the entire package "Flame" because of that. Similarly, the Iranian government cybersecurity bureau MAHER decided to call it "Flamer." CrySyS, a cybersecurity research lab at Budapest University of Technology and Economics in Hungary, calls the entire package "sKyWIper" after "~KWI," a filename the malware uses to store temporary files.

Q: Is Flame/Skywiper a virus?

A: Technically, no. Unlike viruses, Flame/Skywiper doesn't infect already existing files. Its method of infection isn't completely known yet, but it appears so far to be a worm in that it can spread independently using internal networks and USB drives. Overall, though, Flame/Skywiper is a malware toolkit — a package of several different kinds of malware that combine to overwhelm the defenses of as many targets as possible.

Q: What sort of computers does Flame/Skywiper infect?

A: It infects machines running Windows XP, Windows Vista and Windows 7.

Q: Is there any chance that my computer could be infected?

A: It's not likely, unless you're a government official or weapons researcher in the Middle East.

Q: Is this really the biggest computer malware ever?

A: If you're counting in terms of file size, yes. Depending on the configuration, Flame/Skywiper can reach 20 megabytes in size, which is enormous for a piece of malware. Most pieces of malware take up less than one megabyte. For example, Stuxnet, which sabotaged an Iranian nuclear facility in 2010, was pretty complex, yet came in at about half a megabyte.

Q: Most news reports say a Russian security firm found Flame/Skywiper first.

A: That's not entirely true. Three different research teams found Flame/Skywiper independently.
Kaspersky, the Russian firm in question, had been analyzing "Flame" for several weeks at the behest of the United Nations' International Telecommunication Union. The ITU wanted to know more about a malware attack in March and April at Iran's government oil ministry that deleted information from several computers.

CrySyS had been conducting its own analysis into "Skywiper" on behalf of "several parties" who "want to remain anonymous."

MAHER, the Iranian government agency, had also been conducting an investigation into what it called "Flamer," and was the first to publish its results in a blog posting early on Monday (May 28). The MAHER posting forced Kaspersky and CrySyS to quickly put their own findings online later that day. Kaspersky posted a long Q&A about the malware, and CrySyS posted a very detailed 64-page technical report.

Q: When did Flame/Skywiper first appear?

A: The bug's age is not clearly known, but the March/April malware attack at the Iranian oil ministry seems to be the first indication that something was up.

Q: Is Flame/Skywiper spreading rapidly?

A: No. It's spreading very slowly. Only a few hundred computers, mostly in the Middle East, are known to have been infected. Flame/Skywiper seems to avoid the Internet and prefers to spread along an organization's internal network. It hops from one internal network to another by catching rides on USB flash drives. (Stuxnet also used USB drives to spread.)

That's really a very small malware infection, indicating that Flame/Skywiper is highly targeted and that most people will never have to worry about it.

Q: Which countries are affected?

A: Iran has been the most affected, with nearly 200 machines infected, according to Kaspersky's figures, which also show about 100 machines are infected in Israel and the Palestinian territories, with lesser numbers in Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
CrySyS has also found evidence of infections in the United Arab Emirates and in unnamed European countries, as well as its own home country of Hungary.

Q: How long has Flame/Skywiper been around?

A: At least two years, according to Kaspersky, and possibly as many as eight years, according to CrySyS. Both teams analyzed archives of malware reports to reach those conclusions. Flame/Skywiper's creators also placed fake dates inside the software, which make it seem like some components date back to the early '90s.

Q: What does Flame/Skywiper do to an infected computer?

A: Heck, you could ask "What DOESN'T it do?" It's one of the most comprehensive spyware programs ever found.

Flame/Skywiper buries itself deep in the Windows operating system, makes sure it runs upon computer startup, tailors itself to hide from specific brands of anti-virus software, turns on the computer's built-in microphone to record audio conversations, logs keyboard typing, changes the Bluetooth configuration to spy upon nearby cellphones, tablets and laptops, takes screenshots, monitors wired and wireless network activity and sends whatever information it's gathered off to command-and-control servers in a dozen different countries.

Q: Does Flame/Skywiper have a "kill switch" or expiration date?

A: It doesn't seem to, but once its controllers have decided that a Flame/Skywiper installation on a specific target machine has served its purpose, they can remotely activate a "SUICIDE" command (that's really what it's called in the code) that deletes all the Flame/Skywiper files from the machine.

Since many of those files use names identical or very similar to authentic Windows system files, it's possible that the spontaneous deletion of information on Iranian oil ministry computers was a result of the "SUICIDE" command being activated.

Q: Who would want to create Flame/Skywiper?
A: Flame/Skywiper was almost certainly created by a national government with the resources to devote months, if not years, of expert programming and millions of dollars in expenses to create extremely sophisticated, multipurpose spyware. (Cybercriminals don't have that much money or time.)

In the Middle East, which Flame/Skywiper clearly targets, the only countries with such capabilities are Iran and Israel.

Q: Doesn't the United States have the capability to have developed Flame/Skywiper?

A: Yes, and so do Russia, China, Canada, Brazil, Germany, Britain, France and maybe even North Korea. But Flame/Skywiper doesn't target those countries' areas of interest.

For example, if Flame/Skywiper were a Chinese creation, you'd expect it to snoop on computers in Taiwan, Japan, India and the West. If it were American, it would be in many other areas of the world besides the Middle East.

Q: The Flame/Skywiper source code seems to use English-language filenames.

A: It does, and it even references American pop culture. One file is named "BEETLEJUICE." That could mean the coders were American — or it could mean that they've watched a lot of American TV shows and movies.

Q: Were the Stuxnet creators behind Flame/Skywiper?

A: We don't know. The two packages don't share much code, at least not in the way the Duqu Trojan shared a lot of code with Stuxnet. But Flame/Skywiper and Stuxnet share an otherwise unmatched degree of sophistication and complexity, and both target Iran, leading most analysts to presume that Flame/Skywiper may have been created in parallel to Stuxnet.

Q: Does this mean we're on the brink of cyberwar?

A: No. There's a big difference between espionage and outright warfare. No one's been killed by Flame/Skywiper, at least not that we're aware of.

Q: Can I protect myself against Flame/Skywiper?

A: Yes.
The good news is that most of the major anti-virus software vendors, including Norton Symantec, McAfee, Bitdefender, TrendMicro, Sophos and Avast, have already updated their malware definitions to protect against Flame/Skywiper. Bitdefender has also issued a Flame/Skywiper removal tool in case you think you're already infected.

This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.