The Flame threat is essentially a virtual, digitized spy tool that does what a human spy would do: recording phone calls, snapping photos, and siphoning information. Oftentimes this traffic to the internet is initiated by the infected host and slides right past even next-generation firewalls. How can it be detected?
First, we should outline how this infection is spread.
“The emails are often tailored for specific victims and contain malicious attachments that are almost always “weaponized” .PDF files with known exploits that drop malware executables onto targeted systems. In addition, the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits—one in 2009 and another in 2011.” Trend Micro
Jimmy Ray Purser does a great job explaining PDF exploits in a YouTube video.
Once the threat is underway, most sophisticated malware employs stronger encryption, but the trade-off for the attacker is that its traffic can trigger a red flag at the network layer. Flame’s creators either used easily cracked encryption to camouflage the attack, or it could be a function of the size of the overall code…, says Lance James, Director of Intelligence at Vigilant.
“They didn’t want you to detect that they were hiding anything. They wanted to look like common data,”
It is starting to become clear that the question of “how to detect Flame” or similar malware, such as Advanced Persistent Threats, isn’t answered by a new firewall, antivirus or intrusion detection system (IDS). This is because this type of malware usually can’t be identified with digital signatures. In this case, one of the best detection methods is the use of IP host reputation systems together with NetFlow collection. Comparing the source and destination IP addresses in a flow against a host reputation database adds another layer of security that can help detect Flame and similar threats.
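The flow-to-reputation comparison described above, written out as an added example (this is not code from the original post or from any vendor product). It assumes flows have already been exported and parsed into (source, destination, port, protocol, bytes) tuples; the reputation feed, the internal address ranges and the sample flows are all constructed here using RFC 5737 documentation addresses, not real indicators.

```python
"""Match NetFlow-style records against an IP host reputation feed (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed reputation feed: network -> (category, confidence 0-100).
# Addresses come from the RFC 5737 documentation ranges; they are not real indicators.
REPUTATION_FEED: Dict[str, Tuple[str, int]] = {
    "203.0.113.0/24": ("malware-c2", 90),
    "198.51.100.77/32": ("exfil-drop", 95),
    "192.0.2.0/24": ("scanner", 40),
}

# Assumed internal address space for the monitored site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed NetFlow-style records: (src, dst, dst_port, protocol, bytes).
SAMPLE_FLOWS = [
    ("10.1.4.22", "203.0.113.15", 443, "tcp", 51200),        # outbound to listed C2 range
    ("10.1.4.22", "198.51.100.10", 443, "tcp", 8400),        # ordinary outbound, not listed
    ("10.1.9.7", "198.51.100.77", 80, "tcp", 2_300_000),     # large outbound to listed drop host
    ("192.0.2.200", "10.1.4.22", 22, "tcp", 120),            # inbound from a low-confidence scanner
]


def _compile(feed: Dict[str, Tuple[str, int]]):
    """Parse the feed once and order it for longest-prefix matching."""
    entries = [(ipaddress.ip_network(net), cat, conf) for net, (cat, conf) in feed.items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


COMPILED_FEED = _compile(REPUTATION_FEED)


def lookup(ip: str, feed=COMPILED_FEED) -> Optional[Tuple[str, int]]:
    """Return (category, confidence) for the most specific listing of ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cat, conf in feed:
        if addr in net:
            return cat, conf
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Alert:
    internal_host: str
    remote_host: str
    direction: str   # "outbound" (internal host initiated) or "inbound"
    category: str
    confidence: int
    bytes: int


def match_flows(flows, min_confidence: int = 50) -> List[Alert]:
    """Flag every flow whose external endpoint is listed at or above min_confidence.

    Both endpoints are checked so that an internal host talking *to* a listed
    address and a listed address talking *to* an internal host are both caught.
    """
    alerts: List[Alert] = []
    for src, dst, _port, _proto, nbytes in flows:
        for remote, local, direction in ((dst, src, "outbound"), (src, dst, "inbound")):
            if is_internal(local) and not is_internal(remote):
                hit = lookup(remote)
                if hit and hit[1] >= min_confidence:
                    alerts.append(Alert(local, remote, direction, hit[0], hit[1], nbytes))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Bytes each internal host exchanged with listed addresses (exfiltration volume view)."""
    totals: Dict[str, int] = {}
    for a in alerts:
        totals[a.internal_host] = totals.get(a.internal_host, 0) + a.bytes
    return totals


if __name__ == "__main__":
    hits = match_flows(SAMPLE_FLOWS)
    for a in hits:
        print(f"{a.direction:8} {a.internal_host} <-> {a.remote_host} "
              f"[{a.category}/{a.confidence}] {a.bytes} bytes")
    print("bytes per internal host:", summarize(hits))
```

The confidence threshold is the practical knob: the low-confidence scanner entry is dropped at the default of 50, which keeps noisy feeds from drowning the C2 and drop-host matches. Because this runs on flow records rather than payload, it works equally well when the malware's traffic is encrypted or deliberately shaped to look like ordinary HTTPS.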
Network monitoring solutions should include host reputation in their regular threat detection routines. Make sure you ask for it in your next threat detection solution.