Flame or sKyWIper has multiple associated threats that have been discussed as a part of the initial diagnostic and informatory research however on one hand it is important to do a threat analysis and understand the impact that this malware can actually have, it is also important to complete the discussion by researching the solution and the methods that can be used in order to check this type of attack (sKyWIper Analysis Team, 2012). The solution that we will identify will be in two phases, as a part of the initial discussion the symptoms and prevention will be discussed which will be followed by a discussion on whether it can be completely quarantined (Kelly, 2012).
It is important to understand that this malware only infects PCs that are running Win XP, Windows Vista and Windows 7 unlike other virus or malware infections, Flame requires knowledge of the code of infection as its mechanism is stealthier (Kelly, 2012). The primary issue with this type of attack that determination of the presence of code is not possible through conventional methods which are used on corresponding system processes like (win logon, services, and explorer) (sKyWIper Analysis Team, 2012).
Mentioned below are the four most well identified Flame threats and we will proceed with the discussions related to their identification and prevention.
Identification and Prevention
All the above mentioned worms use multiple actions in order to perform the malicious payload which is process, where information within the infected system is systematically collected. Worm:Win32/Flame!cfg targets screen shots of the infected system (microsoft.com, 2012). Worm:Win32/Flame.gen!A performs various actions to gather the collected information together, Worm:Win32/Flame.gen!B is a part that initiates the connection with the remote host where the information is to be sent and Worm:Win32/Flame.gen!C ultimately steals the information from the infected computer (microsoft.com, 2012).
The above mentioned information is arranged as a part of the overall attack and therefore the files that get infected in the process are
Once the attack completes the process, the below mentioned files are created within the system which can be identified as they become a part of the the system directory. The main component of the malware, mssecmgr.ocx (detected as Worm:Win32/Flame.gen!A), is a DLL which conforms to the requirements and therefore since it is an identified component now the prevention steps can be defined as follows (microsoft.com, 2012).
A firewall must be enabled on the computer are all windows updates should be applied as they download the definitions for these new threats that get identified. User privileges must be minimum, so that if installed by mistake Flame attack may not be able to gain all the available access on the system (microsoft.com, 2012). Unknown files should not be downloaded and file transfers must not be accepted. The links to website which take a user to unknown zone should be avoided unless it refers to a previously viewed page or a trusted partner. It is always beneficial to have a combination of windows update along with an anti-virus that automatically updates its definitions in order to ensure that the latest threats can be identified and blocked before the actual intended actions start (microsoft.com, 2012).
Removing a ‘Flame’: Quarantine Action
Although, once installed it may not be able to easily detect or know that any such event has taken place, through conventional methods however the diagnosis process may include a manual trace activity which requires mapping of certain memory regions which are suspiciously rated with READ, WRITE and EXECUTE protection flag, the only way by which it can be grasped is via the Virtual Address Descriptor (VAD) kernel data structure(sKyWIper Analysis Team, 2012). Once the infection takes place, it is expected that there is a virtual dynamic allocation of the memory regions using VirtualAllocEx() or WriteProcessMemory(). The reason behind these memory changes is that they have the type of Vad Short. The code which operates as a part of this attack uses a combination of RWE flags and type VadS and this is helpful in the identification of the code injection that takes place. This method of identification and removal of code is known as volatility (microsoft.com, 2012).
In another method using the knowledge of the above file system the actual presence of the worm can be traced after which it becomes easier to target the infection system and to find out wince when the worm has been operating. It may not be possible to identify the possible damage however the infected system can be formatted in order to remove all the files that corrupt the system (Kelly, 2012).
Flame is not a recent threat, however its identification has taken a very long time and even as of now, the research continues to explore its impact and methods of removal. The best possible way to fight this is to keep system and anti-virus updated with latest worms and virus definitions so that the threat can be effectively handled as per the latest available quarantine techniques.
Kelly, S. (June 7, 2012). Decoding the ‘Flame’ Virus. CNN. Accessed 24 July, 2012 from
sKyWIper Analysis Team. (May 31, 2012). A Complex Malware for Targeted Attacks.
Laboratory of Cryptography and System Security (CRYSyS Lab). Budapest University of
Technology and Economics Department of Telecommunications. Accessed 25 July 2012
Microsoft.com. (2012, June 05). Worm:Win32/Flame. Retrieved August 15, 2012, from microsoft.com: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fFlame.gen%21C