Protection against Flame/Skywiper malware

Technote (FAQ)


Question

How do you protect against Flame (also referred to as Flamer, sKyWIper, and Skywiper) malware?

Answer

There are no specific Flame signatures as this attack can use different penetrative methods. In order to provide the best chance of detection against it, IBM Security Systems recommend the following best practices:

  1. Ensure your IBM Intrusion Detection/Prevention Systems are running the latest available XPU version. You can determine the latest content update version via the following URL: http://xforce.iss.net/XPressUpdates.do
  2. Ensure that the X-Force recommended blocks are enabled. This can be confirmed in the X-Force Virtual Patch Policy for the Proventia G/GX and within the Intrusion Prevention policy under the Protection Settings tab on the Proventia M/MX. For IBM Security Host Protection, this is enabled by default.
  3. Ensure your systems are up-to-date with the latest security patches and antivirus signatures.
  4. Activate the MSRPC_Spoolss_GetDocPrinter_Exec signature which detects intrusion as described in the MS10-061 expoit. This is one possible method of exploit used by Flame.
  5. Physical controls will help against USB autorun attacks. Normal system authentication controls and restrictions will prevent a user with administrative privileges executing the malware.

More information about Flame can be found using the links in the Related information section below.



If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.

Related information

sKyWIper or Flame (External link)
Q&A (External link)


Cross reference information
Segment Product Component Platform Version Edition
Security IBM Security Host Protection Not Applicable AIX, HP-UX, Linux, Windows 2.2.2, 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4, 1.0.0, 1.5.0 All Editions
Security Proventia Network Multi-Function Security Not Applicable Firmware 3.14, 3.15, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6 All Editions

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

1.7, 1.8, 2.3, 2.4, 2.5, 3.1, 3.2, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6

Operating system(s):

Platform Independent

Software edition:

Edition Independent

Reference #:

1621360

Modified date:

2013-01-07

Translate my page

Machine Translation

Content navigation