IBM Support

Protection against Flame/Skywiper malware

Technote (FAQ)


How do you protect against Flame (also referred to as Flamer, sKyWIper, and Skywiper) malware?


There are no Flame-specific signatures, because this attack can use several different penetration methods. To give the best chance of detecting it, IBM Security Systems recommends the following best practices:

  1. Ensure your IBM Intrusion Detection/Prevention Systems are running the latest available XPU version.
  2. Ensure that the X-Force recommended blocks are enabled. This can be confirmed in the X-Force Virtual Patch Policy for the Network IPS.
  3. Ensure that your systems are up to date with the latest security patches and antivirus signatures.
  4. Activate the MSRPC_Spoolss_GetDocPrinter_Exec signature, which detects the intrusion described in the MSRPC_Spoolss_GetDocPrinter_Exec signature information. This is one possible exploitation method used by Flame.
  5. Physical controls help against USB autorun attacks. Normal system authentication controls and restrictions prevent a user with administrative privileges from executing the malware.

More information about Flame can be found by using the links in the Related information section below.

Related information

sKyWIper or Flame (External link)
Q&A (External link)

Document information

More support for: IBM Security Network Intrusion Prevention System
Protocol Analysis Module (PAM)

Software version: Version Independent

Operating system(s): Firmware

Reference #: 1621360

Modified date: 07 January 2013
