Detecting Flame exploit

Not applicable

Detecting Flame exploit

It looks like the Snort folks have a signature for Flame, does PAN?  If not, when is it coming?  The CTOs will be asking if we are safe...

http://vrt-blog.snort.org/2012/05/flame-malware-targeted-attacks-and-you.html

L4 Transporter

Re: Detecting Flame exploit

My answer to that question is currently - "Unless we have offices in the Middle East I'm unaware of, are politically active in Middle Eastern politics, or could otherwise be the target for 3 letter acronym Western intelligence agencies, I do not believe Flame is a present threat - unless/until the code is re-worked by cyber-criminals and deployed for other means"...!

Not applicable

Re: Detecting Flame exploit

You prefer to wait until a threat is imminent before protecting yourself?  That seems less than prudent.

L6 Presenter

Re: Detecting Flame exploit

Isn't that much more fun? Like using Microsoft products in your network - every day is a surprise when it comes to security ;-)

I agree with the thread starter - since Snort has announced a bunch of IPS rules (which I assume also means that their commercial Sourcefire IPS can already detect this), hopefully PA could do the same...

I tried Threat Vault to search for both Flame and Skywiper but got no hits; hopefully someone from PA could inform the community what's going on (like which DB update and date will have IPS rules to detect this)?

And don't say "contact your SE" ffs =)

L6 Presenter

Re: Detecting Flame exploit

Hi... We will have an AV update for the Flame exploits later today.  Thanks.

Not applicable

Re: Detecting Flame exploit

Thanks for this, especially since we now have a variant, Shamoon.

Is AV now also updated for Shamoon?

L6 Presenter

Re: Detecting Flame exploit

I can't find anything right now about Shamoon in https://threatvault.paloaltonetworks.com/ searching for vuln, spyware and virus (don't forget to change that dropdown to the right).

However, there are plenty of Flame variants when searching for "flame" in the virus container, along with two generic signatures in spyware. Perhaps Shamoon is already covered by one of the Flame variants?

The tricky part of all these names is that the AV community tends to create its own name for each virus, which means something that Kaspersky has named could be the very same thing under a different name when looking in Symantec's DBs, and so on.
