Does CIS detect the newly discovered Flame virus?

The Flame virus, like its predecessor Stuxnet, uses a fake Microsoft certificate to fool Windows Update into installing it on a PC. Since CIS thinks the certificate is a genuine Microsoft certificate, CIS allows the installation to take place. So the big questions for you guys at COMODO are:

  1. have you worked out how to identify if a Windows system has become infected?
  2. how to remove it?

I hope only some of the devs or someone with a sample can tell this…

The AV detects all of the files; the ones not code-signed are sandboxed if not detected by the AV (though I don’t know if it can hold them), and the TVL list turn-off is going to make a comeback for future threats that are signed.

Hold on. I installed some update from Windows Update. It looked like a fixed patch or certificate. Do you want to say that I installed flame?

These are very good Qs. Comodo staff, we need your answers.

The Microsoft update from a few days ago was actually pushed out to fix the problem that allowed Flame to infect computers the way it did.

Whew! That’s what I was thinking; it revoked a few certificates and it was about 91-93 KB, while the Flame virus I hear is 20 MB! Still, with all this Windows update to update and from update I was very ???

Thank you

Last night I did some research; all major AVs like Norton, ESET and others already have a sig for this. Comodo has a sig as well from what I hear now. Bitdefender has a removal tool for this virus for both 32- and 64-bit versions. What scares most of the AV corporations is not this, as it’s targeting specific organisations and people. It’s what other hackers can use now as a blueprint to create new viruses. The cyber war is coming…

There are reports that this file has been in the “file database” of some antivirus companies for up to ~two years (auto submission).
The mechanism failed to see its malicious nature.

You should not be too happy if a “burned” file finds itself put on the detection list. That only prevents the “later use of an old sample”.
In fact, you should actually worry NOT less.

Antivirus often demands that victims exist prior to protection.
You can only hope it will be someone else.
And that hope is giving bad karma.

Yes, they failed to see this was a bad file. But the chances of getting infected with Flame are like being struck by lightning. The virus is not even online yet. It is only affecting the Iranian government and other linked organisations. How many more such things are out there still waiting to get detected?

I do agree with you that Flame appears to be a targeted cyber-espionage tool and that the chance of the typical home and small business user being infected is remote. However, the worrying thing is that it has exposed a serious loophole in the validation procedures for obtaining and trusting digital certificates. CIS is built on the foundation of white-listed trusted vendors and their trusted digital certificates.

Clearly, the perpetrators of Flame were able to counterfeit a Microsoft certificate. They were also able to redirect users’ Windows updates to a fake Microsoft site from which the unsuspecting user downloaded the virus in a fake Windows update.

It’s true that Microsoft has closed, or will very shortly close, the loophole that allowed Flame to spread. However, the issues raised are far more wide-reaching. Unless the whole process for the issue of certificates can truly be made watertight, the risk is that criminals may exploit this loophole and its derivatives in producing cyber-crime viruses.

Sadly, that statement only holds true if people install the patch that MS released. If they don’t install the patch, then the CRL is unchanged and the system is still vulnerable.

Ewen :slight_smile:
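The two points above (CIS and Windows trusting whatever chains to a Microsoft certificate, and a system staying vulnerable until the patch updates its revocation data) can be checked on a given machine. The following PowerShell is an added example, not Comodo’s or Microsoft’s code: it verifies a signed file’s certificate chain with revocation checking forced for every certificate, and then checks whether any certificate in that chain sits in the local Untrusted Certificates (Disallowed) store, which is where Microsoft’s patch put the certificates Flame abused. The path to the Windows Update client binary is an assumption.

```powershell
# Added example (not Comodo's or Microsoft's code): does this file's signer still
# chain to a trusted root with revocation enforced, and is any certificate in the
# chain explicitly distrusted on this machine?
function Test-SignerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Trusted = $false; Problems = @('file is not signed') }
    }

    $problems = @()
    if ($sig.Status -ne 'Valid') { $problems += "signature status: $($sig.Status)" }

    # Rebuild the chain ourselves so revocation is checked for every certificate,
    # not just the leaf, and an unreachable CRL/OCSP source is reported rather than ignored.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($sig.SignerCertificate)
    foreach ($s in $chain.ChainStatus) {
        $problems += "chain: $($s.Status) - $($s.StatusInformation.Trim())"
    }

    # Untrusted Certificates store: anything listed here is distrusted regardless of CRLs.
    $disallowed = @(Get-ChildItem Cert:\LocalMachine\Disallowed | Select-Object -ExpandProperty Thumbprint)
    foreach ($el in $chain.ChainElements) {
        if ($disallowed -contains $el.Certificate.Thumbprint) {
            $problems += "explicitly distrusted: $($el.Certificate.Subject)"
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Signed   = $true
        Signer   = $sig.SignerCertificate.Subject
        Trusted  = ($built -and $sig.Status -eq 'Valid' -and $problems.Count -eq 0)
        Problems = $problems
    }
}

# Example run against the Windows Update client binary (path is an assumption; adjust as needed).
Test-SignerTrust -Path "$env:SystemRoot\System32\wuauclt.exe" | Format-List
```

A machine that has not applied the patch will report the same chain as trusted with an empty Disallowed match, which is exactly the state the post above warns about.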

To be honest, I knew about this weakness in Comodo, Microsoft and others from day one. White-listed trusted vendors can get hacked into, hackers can use their name and certificates, or the company itself might become untrusted because of some people who work for them. I saw this coming. The Q is how to adapt now? Use more authentication? What?

But because Flame was created by a government, let’s hope it stays that way and normal criminal hackers struggle to match this complex programming.

As I referenced in this post (msg604981#msg604981), Microsoft is taking the problem seriously and is taking steps to solve it at the Windows Update level.

Microsoft also said that it will roll out some hardening changes to its Windows Update infrastructure to prevent the kind of man-in-the-middle attack that Flame used. "Our hardening introduces two defense-in-depth changes. First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way," the company said.

But of course, the Flame “developers” may use the update process of widely spread software like Adobe, Java, …

True. I was thinking to myself, whenever I updated my Windows system, what if you could inject something into Windows Update and cause a mass infection. I was right.

■■■■! Something out of a James Bond movie :o

Flame malware makers send ‘suicide’ code. The creators of the Flame malware have sent a “suicide” command that removes it from some infected computers.

I made a wish, which can be found here, in which I propose a process which I believe could counteract these sorts of problems quite well with very little loss in usability.

Please let me know what you think.