Flame virus sensationalism

The virus, named Flame or Skywiper, has been in the headlines this week, for good and for bad. Flame came to light when the U.N. International Telecommunications Union (which oversees cyberactivities for the body) received reports of unusual activity. A Russian security firm first identified it, noting that the virus has apparently existed in these networks for several years undetected. See the UN issues Flame warning to member nations as Iran confirms attack article.

Flame is the third major cyber weapon uncovered, following the discovery of the Stuxnet virus in 2010, which attacked Iran’s nuclear program, and its data-stealing cousin Duqu. It seems that Flame is more of a cyberespionage operation than an actual attack weapon.
The Iran targeted by ‘Flame’ espionage virus article reports that Iranian computer networks have been targeted by a cyber espionage virus many times more complicated than any malicious software seen before, security experts have said.

The Flame: world’s most complex computer virus exposed article boasts that the world’s most complex computer virus, possessing a range of espionage capabilities, including the ability to secretly record conversations, has been exposed. Middle Eastern states were targeted and Iran ordered an emergency review of official computer installations. It is the third cyber attack weapon targeting systems in the Middle East to be exposed in recent years.

The Meet ‘Flame’, The Massive Spy Malware Infiltrating Iranian Computers article reports that a massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years. The Flame Virus is Most Complex Threat Ever Discovered article says that the primary purpose of Flame appears to be cyber espionage, stealing information from infected machines. That information is then sent to a network of command-and-control servers located in many different parts of the world.

I think the worst sensationalistic headline is this Fox News headline: Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game. The article says that the most sophisticated and powerful cyberweapon uncovered to date was written in the LUA computer language, cyber security experts tell Fox News — the same one used to make the incredibly popular Angry Birds game. LUA is favored by game programmers because it’s easy to use and easy to embed. It is used in many other applications as well, from embedded systems to the Wireshark network analyzer. The fact that both Flame and Angry Birds happen to use the same programming language for some parts is a pretty weak link between them, and it is quite sensational to tie the two together in a headline!

Flame is described as enormously powerful and large, containing some 250,000 lines of code. Cyber experts tell Fox News that once in a computer network, Flame is powerful enough to initiate webcams, microphones, and Bluetooth connections in order to extract contact lists, record conversations and more.


The news was full of security-related comments spreading FUD on the topic (which serves as marketing for companies selling security solutions):

“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about,” Roel Schouwenberg, a Kaspersky security senior researcher, said.

Kaspersky added: “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

“The important thing about Flame is that it represents what else might be out there… the threats that are still unknown.”

After some research it seems that Flame is less impressive: the ‘Super-powerful’ Flame worm actually boring BLOATWARE article says that, according to initial analysis, Flame may be big in size but it’s nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code.

Flame/Skywiper is a 20MB file which infects Microsoft Windows computers. It has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more. CrySyS Lab said the technical evidence for a link between Flame/Skywiper and Stuxnet or Duqu was inconclusive, however. While they share many common components, the newly discovered virus bears little resemblance; for instance Flame/Skywiper does not spread itself automatically but only when its hidden controllers allow it. Flame is not a worm. Its architecture includes wormable functionality, but those functions are disabled by default. So Flame isn’t spreading like a worm, and therefore you won’t be infected unless you’ve been specifically targeted.

Software size is far less important than how many systems it has infected and what damage it causes. Game changer? Maybe not. Flame is a precise attack toolkit rather than a general-purpose cyber-weapon. Flame is bloated and overhyped, according to rival security vendors.

Flame is big. It’s complex (just as lots of legitimate software is complex). But it’s not advanced crimeware. Flame is instead a “limited edition” spy tool with a limited scope that was used very carefully. Clearly there was advanced planning involved, but that doesn’t necessarily make it what we would call advanced technology. The application was built for information gathering. And not just data from the computer, but also conversations and chats, contacts — intelligence.


There has been some speculation about who might be behind Flame. Vitaly Kamluk, Kaspersky’s chief malware expert, told the BBC that more than 600 specific targets were hit, ranging from individuals and businesses to academic institutions and government systems. He also said: “The geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it”.

The Flame-bait Questions post from F-Secure says that Flame isn’t designed for profit. It is too big and “complex” to have been designed by “hackers”. So that leaves us with a nation state. Nation states spy. It shouldn’t be surprising to anybody that they use digital espionage tools these days. It’s evident that significant resources went into crafting Flame. Given that, we think a better question is what defense contractor developed Flame. The way in which Flame is structured suggests to us that it was written by a contractor — an organization that is being paid.

The Fox News article claims that it was likely built by the same nation-state responsible for the Stuxnet virus that targeted Iran’s nuclear power plant. One of the leading candidates is Israel, because Flame has been found in Saudi Arabia, the Palestinian territories, Syria, Iran and Hungary. Fox News also claims that Israeli Vice Premier Moshe Ya’alon on Tuesday hinted to a local radio station that his country was indeed responsible for it.

It is hard to say what the truth is.

For a final thought, look at the F-Secure Flame-bait Questions article, which gives good guidance on how worried you should be: Am I protected from Flame? That’s the wrong question. Am I at risk from Flame? Are you a systems administrator for a Middle Eastern government? No? Then no… you aren’t at risk. And Flame is now a known quantity. You don’t need to worry about it. Flame has been extinguished.

31 Comments

  2. Tomi Engdahl says:

    Microsoft douses “Flame”
    Redmond smothers fake certificates fingering it as the spark
    http://www.theregister.co.uk/2012/06/04/microsoft_douses_flame/

    Redmond’s chief concern, according to Mike Reavey, a Senior Director of the Microsoft Trustworthy Computing effort, is that Flame pretends it’s a legitimate piece of Redmond-written code. Reavey uses this blog post to describe how Flame pulls that off.

    The company also feels the unsigned certificates could be used to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks” on all versions of Windows.

    There’s also a new security advisory, lucky number 2718704, that starves Flame of oxygen before it can seriously singe your Windows setup. In what may well be the non-surprise of the year, Redmond suggests you apply the patch ASAP, lest you go up in smoke.

  3. Tomi Engdahl says:

    Expert Issues a Cyberwar Warning
    http://www.nytimes.com/2012/06/04/technology/cyberweapon-warning-from-kaspersky-a-computer-security-expert.html?_r=1&pagewanted=all

    When Eugene Kaspersky, the founder of Europe’s largest antivirus company, discovered the Flame virus that is afflicting computers in Iran and the Middle East, he recognized it as a technologically sophisticated virus that only a government could create.

    He also recognized that the virus, which he compares to the Stuxnet virus built by programmers employed by the United States and Israel, adds weight to his warnings of the grave dangers posed by governments that manufacture and release viruses on the Internet.

    “Cyberweapons are the most dangerous innovation of this century,”

    Computer security companies have for years used their discovery of a new virus or worm to call attention to themselves and win more business from companies seeking computer protection. Mr. Kaspersky, a Russian computer security expert, and his company, Kaspersky Lab, are no different in that regard.

    Kaspersky commands 8 percent of the world’s software security market for businesses, with revenue reaching $612 million last year.

    Kaspersky Lab, he said, felt justified exposing the Flame virus because the company was working under the auspices of a United Nations agency.

    Some computer security firms say Mr. Kaspersky’s researchers have hyped Flame. It is too early, his critics say, to call the virus a “cyberweapon” and to suggest it was sponsored by a state.

    Mr. Sullivan, from F-Secure, said: “It’s interesting and complex, but not sleek and stealthy. It could be the work of a military contractor — Northrop Grumman, Lockheed Martin, Raytheon and other contractors are developing programs like these for different intelligence services. To call it a cyberweapon says more about Kaspersky’s cold war mentality than anything else. It has to be taken with a grain of salt.”

    Cracking Flame, Mr. Kaspersky said, might hurt his business in one regard. “For the next five years, we can forget about government contracts in the United States.”

    The wide disclosure of the details of the Flame virus by Kaspersky Lab also seems intended to promote the Russian call for a ban on cyberweapons.

    “There is no broad international support for a cyberweapon ban,”

  4. Tomi Engdahl says:

    Antivirus Firms Out of Their League With Stuxnet, Flame
    http://it.slashdot.org/story/12/06/04/0316208/antivirus-firms-out-of-their-league-with-stuxnet-flame

    “Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. ‘What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.’”

    In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware.

    “Flame was a failure for the antivirus industry.”

  5. Tomi Engdahl says:

    Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
    By Mikko Hypponen
    http://www.wired.com/threatlevel/2012/06/internet-security-fail/

    When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.

    “What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.”

    It wasn’t the first time this has happened, either. Stuxnet went undetected for more than a year after it was unleashed in the wild, and was only discovered after an antivirus firm in Belarus was called in to look at machines in Iran that were having problems.

    A related malware called DuQu also went undetected by antivirus firms for over a year.

    Stuxnet, Duqu and Flame are not normal, everyday malware, of course. All three of them were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered. The fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications.

    In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware.

    Someone might argue that it’s good we failed to find these pieces of code.

    We want to detect malware, regardless of its source or purpose.

    Yet we failed to do that with Stuxnet and DuQu and Flame. This makes our customers nervous.

    The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected.

    This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we haven’t detected yet. Put simply, attacks like these work.

  6. Tomi Engdahl says:

    comment from http://it.slashdot.org/story/12/06/04/0316208/antivirus-firms-out-of-their-league-with-stuxnet-flame

    … write their warez. And they were easily disassembled, and recognized for the evil they were.

    Then they started using custom packers and obfuscaters, making them as hard to reverse engineer as Skype.

    But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have…

    So, now they went back to using generic tools and libraries. Full circle!

  7. Tomi Engdahl says:

    Microsoft Certificate Was Used to Sign “Flame” Malware
    http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware

    Microsoft: Techniques Used By Flame Could Be Used By Less Sophisticated Attackers to Launch Widespread Attacks

    On Sunday, Microsoft reached out to customers and notified the public that it had discovered unauthorized digital certificates that “chain up” to a Microsoft sub-certification authority issued under the Microsoft Root Authority.

    Interestingly, there is a direct connection between this discovery and the recently discovered “Flame” malware (also known as Flamer and sKyWIper). While many have said the enterprise threat posed by “Flame” is minimal, Microsoft is now warning that some of the techniques used by components of Flame could be leveraged by less sophisticated attackers to conduct more widespread attacks, namely in malware using unauthorized certificates in order to appear to be legitimate software coming from Microsoft.

    “We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,

    “This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise,” Ness explained. “Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.”

    Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed.

    The update revokes three intermediate certificate authorities, pushing the following certificates into the “Untrusted Certificates Store”

  9. Tomi Engdahl says:

    Microsoft Update and The Nightmare Scenario
    http://www.f-secure.com/weblog/archives/00002377.html

    About 900 million Windows computers get their updates from Microsoft Update. In addition to the DNS root servers, this update system has always been considered one of the weak points of the net. Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it.

    Turns out, it looks like this has now been done. And not by just any malware, but by Flame.

    The full mechanism isn’t yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.

    This file is signed by Microsoft with a certificate that is chained up to Microsoft root.

    Except it isn’t signed really by Microsoft.

    Microsoft has announced an urgent security fix to revoke three certificates used in the attack.

    The fix is available via — you guessed it — Microsoft Update.

  10. Tomi Engdahl says:

    Flame Hijacks Microsoft Update to Spread Malware Disguised As Legit Code
    http://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/

    It’s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users.

    And that’s exactly what turns out to have occurred with the recent Flame cyberespionage tool that has been infecting machines primarily in the Middle East and is believed to have been crafted by a nation-state.

    According to Microsoft, which has been analyzing Flame, along with numerous antivirus researchers since it was publicly exposed last Monday, researchers there discovered that a component of Flame was designed to spread from one infected computer to other machines on the same network using a rogue certificate obtained via such a man-in-the-middle attack. When uninfected computers update themselves, Flame intercepts the request to Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate.

    “We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center Senior Director Mike Reavey wrote in a blog post published Sunday.

    Microsoft has provided information to explain how the flaw occurred in its system.

    Reavey notes that since Flame is a highly targeted piece of malware that is believed to have infected fewer than 1,000 machines, the immediate risk from Flame is not great. But other attackers could have been exploiting the vulnerability as well. And the fact that this vulnerability existed in the first place is what has security experts all aflame. Code that is officially signed by Microsoft is considered safe by millions of machines around the world, something that put them all at risk.

    Here’s how it works:

    When a machine on a network attempts to connect to Microsoft’s Windows Update service, the connection gets redirected through an infected machine first, which sends a fake, malicious Windows Update to the requesting machine. The fake update claims to be code that will help display gadgets on a user’s desktop.

    The fake update looks like this:

    <update description="Allows you to display gadgets on your desktop."
    displayName="Desktop Gadget Platform" name="WindowsGadgetPlatform">

    If the ruse works, a malicious file called WuSetupV.exe gets deposited on the machine. Since the file is signed with a fake Microsoft certificate, it appears to the user to be legitimate, and therefore the user’s machine allows the program to run on the machine without issuing a desktop warning.

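The trust decision described in comments 7 and 10 above, as an added toy model that is not code from the original post, from Microsoft or from any of the quoted vendors. Certificates are plain records with constructed names and fingerprints and there is no real cryptography; the model only shows why a chain through the licensing sub-CA passed a policy that anchors on the Microsoft root alone, and fails once that sub-CA sits in the untrusted store and MD5-signed links are refused.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the fields the policy below inspects."""
    subject: str
    issuer: str          # subject of the issuing cert, or "self" for a root
    fingerprint: str     # constructed stand-in for a thumbprint
    sig_hash: str        # hash algorithm the issuer used when signing this cert
    eku: FrozenSet[str]  # extended key usages; "any" means unconstrained


# Constructed chain modelled on the page's description: Microsoft root ->
# Terminal Server Licensing sub-CA -> leaf that signed the fake update.
# Every name and fingerprint here is made up for the example.
MS_ROOT = Cert("Microsoft Root Authority (constructed)", "self", "root-0001",
               "sha1", frozenset({"any"}))
TS_SUB_CA = Cert("Terminal Server Licensing sub-CA (constructed)", MS_ROOT.subject,
                 "subca-0002", "md5", frozenset({"any"}))
ROGUE_LEAF = Cert("WuSetupV.exe signer (constructed)", TS_SUB_CA.subject,
                  "leaf-0003", "md5", frozenset({"code-signing"}))
FLAME_CHAIN = [ROGUE_LEAF, TS_SUB_CA, MS_ROOT]


@dataclass
class Policy:
    trusted_roots: Set[str]                             # fingerprints of trusted roots
    untrusted: Set[str] = field(default_factory=set)    # the "Untrusted Certificates Store"
    allowed_sig_hashes: Set[str] = field(
        default_factory=lambda: {"md5", "sha1", "sha256"})


def validate_code_signing_chain(chain: List[Cert], policy: Policy) -> Tuple[bool, str]:
    """Walk the chain leaf -> root and return (accepted, reason).

    For each cert, in order: it must not be in the untrusted store, it must be issued
    by the next cert up, its signature hash must be allowed (roots are trusted by
    fingerprint, so their self-signature is not checked), and it must be permitted
    to sign code.
    """
    if not chain:
        return False, "empty chain"
    root = chain[-1]
    if root.issuer != "self" or root.fingerprint not in policy.trusted_roots:
        return False, f"root {root.subject!r} is not trusted"
    for i, cert in enumerate(chain):
        is_root = i == len(chain) - 1
        if cert.fingerprint in policy.untrusted:
            return False, f"{cert.subject!r} is in the untrusted store"
        if not is_root and cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject!r} was not issued by {chain[i + 1].subject!r}"
        if not is_root and cert.sig_hash not in policy.allowed_sig_hashes:
            return False, f"{cert.subject!r} is signed with {cert.sig_hash}"
        if not cert.eku & {"code-signing", "any"}:
            return False, f"{cert.subject!r} is not permitted to sign code"
    return True, "chain accepted"


# Policy before the advisory 2718704 response: anything chaining to the root passes.
BEFORE_FIX = Policy(trusted_roots={MS_ROOT.fingerprint})

# Policy after: the licensing sub-CA is pushed into the untrusted store and MD5
# signatures are no longer accepted anywhere on the path.
AFTER_FIX = Policy(trusted_roots={MS_ROOT.fingerprint},
                   untrusted={TS_SUB_CA.fingerprint},
                   allowed_sig_hashes={"sha1", "sha256"})


if __name__ == "__main__":
    for label, pol in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, validate_code_signing_chain(FLAME_CHAIN, pol))
```

Under the hardened policy the leaf is already refused for its MD5 signature before the walk reaches the sub-CA, which is why a hash-algorithm rule and an untrusted store are independent layers rather than one fix.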
  11. Tomi Engdahl says:

    United Nations views Flame as cybersecurity opportunity
    http://news.cnet.com/8301-1009_3-57446906-83/united-nations-views-flame-as-cybersecurity-opportunity/

    Representative for United Nations agency, which has taken credit for helping to discover the Flame malware, tells CNET that world leaders gave agency the “mandate as sole facilitator” for boosting Internet security.

    The United Nations has seized on the appearance of the Flame worm, which targeted computers in the Middle East, to argue that it should have more authority to deal with cybersecurity threats on the Internet.

    Last week, the United Nations’ International Telecommunication Union circulated a statement about Flame saying the malware “reinforces the need for a coordinated response” that could come from “building a global coalition.” It took credit for Flame’s discovery, saying Kaspersky Lab identified it “following a technical analysis requested by the ITU.”

    The prospect of greater ITU involvement in Internet governance and cybersecurity — the topic of an international summit in Dubai in December and something the agency has increasingly focused on — is not likely to be uniformly applauded.

    “But nobody trusts the ITU,” Lewis says. “That doesn’t justify the hysteria we saw on the Hill, but it does justify not giving the ITU greater responsibility.”

    “The Flame story indicates that governments aren’t cybersecurity experts,” Harper says. “There are lots of cybersecurity experts. The ITU and the U.S. Congress are not two of them.”

  12. Tomi says:

    Stuxnet/Flame/Duqu Uses GPL Code
    http://yro.slashdot.org/story/12/06/06/1256217/stuxnetflameduqu-uses-gpl-code

    “It seems the authors of Stuxnet/Duqu/Flame used the LZO library, which is straight-up GPL. And so, someone has asked the U.S. government to release the code under the GPL.”

  13. Tomi Engdahl says:

    A Pandora’s Box We Will Regret Opening
    http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12/a-pandoras-box-we-will-regret-opening

    If somebody would have told me five years ago that by 2012 it would be commonplace for countries to launch cyberattacks against each other, I would not have believed it. If somebody would have told me that a Western government would be using cybersabotage to attack the nuclear program of another government, I would have thought that’s a Hollywood movie plot. Yet, that’s exactly what’s happening, for real.

    Cyberattacks have several advantages over traditional espionage or sabotage. Cyber attacks are effective, cheap and deniable. This is why governments like them.

    In that sense, it’s a bit surprising that the U.S. government seems to have taken the credit, and the blame, for Stuxnet. Why did they do it? The most obvious answer seems to be that it’s an election year

    The downside for owning up to cyberattacks is that other governments can now feel free to do the same. And the United States has the most to lose from attacks like these. No other country has so much of its economy linked to the online world.

  14. Tomi Engdahl says:

    sKyWIper (a.k.a. Flame a.k.a. Flamer):
    A complex malware for targeted attacks
    Technical Report
    by
    Laboratory of Cryptography and System Security (CrySyS Lab)
    http://www.crysys.hu/skywiper/skywiper.pdf

  15. Tomi Engdahl says:

    Microsoft ‘hardens’ Windows Update from Flame penetration
    How the hot malware burned a new hole in Redmond’s backside
    http://www.theregister.co.uk/2012/06/07/microsoft_combats_flame_with_additional_hardening/

    Microsoft has “hardened” its Windows Update system after researchers discovered the Flame virus can infect PCs by offering itself as an update masquerading as official Microsoft software.

    Redmond said in a blog post yesterday that it was continuing to analyse Flame and repeated that it would “evaluate additional hardening of both the Windows Update channel and our code signing certificate controls”.

    It warned any customers who do not have their Windows Update software set to automatic configuration to install the latest patch immediately, which will thwart Flame’s man-in-the-middle attack.

    Microsoft added that it had waited until it was clear that most of its customers were protected against the malware before publishing more details about how so-called “cryptographic collisions” had been used in those attacks.

    Hence, all the panic coming out of Redmond towers to ensure that its customers have all updated their Windows software to prevent their systems being compromised by Flame.

  16. Tomi Engdahl says:

    Flame gets suicide command
    Symantec honeypot spots ‘flame-out’
    http://www.theregister.co.uk/2012/06/07/flame_suicide_command/

    The controllers of the Flame malware have apparently reacted to the publicity surrounding the attack by sending a self-destruct command.

    According to Symantec, some command-and-control machines have sent a command designed to wipe Flame from compromised computers.

    The command, which Symantec has dubbed “urgent suicide”, was captured on honeypots (since an ordinary machine would have the malware removed without the user noticing).

  17. Tomi Engdahl says:

    Flame: UN urges co-operation to prevent global cyberwar
    http://www.bbc.com/news/technology-18351995

    The UN has urged countries to seek a “peaceful resolution” in cyberspace to avoid the threat of global cyberwar.

    The comments by the head of the UN’s telecommunications agency came a week after Flame, one of the most complex cyber-attacks to date, was uncovered.

    Dr Hamadoun Toure told the BBC that he did not suspect the US of being behind the attack.

    He added that developing countries were being helped to defend themselves more adequately against threats.

    He said he did not consider Flame to be an act of cyberwar.

    “It hasn’t reached that level yet as it has been detected in time,” he added.

    When asked about the attack’s possible source, he said: “All indications are that Flame has been created by a nation state, that’s clear.

    “The ITU is not mandated to make a judgement on who is responsible. Our role is to work with partners to promote better co-operation.”

  18. Tomi Engdahl says:

    Re: [cryptography] Microsoft Sub-CA used in malware signing
    http://www.mail-archive.com/[email protected]/msg02928.html

  19. Tomi Engdahl says:

    Crypto breakthrough shows Flame was designed by world-class scientists
    http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/

    The spy malware achieved an attack unlike any cryptographers have seen before.

    The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world’s foremost cryptography experts said.

    “We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack,”

    “Collision” attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn’t until late 2008 that a team of researchers made one truly practical.

    Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.

    According to Stevens and de Weger, the collision attack performed by Flame has substantial scientific novelty.

    The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a wealthy nation-state.

  20. Tomi Engdahl says:

    Discovery of new “zero-day” exploit links developers of Stuxnet, Flame
    http://arstechnica.com/security/2012/06/zero-day-exploit-links-stuxnet-flame/

    Security researchers say they’ve found a conclusive link between the Flame espionage malware and Stuxnet, the powerful cyberweapon that US and Israeli officials recently confirmed they designed to sabotage Iran’s nuclear program.

    An early version of Stuxnet dating back to 2009 contained executable code that targeted what was then an unknown security flaw in Microsoft Windows, a discovery that brings the number of zero-day vulnerabilities exploited by the malware to at least five, researchers from Kaspersky Lab said Monday morning

    Even more significantly, they discovered that a 6MB chunk of code found in the Stuxnet.A (1.0) variant contained the guts of today’s Flame.

    “The fact that the Flame group shared their source code, their intellectual property, with the Stuxnet group proves that there is an actual link,” Roel Schouwenberg , a senior researcher at Kaspersky Lab, said during an online press conference. “They actually cooperated at least once. That’s, I think, huge news. It confirms our beliefs we’ve had all along, that the Flame operation and the Stuxnet operation were two parallel projects fashioned by the same entities.”

    “We firmly believe that the Flame platform predates the Stuxnet platform,” Schouwenberg continued. “It kind of looks like the Flame platform was used as a kick-starter of sorts to get the Stuxnet project going. After 2009, this resource 207 was actually removed from Stuxnet, and the Flame operation and the Stuxnet operation each went their separate ways. Maybe this was because the Stuxnet code was now mature enough to be deployed in the wild.”

  21. Tomi Engdahl says:

    Source code smoking gun links Stuxnet AND Flame
    Kaspersky: Devious cyber-weapons share software DNA
    http://www.theregister.co.uk/2012/06/12/stuxnet_flame_links_discovered_by_security_researchers/

    Russian virus protection outfit Kaspersky Lab said in a blog post yesterday that although two separate teams worked on Stuxnet and Flame, the viruses’ programmers “cooperated at least once during the early stages of development”.

    Here’s a quick rundown of what Kaspersky Lab found during its research:

    A module from the early 2009 version of Stuxnet, known as “Resource 207”, was actually a Flame plugin.
    Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.
    Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new ‘zero-day’ vulnerabilities.

  22. Tomi Engdahl says:

    Microsoft overhauls certificate management in response to Flame PKI hack
    A new Windows auto-update will flag certs that are “no longer trustworthy.”
    http://arstechnica.com/security/2012/06/microsoft-overhauls-certificate-management-in-response-to-flame-pki-hack/

    As part of its monthly “Patch Tuesday” security updates for June, Microsoft announced changes in how Windows manages certificates. These changes include a new automatic updater tool for Windows 7 and Windows Vista that will flag stolen or known forged certificates. This shift will have a huge impact on companies and software vendors who use Microsoft’s implementation of public key infrastructure as part of their authentication and software distribution—especially if they haven’t followed best practices for certificates in the past.

    The changes come on the heels of revelations about the recently discovered Flame malware, which used a rogue certificate authority that masqueraded as Microsoft in order to hijack the Windows Update mechanism.

    On June 8, Microsoft made changes to its Update service to prevent such attacks in the future. The changes announced on June 11 go even further.

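A defender-side check that follows from the certificate changes described above, added here as an example (not code from the article, from Microsoft, or from the blog): it walks the local machine's trusted certificate stores and flags any certificate whose own signature uses md5WithRSAEncryption, the hash family that Flame's collision-forged certificate relied on, and lists what the Disallowed (untrusted) store currently blocks. It assumes a Windows host with the built-in Cert: provider; the store names and OID table are the only inputs.

```powershell
# Added example: audit Windows certificate stores for MD5-signed certificates and
# show the explicitly distrusted ones. Not part of the article or of Microsoft's tooling.

# Stores to audit: trusted roots, intermediate CAs, and third-party roots.
$storesToAudit = 'Root', 'CA', 'AuthRoot'

# PKCS#1 signature algorithm OID that uses MD5 (md5WithRSAEncryption).
# A certificate signed this way can be forged by a chosen-prefix collision.
$md5SignatureOids = @{
    '1.2.840.113549.1.1.4' = 'md5WithRSAEncryption'
}

function Get-Md5SignedCertificates {
    param([string[]]$Stores = $storesToAudit)
    foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $md5SignatureOids.ContainsKey($_.SignatureAlgorithm.Value) } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Algorithm  = $md5SignatureOids[$_.SignatureAlgorithm.Value]
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

function Get-DisallowedCertificates {
    # Certificates that Windows (via the updater) or an administrator has marked untrusted.
    Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' -ErrorAction SilentlyContinue |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Write-Host '== Trusted-store certificates whose own signature uses MD5 =='
Get-Md5SignedCertificates | Format-Table -AutoSize

Write-Host '== Certificates in the Disallowed (untrusted) store =='
Get-DisallowedCertificates | Format-Table -AutoSize
```

A self-signed root is trusted by its presence in the store rather than by its signature, so an MD5 hit in Root matters less than one in CA, where an MD5-signed intermediate is exactly the kind of issuer a collision attack can impersonate.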
  23. Tomi Engdahl says:

    Report: US and Israel Behind Flame Espionage Tool
    http://www.wired.com/threatlevel/2012/06/us-and-israel-behind-flame/

    The United States and Israel are responsible for developing the sophisticated espionage rootkit known as Flame, according to anonymous Western sources quoted in a news report.

    The malware was designed to provide intelligence about Iran’s computer networks and spy on Iranian officials through their computers as part of an ongoing cyberwarfare campaign, according to the Washington Post.

    The program was a joint effort of the National Security Agency, the CIA and Israel’s military, which also produced the Stuxnet worm that is believed to have sabotaged centrifuges used for Iran’s uranium enrichment program in 2009 and 2010.

    “This is about preparing the battlefield for another type of covert action,” a former high-ranking US intelligence official told the Post. “Cyber collection against the Iranian program is way further down the road than this.”

    Kaspersky disclosed last week that Flame in fact contained some of the same code as Stuxnet, directly tying the two pieces of malware together.

    According to the Post Flame was designed to infiltrate highly secure networks in order to siphon intelligence from them, including information that would help the attackers map a target network. Flame, as previously reported, can activate a computer’s internal microphone to record conversations conducted via Skype or in the vicinity of the computer. It also contains modules that log keyboard strokes, take screen shots of what’s occurring on a machine, extract geolocation data from images and turn an infected computer into a Bluetooth beacon to siphon information from Bluetooth-enabled phones that are near the computer.

    Flame exploited a vulnerability in Microsoft’s terminal service system to allow the attackers to obtain a fraudulent Microsoft digital certificate to sign their code, so that it could masquerade as legitimate Microsoft code and be installed on a target machine via the Microsoft software update function.

    Flame was developed at least five years ago as part of a classified program code-named Olympic Games, the same program that produced Stuxnet.

    “It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” Michael V. Hayden, a former NSA director and CIA director who left office in 2009, told the Post.

    It’s still unclear whether the malware used to attack computers in Iran’s oil ministry is the same malware now known as Flame.

  24. Tomi Engdahl says:

    Former CIA Director Michael Hayden called industrial malware a good idea on the 60 Minutes program. He thinks that the Stuxnet worm, which caused problems in Iran’s nuclear program, is a good idea. According to him, the world will see that there is someone who has clearly decided that such activities are acceptable. Hayden said that he did not know who was behind Stuxnet.

    Hayden was director of the CIA from April 2005 to May 2006. Before that, he was the head of NSA since 1999.

    Source: http://www.itviikko.fi/uutiset/2012/03/05/entinen-cia-johtaja-tykkaa-stuxnetista/201224554/7

  25. Tomi Engdahl says:

    Security biz U-turns on Gauss, Flame joint cyberspy hub claim
    http://www.theregister.co.uk/2012/08/24/fireeye_gauss_reverse_ferret/

    Computer security biz FireEye has withdrawn claims that the Gauss and Flame super-viruses may be linked.

    This is after it emerged that what FireEye had thought was a shared command-and-control server, used to send instructions to PCs compromised by the malware, was actually a “sinkhole” maintained by rival researchers at Kaspersky Lab.

    FireEye had noticed communications from both virus strains were heading to the same IP address – but this was a system set up by the Russian lab, which had asked DNS providers to redirect data sent from the two software nasties so as to examine their network traffic.

    “In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates,” FireEye researchers conceded in an updated blog post.

  26. The traditional antivirus era is over? « Tomi Engdahl’s ePanorama blog says:

    [...] points out that conventional security software is powerless against sophisticated attacks like Flame, but alternative approaches are only just getting started. “There’s nothing you can [...]

  27. Tomi says:

    Flame espionage weapon linked to MORE mystery malware
    Command systems weren’t just directing data-raiding worm
    http://www.theregister.co.uk/2012/09/17/flame_analysis/

    Forensic analysis of two command-and-control servers behind the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected.

    Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations’ International Telecommunication Union.

    Over the last six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks.

    C&C servers were disguised to look like a common content management system.

    “They [the command servers] are all dead.”

    There’s no evidence to suggest that Flame’s command servers were used to control other known cyber-weapons – such as Stuxnet or Gauss – but they were used to operate a mystery malware strain, codenamed “SPE” by its authors.

    Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned the cyber-weapon Stuxnet, codenamed Olympic Games. Flame was described as a reconnaissance tool that was used to map networks associated with Iran’s controversial nuclear enrichment programme. This information was used by Stuxnet to target its nuke centrifuge cyber-sabotage mission.

  28. Tomi Engdahl says:

    Kaspersky finds three Flame-related malware threats
    Firm warns at least one is still operating in the wild
    http://www.theinquirer.net/inquirer/news/2206078/kaspersky-finds-three-flame-related-malware-threats

    SECURITY OUTFIT Kaspersky Lab has discovered three Flame spyware related malware threats that it said use “sophisticated encryption methods”.

    “Sophisticated encryption methods were utilised so that no one, but the attackers, could obtain the data uploaded from infected machines,” the firm’s statement read.

    Following the discovery of the three new related programs, Kaspersky’s chief malware expert Vitaly Kamluk told The INQUIRER that Flame is not the only one in this big family.

    “There are others and they aren’t just other known malwares such as Stuxnet, Gauss or Duqu,” he said. “They stay in the shadows and no one has published anything about them yet. Others were probably used for different campaigns.”

    Kamluk added that it is “very possible” there are more than the three listed in Kaspersky’s report.

  29. Tomi Engdahl says:

    Kaspersky Lab researchers have discovered a new malicious program, “MiniFlame”/“SPE”, which was probably part of a cyber operation against Iran. The code suggests that it is built on the same platform as its “big brother” and was designed to carry out continuous monitoring.

    “We can assume that this program was part of the same operation as Flame and Gauss, and that the operation was carried out in several waves,” Kaspersky said.

    In the first wave, as many computers as possible were infected. They were used to collect information for attacks on important targets.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/tietoturvayritys+loysi+vakoiluohjelma+flamen+pikkuveljen/a847541?s=r&wtm=tietoviikko/-16102012&
