Wilders Security Forums  

#76 - fax - June 11th, 2012, 02:59 PM
Re: The Flame: Questions and Answers

Selective quoting is an easy approach to support your statement... you need at least to read a paragraph when quoting.
See post #27 above and #44

#77 - Mrkvonic - June 11th, 2012, 03:01 PM

Hungry, what is so special about this code?

Written in C/Assembly/whatever?
Compiled?
Runs and does things?

So what's unique?
Apart from the media sensation?

Perhaps the code logic is brilliant, but it has nothing to do with malware, more with pure code design and implementation by whoever designed it; most likely some good math and whatnot.

Mrk

#78 - Hungry Man - June 11th, 2012, 03:03 PM

A quote from a different user?

Quote:
“In terms of sophistication we believe it is nowhere near Zeus, Spyeye or TDL4 for example. Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it--essentially a 2007 era technology.”
Obviously a premature statement considering the unprecedented collision attack. Doesn't even make sense considering they knew how highly modular it is, which even alone makes it new. The fact that it was using Stuxnet exploits and had been around for years should have been a tipoff that there was more to it as well.

And I'm not picking on Prevx, this topic and many others (on all sites) are full of the same thing.

@Mrkvonic, see above.

Things that make Flame something not to be dismissed immediately.

1) The first collision attack used against Windows users in the wild. It used a technique that had been adapted from one we know of but still new.
2) Highly modularized, which leads to a massive size
3) It's been around for years without specific detection
4) Combination of it being around for years and it using exploits that were in Stuxnet

Anyone dismissing it early on was way premature and it should have been obvious even at that point that it wasn't some typical piece of malware.

#79 - EncryptedBytes - June 11th, 2012, 03:10 PM

Quote:
Originally Posted by Mrkvonic
by whoever designed it; most likely some good math and whatnot.

Mrk

Judging by the size of the code, I'd say defense contractors. Cheap jab aside, I do agree with you Mrkvonic in that the only unique thing is really the code design. The rest is media sensationalism.

#80 - fax - June 11th, 2012, 03:12 PM

Just a misunderstanding or over-interpreting the Prevx statements, making a comparison with Zeus, TDL4, etc. not with the infection vehicle in mind...

#81 - Hungry Man - June 11th, 2012, 03:12 PM

Really? Ignoring the fact that there was a collision attack used? That this is now confirmed to be linked with Stuxnet - the hints of this being around from day 1?

Anyone calling this malware typical is kidding themselves and articles from some companies played right into that.

Quote:
Just a misunderstanding or over-interpreting Prevx statements as already indicated above... comparison with Zeus, TDL4, etc. was not made with the infection vehicle in mind...
How do you interpret the statement other than "There is nothing sophisticated about this malware at all" ? Because I'm reading it as them saying it's not sophisticated even though it should have been obvious from day 1 that it's doing something different.

#82 - fax - June 11th, 2012, 03:16 PM

Quote:
Originally Posted by Hungry Man
Really? Ignoring the fact that there was a collision attack used?

No, simply it was not the subject of the remark by the Prevx researcher. See post 44 for example... I give up... lol

#83 - Hungry Man - June 11th, 2012, 03:19 PM

The example is that it's easily removed, therefore not advanced?

I give up as well. I think it's simple to understand - some people think that if they dismiss things they look smarter or they even think they are smarter for it. It's hilarious and I see it everywhere.

#84 - PaulyDefran - June 11th, 2012, 04:08 PM

I'm not a coder and haven't (still) dug into this. But as an average Joe, would the usual security suspects that 'we' use (OA, CIS, Defense Wall, Avast!, Sandboxie, etc...) have prevented infection with this? If not, it is a big deal. The Windows Update hack seems like a big deal as well...has that ever been leveraged before? Being state-sponsored is the biggest deal of them all...there are actually a lot more things to worry about than a criminal getting your bank logon, IMO. I mean F-Secure saying the industry failed is pretty big IMO, they sell AV after all. The companies saying "oh, we had this signature on file since 2007" is all well and good, but what does that mean...would it have been blocked, or not?

PD

Edit: I also find something else curious (and this depends on whether current consumer anti-malware, pre-discovery, would have stopped this or not) - I wouldn't expect the current crop of anti-malware companies *to* say this is a big deal if it sailed right through the defenses...that would be fiscal suicide. I.e.

Big AV Company: "This is a huge discovery!"

Reporter: "Would your product have stopped infection?"

Big AV Company: "No, it would have sailed right through".

Last edited by PaulyDefran : June 11th, 2012 at 06:14 PM.

#85 - siljaline - June 11th, 2012, 07:53 PM

Quote:
Discovery of new "zero-day" exploit links developers of Stuxnet, Flame.

Security researchers say they've found a conclusive link between the Flame espionage malware and Stuxnet, the powerful cyberweapon that US and Israeli officials recently confirmed they designed to sabotage Iran's nuclear program.

An early version of Stuxnet dating back to 2009 contained executable code that targeted what was then an unknown security flaw in Microsoft Windows, a discovery that brings the number of zero-day vulnerabilities exploited by the malware to at least five, researchers from Kaspersky Lab said Monday morning. Even more significantly, they discovered that a 6MB chunk of code found in the Stuxnet.A (1.0) variant contained the guts of today's Flame. In addition to unearthing previously overlooked data about how Stuxnet hijacked targeted networks, the discovery is important because it establishes the first positive connection between the developers of Stuxnet and those behind Flame, which came to light two weeks ago as a highly sophisticated espionage platform that targeted computers in Iran and other Middle Eastern countries.
Article

#86 - Alec - June 11th, 2012, 10:15 PM

Quote:
Originally Posted by Hungry Man
Quote:
There is nothing advanced about this threat at all.
How do you interpret this?

People are so quick to jump and dismiss whatever they can it's just as bad as the other side hyping it up as much as possible.

There are multiple examples of this on Wilders alone with Flame the same day news started hitting.
I have to agree with Hungry Man 100% in this argument.

I find it ironic that those most interested in information security were often those most quick to dismiss Flame. While it is understandable that the news and mass media outlets may have been quick to overhype the threat because they profit from sensationalism, that does not mean that any security professional or enthusiast should jump to the other side and become immediately dismissive of the threat without a full analysis having been completed.

#87 - tomazyk - June 12th, 2012, 12:49 AM

Quote:
Originally Posted by Alec
I have to agree with Hungry Man 100% in this argument.

I find it ironic that those most interested in information security were often those most quick to dismiss Flame. While it is understandable that the news and mass media outlets may have been quick to overhype the threat because they profit from sensationalism, that does not mean that any security professional or enthusiast should jump to the other side and become immediately dismissive of the threat without a full analysis having been completed.

Couldn't say it better.

A full analysis of this huge pile of code will take some time. Let's just wait and see what they'll find.

#88 - CloneRanger - June 12th, 2012, 04:07 AM

Quote:
Analyzing the MD5 collision in Flame

One of the more interesting aspects of the Flame malware was the MD5 collision attack that was used to infect new machines through Windows Update. MD5 collisions are not new, but this is the first attack discovered in the wild and deserves a more in-depth look. Trail of Bits is uniquely qualified to perform this analysis, because our co-founder Alex Sotirov was one of the members in the academic collaboration that first demonstrated the practicality of this class of attacks in 2008. Our preliminary findings were presented on June 9th at the SummerCon conference in New York and are available online or as a PDF download

https://speakerdeck.com/u/asotirov/p...ision-in-flame

#89 - TheWindBringeth - June 12th, 2012, 06:15 AM

Quote:
Originally Posted by Alec
I have to agree with Hungry Man 100% in this argument.

I find it ironic that those most interested in information security were often those most quick to dismiss Flame. While it is understandable that the news and mass media outlets may have been quick to overhype the threat because they profit from sensationalism, that does not mean that any security professional or enthusiast should jump to the other side and become immediately dismissive of the threat without a full analysis having been completed.
An interesting aspect, which I think we're sure to never appreciate, is the degree to which the primary actors (key agencies responsible) and/or any secondary actors (say agencies in other countries) influenced the news and the extent to which entities in the security community were involved (knowingly or unknowingly).

#90 - Mrkvonic - June 12th, 2012, 07:27 AM

Like I said, MD5 = good math
Mrk

#91 - AlexC - June 12th, 2012, 08:05 AM

Is there any standalone tool(s) to check for this malware?

#92 - PaulyDefran - June 12th, 2012, 08:09 AM

Yes, Bit Defender has one...the link is earlier in the thread IIRC.

PD

#93 - funkydude - June 12th, 2012, 08:13 AM

Flame's crypto attack may have needed $200,000 worth of compute power

Quote:
The cryptographic attack that Flame engineers used to hijack Microsoft's Windows Update process was so computationally demanding, it would have required the equivalent of $200,000 worth of computing time from Amazon's EC2 Web service for most people to carry it out.

http://arstechnica.com/security/2012...compute-power/

#94 - AlexC - June 12th, 2012, 08:36 AM

Quote:
Originally Posted by PaulyDefran
Yes, Bit Defender has one...the link is earlier in the thread IIRC.

PD

Thanks. I didn't find it in this thread but I found it here:

hxxp://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/

#95 - siljaline - June 12th, 2012, 05:02 PM

Quote:
Microsoft overhauls certificate management in response to Flame PKI hack

As part of its monthly “Patch Tuesday” security updates for June, Microsoft announced changes in how Windows manages certificates. These changes include a new automatic updater tool for Windows 7 and Windows Vista that will flag stolen or known forged certificates. This shift will have a huge impact on companies and software vendors who use Microsoft’s implementation of public key infrastructure as part of their authentication and software distribution—especially if they haven’t followed best practices for certificates in the past.

The changes come on the heels of revelations about the recently discovered Flame malware, which used a rogue certificate authority that masqueraded as Microsoft in order to hijack the Windows Update mechanism. On June 8, Microsoft made changes to its Update service to prevent such attacks in the future. The changes announced on June 11 go even further, moving to blunt the use of stolen or forged certificates of any kind from being used by malware writers and other attackers.
Article
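The Trail of Bits analysis quoted in #88 and the Microsoft certificate changes quoted in #95 point at the same defender-side check: a chain that rests on an MD5-signed certificate should not be trusted. Below is an added example, not code from this thread, Trail of Bits or Microsoft, that walks the DER of each certificate in a chain with the standard library alone and flags an MD5 signature algorithm. The certificates it audits are skeletons constructed inline for the demo (correct outer structure, no real keys), and the check reads the algorithm only; it verifies no signature.

```python
# Added example (not from the thread, Trail of Bits or Microsoft): flag MD5-based
# signature algorithms in a certificate chain, using only the standard library.

SIG_ALG_OIDS = {                                   # PKCS#1 signature algorithms
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, _tbs, pos = _read_tlv(cert, 0)              # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)            # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)

def audit_chain(chain_der):
    """Return (index, algorithm name or OID, is_md5) for each certificate."""
    findings = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm(cert)
        name = SIG_ALG_OIDS.get(oid, oid)
        findings.append((i, name, name.startswith("md5")))
    return findings

# --- constructed sample input: DER skeletons with the right shape, no real keys or signatures ---
def _der(tag, content):
    n = len(content)                               # short or one-byte long form is enough here
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:                         # remaining arc bits, 7 at a time
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def make_skeleton_cert(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))                                # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))                # dummy BIT STRING
```

On a real chain, pass the DER bytes of each certificate (a PEM file after base64-decoding, or an export from the Windows certificate store) to audit_chain; any entry flagged as md5WithRSAEncryption is the kind of link the Flame forgery relied on.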

#96 - Ranget - June 12th, 2012, 05:57 PM

The thing that makes me a bit anxious is that if that is a 5-year-old malware,
maybe, just maybe, we are running something like it now.

Anyway, I just want to know how popular the infection was. I saw some limited number of computers in the Middle East, but as you say it's very sophisticated, I thought
there should be more computers infected with it.

Something like the Flashback trojan numbers.

#97 - Hungry Man - June 12th, 2012, 06:18 PM

Yep, it's very sophisticated and there was obviously a massive budget behind it. Probably the US government as well.

This was a more targeted attack so it makes sense that it stayed in one location. It wasn't something hosted on a webpage it was spread through local networks after an initial targeted infection.

But, yes, it's entirely possible and even likely that there are more malware (wtf is the plural of malware) out there like Flame with large budgets behind them, which is why it's important to go beyond simply patching.

There are people willing to spend a lot of money on these things.

#98 - Ranget - June 12th, 2012, 09:51 PM

Quote:
Originally Posted by Hungry Man
Yep, it's very sophisticated and there was obviously a massive budget behind it. Probably the US government as well.

This was a more targeted attack so it makes sense that it stayed in one location. It wasn't something hosted on a webpage it was spread through local networks after an initial targeted infection.

But, yes, it's entirely possible and even likely that there are more malware (wtf is the plural of malware) out there like Flame with large budgets behind them, which is why it's important to go beyond simply patching.

There are people willing to spend a lot of money on these things.

I think someday in the future I will buy a computer forensic company just for the peace of mind xD

Dude this world is twisted beyond our imagination

#99 - tomazyk - June 13th, 2012, 12:19 AM

Kaspersky Lab researchers found out that Stuxnet and Flame developers were connected:

http://www.kaspersky.co.uk/about/new..._are_connected

#100 - Tarnak - June 13th, 2012, 12:38 AM

I remember when I was interested, once...ho-hum!

[Attachment: ScreenShot_Stuxnet_info_01.jpg]

Last edited by Tarnak : June 13th, 2012 at 12:44 AM.
 
