The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Selective quoting is an easy approach to support your statement... you need to at least read a paragraph when quoting :D
    See post #27 above and #44
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hungry, what is so special about this code?

    Written in C/Assembly/whatever?
    Compiled?
    Runs and does things?

    So what's unique?
    Apart from the media sensation?

    Perhaps the code logic is brilliant, but it has nothing to do with malware, more with pure code design and implementation by whoever designed it; most likely some good math and whatnot.

    Mrk
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    A quote from a different user?

    Obviously a premature statement, considering the unprecedented collision attack. It doesn't even make sense considering they knew how highly modular it is, which alone makes it new. The fact that it was using Stuxnet exploits and had been around for years should have been a tipoff that there was more to it as well.

    And I'm not picking on Prevx, this topic and many others (on all sites) are full of the same thing.

    @Mrkvonic, see above.

    Things that make Flame something not to be dismissed immediately.

    1) The first collision attack used against Windows users in the wild. It used a technique that had been adapted from one we know of but is still new.
    2) Highly modularized, which leads to a massive size
    3) It's been around for years without specific detection
    4) Combination of it being around for years and it using exploits that were in stuxnet

    Anyone dismissing it early on was way premature and it should have been obvious even at that point that it wasn't some typical piece of malware.
     
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Judging by the size of the code, I'd say defense contractors :D Cheap jab aside, I do agree with you, Mrkvonic, in that the only unique thing is really the code design. The rest is media sensationalism.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Just a misunderstanding or over-interpretation of the Prevx statements, which were making a comparison with Zeus, TDL4, etc., not with the infection vehicle in mind...
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Really? Ignoring the fact that there was a collision attack used? That this is now confirmed to be linked with Stuxnet - the hints of this being around from day 1?

    Anyone calling this malware typical is kidding themselves and articles from some companies played right into that.

    How do you interpret the statement other than "There is nothing sophisticated about this malware at all" ? Because I'm reading it as them saying it's not sophisticated even though it should have been obvious from day 1 that it's doing something different.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    No, simply it was not the subject of the remark by the Prevx researcher. See post 44 for example... I give up... lol
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The example is that it's easily removed, therefore not advanced?

    I give up as well. I think it's simple to understand - some people think that if they dismiss things they look smarter or they even think they are smarter for it. It's hilarious and I see it everywhere.
     
  9. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I'm not a coder and haven't (still) dug into this. But as an average Joe, would the usual security suspects that 'we' use (OA, CIS, DefenseWall, Avast!, Sandboxie, etc...) have prevented infection with this? If not, it is a big deal. The Windows Update hack seems like a big deal as well... has that ever been leveraged before? Being state sponsored is the biggest deal of them all... there are actually a lot more things to worry about than a criminal getting your bank logon, IMO. I mean, F-Secure saying the industry failed is pretty big IMO; they sell AV after all. The companies saying "oh, we had this signature on file since 2007" is all well and good, but what does that mean... would it have been blocked, or not?

    PD

    Edit: I also find something else curious (and this depends on whether current consumer anti-malware, pre-discovery, would have stopped this or not) - I wouldn't expect the current crop of anti-malware companies *to* say this is a big deal if it sailed right through the defenses... that would be fiscal suicide. I.e.

    Big AV Company: "This is a huge discovery!"

    Reporter: "Would your product have stopped infection?"

    Big AV Company: "No, it would have sailed right through".
     
    Last edited: Jun 11, 2012
  10. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Article
     
  11. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    I have to agree with Hungry Man 100% in this argument.

    I find it ironic that those most interested in information security were often those most quick to dismiss Flame. While it is understandable that the news and mass media outlets may have been quick to overhype the threat because they profit from sensationalism, that does not mean that any security professional or enthusiast should jump to the other side and become immediately dismissive of the threat without a full analysis having been completed.
     
  12. tomazyk

    tomazyk Guest

    Couldn't say it better.

    A full analysis of this huge pile of code will take some time. Let's just wait and see what they'll find.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    https://speakerdeck.com/u/asotirov/p/analyzing-the-md5-collision-in-flame
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    An interesting aspect, which I think we're sure to never appreciate, is the degree to which the primary actors (key agencies responsible) and/or any secondary actors (say agencies in other countries) influenced the news and the extent to which entities in the security community were involved (knowingly or unknowingly).
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Like I said, MD5 = good math :)
    Mrk
     
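    Added example, not code from any poster in this thread nor from the Flame analyses linked above: Hungry Man's point 1, PaulyDefran's "Windows Update hack" question and the asotirov deck CloneRanger linked all turn on the same mechanism, an MD5 chosen-prefix collision that yielded a certificate Windows accepted as Microsoft-issued. A collision only matters because the CA's signature covers hash(tbsCertificate), not the certificate bytes themselves: two TBS structures with the same MD5 carry the same valid signature. The check a practitioner takes away from that is to refuse, or at least flag, any certificate in a chain whose signature algorithm is MD5-based. The script below is a stdlib-only DER walker that reads the outer signatureAlgorithm and the copy of it inside tbsCertificate (RFC 5280 §4.1.2.3 requires the two to match) and classifies the OID. The certificates it parses are constructed inline with a dummy TBS body and a zeroed signature BIT STRING so it runs offline; nothing in it is a real key, a real signature, or a Flame sample.

```python
"""Classify the signature hash of a DER-encoded X.509 certificate.

Added example for this thread, stdlib only. Walks just enough DER to reach the
two AlgorithmIdentifier fields (tbsCertificate.signature and the outer
signatureAlgorithm) and reports whether the hash is MD5-class. The sample
certificates are constructed here (dummy TBS, zeroed signature) to run offline.
"""

# Verdict per well-known signature-algorithm OID (PKCS#1 / X9.62 arcs).
VERDICTS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "WEAK"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "DEPRECATED"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "OK"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "OK"),
}
MD5_RSA, SHA256_RSA = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"

def der(tag, content):
    """Wrap content in a DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER, tag and length included."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:                              # base-128, high bit on all but last
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(body):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """(tag, content, position after the TLV) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature, outer signatureAlgorithm) as dotted OIDs."""
    _, cert, _ = read_tlv(cert_der)             # Certificate ::= SEQUENCE
    _, tbs, pos = read_tlv(cert)                # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)       # signatureAlgorithm
    tag, _, pos = read_tlv(tbs)                 # [0] EXPLICIT version, if present
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)          # serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    # First element of each AlgorithmIdentifier is the algorithm OID.
    return tuple(decode_oid(read_tlv(alg)[1]) for alg in (inner_alg, outer_alg))

def assess(cert_der):
    """Verdict for one certificate; a TBS/outer disagreement outranks the hash check."""
    inner, outer = signature_algorithms(cert_der)
    name, verdict = VERDICTS.get(outer, (outer, "UNKNOWN"))
    if inner != outer:                          # RFC 5280 4.1.2.3: the two MUST match
        verdict = "MISMATCH"
    return {"inner": inner, "outer": outer, "name": name, "verdict": verdict}

def build_sample_cert(sig_oid, tbs_sig_oid=None):
    """Constructed, syntactically minimal certificate: dummy TBS, zeroed signature."""
    def alg(oid):                               # AlgorithmIdentifier { oid, NULL }
        return der(0x30, encode_oid(oid) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))   # [0] version = v3
                    + der(0x02, b"\x01")            # serialNumber = 1
                    + alg(tbs_sig_oid or sig_oid)   # signature (must equal the outer one)
                    + der(0x30, b""))               # issuer: empty Name, dummy
    sig_value = der(0x03, b"\x00" + bytes(16))      # BIT STRING, dummy, not a real signature
    return der(0x30, tbs + alg(sig_oid) + sig_value)

if __name__ == "__main__":
    for label, cert in [("md5-signed", build_sample_cert(MD5_RSA)),
                        ("sha256-signed", build_sample_cert(SHA256_RSA)),
                        ("tbs/outer disagree", build_sample_cert(SHA256_RSA, MD5_RSA))]:
        r = assess(cert)
        print(f"{label:20s} {r['name']:24s} {r['verdict']}")
```

    Run as-is it reports WEAK for the md5WithRSAEncryption sample, OK for the sha256WithRSAEncryption one, and MISMATCH for the certificate whose inner and outer algorithm identifiers disagree. To use it on a real chain, pass the DER bytes of each certificate (for PEM, strip the armour and base64-decode first). The walker reads only the leading TBS fields; it does not validate the chain or the signature value, which stays with the platform verifier.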
  16. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Is there any standalone tool(s) to check for this malware?
     
  17. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Yes, Bit Defender has one...the link is earlier in the thread IIRC.

    PD
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  19. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks. I didn't find it in this thread, but I found it here:

    hxxp://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/
     
  20. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Article
     
  21. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    The thing that makes me a bit anxious is that if that is a 5-year-old malware,
    maybe, just maybe, we are running something like it now.

    Anyway, I just want to know how widespread the infection was. I saw some limited number of computers in the Middle East, but as you say that it's very sophisticated, I thought
    there should be more computers infected with it.

    Something like the Flashback trojan numbers o_O
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep, it's very sophisticated and there was obviously a massive budget behind it. Probably the US government as well.

    This was a more targeted attack, so it makes sense that it stayed in one location. It wasn't something hosted on a webpage; it was spread through local networks after an initial targeted infection.

    But, yes, it's entirely possible and even likely that there is more malware (wtf is the plural of malware) out there like Flame with large budgets behind it, which is why it's important to go beyond simply patching.

    There are people willing to spend a lot of money on these things.
     
  23. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    I think someday in the future I will buy a computer forensics company just for the peace of mind xD

    Dude this world is twisted beyond our imagination
     
  24. tomazyk

    tomazyk Guest

  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I remember when I was interested, once...ho-hum! ;)

    ScreenShot_Stuxnet_info_01.jpg
     
    Last edited: Jun 13, 2012