The Flame: Questions and Answers

Forged CA certificates involved, what a surprise;http://www.h-online.com/security/ne...-by-forged-Microsoft-certificate-1594388.html

 

Flame Hijacks Microsoft Update.....

Flame Hijacks Microsoft Update to Spread Malware Disguised As Legit Code:

http://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/

 

A Massive Web of Fake Identities and Websites Controlled Flame Malware

A Massive Web of Fake Identities and Websites Controlled Flame Malware:

http://www.wired.com/threatlevel/2012/06/flame-command-and-control/

 

Re: Flame Hijacks Microsoft Update.....

I agree, but i believe that is quite easy to be tricked to install since it appears to be a legit Microsoft update
Personally i wouldn't say that a malware is trivial because it can be blocked with an AE or whatever, social-engineering should also be taken into account, IMHO. If this malware can hijack Microsoft Update to spread, and use a fake Microsoft certificate, i wouldn't say that is just another boring virus... but i'm no expert whatsoever.

http://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/

 

prevx discovered it, not webroot. webroot now own prevx so that is why 'webroot' is being used in discussions. prevx was a British company so they have no allegiance to the USA

 

As an average user who takes reasonable precautions to safeguard my pc (KIS, Sandboxie, DNSCrypt, router, HtmPro, no risky surfing/gaming, good paswords) and still has puzzling issues, I find this quote from Wired very telling:

://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/

"...the immediate risk from Flame is not great. But other attackers could have been exploiting the vulnerability as well. And the fact that this vulnerability existed in the first place is what has security experts all aflame."

If one does not have to be a mechanic to drive a car, should one have to become a security expert just to use the internet? -- or to even use Windows update, which MS urges users to leave on automatic?

 

Rmus, if you mean by "checking manually" that the user checks for updates and chooses which ones to install, I am one of those users. However, is it reasonable to require more and more of the user in the face of a *fail* by the vendor? The quote from Wired in my post implies that security experts suspect that this exploit was expected and /or has been used in other ways.

 

His checking of updates would have gotten him infected had he been targeted by Flame due to Microsoft's error. I think that's the type of fail he's talking about.

 

I must voice a little bit of disagreement with the direction that this discussion is taking. One shouldn't have to be a mechanic to drive a car, and the vast majority of users should leave automatic updates enabled. The automatic update process prevents thousands of known attacks every single day, on systems that largely would have gone unpatched otherwise. Yes, here, on a forum dedicated to security you may find a few like-minded individuals knowledgeable enough and with the inclination and dedication to maintain patched systems manually. (Although, even here, I suspect that much like those that have good intentions of going to the gym 3-4 times a week, far fewer actually successfully translate such well-placed intentions into consistent action.)

No, we all must keep this in perspective. Microsoft's certificate authority, code-signing, and automatic update process has in general been an unmitigated success. Yes, "Flame" or "Flamer" has highlighted the existence of a vulnerability in the automated system and has attacked the integrity of the patching system itself. This attack on the patch and code-signing infrastructure is just one more, of the several unique and interesting qualities of Flame. However, Microsoft largely can and has addressed the issue, and people must retain a degree of faith in the legitimacy of automated OS updates. One esoteric and relatively rare vulnerability here should not undermine the fact that far, far more vulnerabilities are prevented by leaving automated updates enabled.

We must not lose sight of the fact that Flame is a piece of malware developed by individuals with a fairly sizeable amount of resources, with a dedicated and largely limited number of devices targeted, and with dedicated target intent. Given such parameters it is very difficult to guarantee 100% information security on target systems running off-the-shelf operating systems and largely random third-party applications. On the other hand, off-the-shelf operating systems, patched regularly (generally meaning automated), along with off-the-shelf anti-malware security has actually gotten pretty good at screening out the 99.8% of "junk" malware that is daily trolling through the wires.

 

No, just a million other things could happen. But I'm sure we're all immune to social engineering anyways.

 

I wasn't talking about anything specific to Flame.

 

https://www.computerworld.com/s/art..._seriousness_of_Holy_Grail_hack?taxonomyId=17

 

And that already-infected system, how it got infected? Drive-by download?

 

Probably through a targeted attack or through any of the other methods. So even if your machine is fully patched maybe someone else at starbucks is running a super old XP or some such thing and there you go, everyone with a laptop just got infected.

 

http://www.pcworld.com/businesscent...ters_to_remove_all_traces_of_the_malware.html

"The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis, security researchers from Symantec said on Wednesday.Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control, Symantec's security response team said in a blog post."


Translation: This is going to become much more common, and nosy researchers aren't invited to the party.

 

Possibly the same way Stux got its little fingers in the cookie jar, via manual install. You have to remember, working for two teams isn't just an old Cold War tactic.

 

I didn't see details of how the network had to be configured in order for the Flame to infect other machines. Maybe Windows machines connected to the network but using the Public network profile were immune?

I'm talking about this: http://qwertytutorials.com/software_tutorials/windows_7/site_graphics/win7_install_26b.png

 

CWI cryptanalist discovers new cryptographic attack variant in Flame spy malware

'Cryptanalist Marc Stevens from the Centrum Wiskunde & Informatica (CWI) (Centre for mathematics and computer science) in Amsterdam, known for 'breaking' the MD5 hash function for https security in 2008, analyzed the recent Flame virus this week. He discovered that for this spy malware an as yet unknown cryptographic attack variant of his own MD5 attack is used. Stevens analyzed this with new forensic software that he developed. Initially, the researcher assumed that Flame used his own attack, which was made public in June 2009, but this was not the case. “Flame uses a completely new variant of a ‘chosen prefix collision attack’ to impersonate a legitimate security update from Microsoft. The design of this new variant required world-class cryptanalysis,” says Marc Stevens. “It is very important to invest in cryptographic research, to continue to be ahead of these developments in practice.” link

 

A new twist now

http://www.bbc.co.uk/news/technology-18365844

not as simple and unsophisticated as the Prevx researchers seemed to think ?

 

duh

I said this day 1. Anyone dismissing this obviously hadn't looked hard enough. People were so obsessed about making sure they didn't look like they were hyping it they forgot to actually take a reality check and see that it was legitimately worth a bit of hype.

 

Two things:

When 'Magic Lantern' was revealed in the Nicodemo Scarfo case, one US anti-malware company representative indicated that it *wouldn't* add signatures to detect it. His name was Chen, IIRC and I think he was with Norton/Symantec. They're getting harder to find, but Google and you can still find that info ^ I believe it is your duty as an American company, to report and block this (and all things like it)...this can be turned on you in a heartbeat and we aren't supposed to be cheerleaders for whoever spends the most money in the last election.

Concerning updates, Does MS offer individual downloads of each update? I'm disciplined enough to check each week. I know they must, but finding the download links has always been a PITA.

PD

 

https://www.securelist.com/en/blog/208193568/Back_to_Stuxnet_the_missing_link

 

"Flame and Stuxnet makers 'co-operated' on code

By Dave Lee Technology reporter, BBC News

Teams responsible for the Flame and Stuxnet cyber-attacks worked together in the early stages of each threat's development, researchers have said.

Flame, revealed last month, attacked targets in Iran, as did Stuxnet which was discovered in 2010.

Kaspersky Lab said they co-operated "at least once" to share source code.

"What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected," Kaspersky said.

Alexander Gostev, chief security expert at the Russian-based security company added: "The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once."

Vitaly Kamluk, the firm's chief malware expert, said: "There is a link proven - it's not just copycats.

"We think that these teams are different, two different teams working with each other, helping each other at different stages."

The findings relate to the discovery of "Resource 207", a module found in early versions of the Stuxnet malware.

It bears a "striking resemblance" to code used in Flame, Kaspersky said.

"The list includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming," Mr Gostev said."




http://www.bbc.co.uk/news/technology-18393985

 

The issue highlighted by Prevx researchers is the lack of sophistication concerning the code designed to hide its presence in the system ((and self defense) as compared to Zeus, Spyeye, TDL4 and other related financial malware. As well as how easy is the process of detection and removal. The infection mechanism was not really discussed.

 

How do you interpret this?

People are so quick to jump and dismiss whatever they can it's just as bad as the other side hyping it up as much as possible.

There are multiple examples of this on Wilders alone with Flame the same day news started hitting.