The Flame: Questions and Answers

And some organization, somewhere, is willing to pay ~$300,000 to take advantage of their stupidity and take control of their entire network. Is this not worthy of interest?

Secondly, certificates are a cornerstone of many security approaches, and with good reason - they are, usually, for all intents and purposes unbreakable. Unless, apparently, you rely on an old algorithm like MD5. This story is important for spreading awareness to ensure that everyone migrates forward.

 

SHA1 is theoretically breakable too.

 

"I'm with Stupid" album > http://en.wikipedia.org/wiki/I'm_with_Stupid_(album)...all the time!

 

It updates itself automatically. Old versions can't check.

 

Isn't that a different matter? Someone, willing to pay whatever amount of money, to take advantage of MD5 weakness, doesn't change the fact that patient zero can be stopped either.

As I previously mentioned the only great thing that this shows, is that certain people don't mind spending lots of money to attack certain parties.

Other than that... nothing dangerous. It would be an entirely different thing if it couldn't be stopped.

I'd be far more concerned with a kernel exploit, that nothing could stop it.

 

Anything can be stopped including a kernel exploit, it's irrelevant. Patient zero is irrelevant too. They could use their own targeted zero days/ kernel exploits for that, does that change whether or not Flame/ the MD5 collision is impressive? Not even slightly.

All that's required for the MD5 attack to work is that there's a shared network. You don't even need that first victim, honestly, because if you're on the network you can already do it

 

There are two things from this quote to point out, and both those things I pointed them out already. One being that any exploit doesn't necessarily have to result in an infection, which is something you agree with. The other one being that you still believe that patient zero doesn't matter, when it matters 100%.

Try to understand this: Without patient zero, there is no infection. Period. No patient zero infection = no spreading to any network.

Of course, all of this has as a basis, that the very same people who are suppose to take care of things, actually do them, and properly secure their infrastructures.

But, the same applies to any other piece of malware.

The only amazing thing about Flame is the amount of money they spent to do it. Other than that, it can be stopped upfront.

And, who would be that you? As I previously mentioned in one of my posts, with proper security measures in place, and that includes human security measures, how will malware spread? Spontaneous combustion?

 

Yes, without patient zero there is no spread of infection. But, again, that's irrelevant because if all you need is to hack a single computer... that's nothing. You can use social engineering or a 0 day or a known exploit, who cares? It's unimportant, they're the boring one that doesn't matter beacuse they're by far the easiest. The interesting thing is that it's spreading across networks.

You can not stop the first person from being infected. IT is not your machine. And as soon as that person is infected you're no longer in control because any other user on their network will also become infected, even if fully patched.

Exploits? Seems kinda obvious.

 

I'm sorry but i will repeat my question one more time since it seems to have been lost in the ongoing convo.

Can it infect you if Windows update is set to check and notify? Will it pose as a regular update in this under a made up KB or will it assume the place of another legit update? Is the suggestion of checking each update enough to guard against something slipping thru?

I guess since Microsoft is being impersonated, all the bets are off...

 

I would think so.

It probably doesn't pose as an update at all. But I haven't heard anything about htis.

Again, I haven't heard any information. If it's just using the service then that means checking won't help. If it's a fake update it will help.

 

Why spread panic, why.

Can it infect? Who exactly?

You're connected to your ISP and you route to MS servers.
It's not an enterprise environment where you can setup nice MITM thingie.
Any decent ISP prohibits routing to vlans/subnets beyond next hop and do not allow promiscuous mode in their networks, so there's nothing to listen and intercept.

Mrk

 

lol what the hell are you talking about

 

All I know is that to be flamed cannot happen to me, in standalone (workgroup), non-domain, and never to be connected to a (enterprise) network.

 

I brought up the CLSID issue regarding Flame in this thread, & elsewhere on here. So it's interesting to note what KM says

 

No it can't. Microsoft fixed the small possibility (which wasn't abused, btw).

 

I'm answering your claim:

Can it infect you if Windows update is set to check and notify? - I would think so.

People should stop giving opinions and focus on technical facts.
You would think so based on what? The tcp/ip stack topology and how it works?
The knowledge how ISP networks are configured?
No, based on hunches and fear, nothing more.

Mrk

 

I dislike saying this, specially coming from you, but you're doing nothing but spreading FUD. Sorry to say that, but it does sound like it. And no, patient zero is not irrevelant; it's actually very relevant. In this very specific case, Flame had to infect a first system - patient zero -, and then one of its components would divert some of the Windows Update updates, so that it wouldn't raise any suspicion, and it would spread the infection using that method to other computers in the network.

So, how the heck can you say patient zero doesn't matter? It does matter. Why does it matter? Because if this first infection is stopped, then how the bloody hell will it spread to other computers in the same network? A non-infection cannot spread.

And no, the interesting thing is not that it can spread over networks. Flame is not the first, and certaintly won't be the last, to spread over networks. The only interesting thing about Flame is the money spent in it.

What the heck are you talking about? ONLY stupid people behind organizations, companies, etc DO NOT CARE enough to implement serious security implementations. In this case, I totally agree with you.

Other than that, saying that the first infection cannot be stopped is, again, FUD. Can you provide facts for such a statement? Are you saying/affirming that Flame's first infection - patient zero - cannot be stopped? It sounds like it. lol

Now, that's kind of hilarious, isn't it? I mean, considering that in post #131 you replied this to one of my posts (which is something I had mentioned):

So, again... if even exploits can be stopped, how's the infection going to happen? Spontaneous combustion?

 

Emsisoft article about Flame:
http://www.emsisoft.com/en/kb/articles/ticker120614/

 

Article

 

Against this sort of attack, about the only thing that would help is filling the USB plugs with epoxy.

The double standard behind this makes me want to vomit.

 

You've got to admit though, it's an improvement on using bombs. (Which in this case would have a dozen ways of becoming a worldwide disaster.)

 

I can't agree with that statement. This particular malware was supposed to target one type of facility, yet they lost control of it. A different version targeting something else could hit infrastructure without differentiating between military or civilian targets. This could get far worse than physical bombs.

 

You're thinking of something that could hit the power/utilities infrastructure? Good point. I generally assume such infrastructure runs on obscure realtime OSes and is disconnected from the internet at large, but I'm not sure to what extent reality reflects my assumption.

OTOH, I'm glad to see at least a minscule effort on my government's part to avoid killing innocents and possibly starting a third World War. Even if it's rather ill thought out, and in all likelihood only a matter of saving face.

 

That's exactly what I'm thinking of. The original target was supposedly inaccessible as well, but the malware reached the net. From what I've read, most of our infrastructure is hopelessly dependent on the web. What could happen if some of their miscoded malware (or a retalitory strike) hit natural gas pumps or power generators? What would large increases in gas pressure do on equipment not designed to handle it?

My real fear is what happens when someone decides to send something like that back our way. IMO, this isn't avoiding a 3rd world war. It's an underhanded attempt to start one.

 

No need to think Die Hard 4. Such things don't happen
Mrk