The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Another article on Flame here:
    http://www.jpost.com/MiddleEast/Article.aspx?id=271709
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Depending on who's behind it, this may become a trend. While it's definitely easier to just exploit 3-month-old Java vulnerabilities and get some money clickjacking, an advanced campaign like this can apparently go on for years unnoticed.

    The Flashback trojan was massive, but it burnt out fast. Something like this (and there have been others like this in the past) would take longer to develop but could potentially provide long-term cash flow.
     
  4. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    http://www.securelist.com/en/blog?weblogid=208193522#

    ~ Copyrighted Image Removed ~
     
    Last edited by a moderator: May 29, 2012
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  6. Wow. Nice find, Hungry Man. That is mostly over my head, but still an extremely interesting read.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Use of Windows in "important" facilities = hmmmmm.
    USB drives allowed in "important" facilities = fail.
    Mrk
     
  8. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    There goes the hype of Windows 7 being a secure OS. I really wonder if Windows 7 has a back door. If this was created 5 years ago, I wonder what's floating around now.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    No backdoor, just user negligence.
    Nothing special there.
    Mrk
     
  10. amvlad

    amvlad Registered Member

    Joined:
    Aug 3, 2011
    Posts:
    14
    Location:
    Romania
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Right. Exploits in Microsoft code = the user's fault. You know it's very likely there's a 0-day involved here?
     
  12. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
    Active and unknown since 2010 :ninja:
    Hopefully this malware isn't targeting home users in large scale...
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm bored.

    Windows 7 being a secure operating system differs from being an impenetrable operating system.

    Flame being active since 2010 has nothing to do with Windows being insecure or not. I ask: Those who are victimized, did they have proper security measures in place, even if some 0-day existed? Just because a 0-day may have existed, the same is not to say nothing could be done about it. Did they have anti-execution measures, etc? We know nothing about the security implementation in those facilities, except that they allowed external USB devices.

    You know, you can't always blame the system.

    Then again, I doubt Linux kernel servers are running on Windows..., still they got hacked... by script kiddies.

    At least these hyped Windows events are targeted attacks and done by very clever people. :D
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Why not?

    lol well... hacking a server is not like hacking a user. Especially since it's usually the service running on top of the server that allows for entry.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    The only zero day is someone plugging in their stupid USB in an important machine, which was configured to run every piece of crap, plus probably unpatched, plus most likely Windows. Sensational, wooooow!

    You can enjoy the fictional drama if you want.

    Mrk
     
  16. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    Yes, there is no 0-day malware out there. AHEM *cough*. Doesn't surprise me; there is probably a lot more out there than this.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Uh, no. That's the long-patched exploit Stuxnet used. Fully patched Windows 7 machines have been infected.

    If you don't understand why this piece of malware is different you either aren't looking or... I really don't know.
     
  18. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    Now it's out we can look forward to every script kiddie/bot owner using it or a variant.
     
  19. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  20. tomazyk

    tomazyk Guest

    And from F-secure: http://www.f-secure.com/weblog/archives/00002371.html

    There is even something we can understand as mea culpa:
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Because someone in the security industry says so doesn't make it true.
    It says "might have been infected" which is equal to "wild speculation."
    I am looking and it's no different than any other piece of code. OK, code, so?
    Apparently, the security scene is boring now, so someone needs a bit of news.
    Remember conficker, how it was so awesome and superb and ... boring.

    And all of that is irrelevant. The whole point is - someone is using Windows, badly secured at that, for their critical installations. Right. That's the whole point.

    Mrk
     
    Last edited: May 29, 2012
  22. Hungry Man: you do realize there have been Linux zero-days? This local one, for instance, allowed all security mechanisms, including SELinux, to be bypassed in one go. If anyone had been interested, they could have written a Linux trojan.

    If OSes were cheeses, Windows would be casu marzu... But Linux would still be Swiss.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm well aware of Linux having exploits lol I'm just explaining that hacking a server is different. edit: If I recall correctly the SELinux bypass was because of a really stupid configuration - part of the reason I don't like SELinux, the policy is too complicated. But removing a single line was enough to stop that. There have been a few local SELinux bypasses so I may be confusing them.

    IDK how to even respond to this. Duh? We're taking it at face value as with virtually every other piece of information we obtain online.

    Or, it's equal to "might have been infected."

    I'm sure the media will hype it and try to profit. That doesn't somehow mean that this malware isn't sophisticated or different from what we typically see.
    Except, according to the source, you can have a fully patched OS and still be infected. What being patched does is prevent some of the propagation methods. This malware is pretty large.
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    What has a fully patched OS got to do with it?
    You take a binary and execute!
    Boom, end of story.

    You plug in your USB. You let Autorun run ... done. Simple.

    Mrk
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Disabling Autorun is perhaps a key "patch" ;)
     
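    The thread ends on two practical controls: Mrkvonic's "USB drives allowed in important facilities = fail" and mirimir's "disabling Autorun is perhaps a key patch". Patching covers the exploit path Hungry Man describes; AutoRun and removable-media policy cover the plug-it-in-and-run path. The script below is an added example written for this page, not code from the original thread or from any of the posters, and it audits (or, with -Harden, enforces) those controls on a Windows 7-era client using the documented Explorer and Removable Storage Access policy keys. The desired values are assumptions about what a hardened site wants: 0xFF for NoDriveTypeAutoRun (AutoRun off for every drive type), Deny_Execute on the removable-disk device class, and USBSTOR set to disabled. The last two also stop legitimate USB disks, so they are the checks to drop if the site needs them. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not from the original thread): audit and optionally enforce
  removable-media controls. Assumed environment: Windows 7-era client where
  the Explorer and Removable Storage Access policies apply. Run elevated.
  Usage:  .\Check-RemovableMedia.ps1           # audit only
          .\Check-RemovableMedia.ps1 -Harden   # apply the wanted values
#>
param([switch]$Harden)

# Each check: registry path, value name, wanted value, why it matters.
# The wanted values are assumptions for a locked-down site, not universal defaults.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 0xFF
       Why  = 'AutoRun disabled for every drive type (all bits set)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'HonorAutorunSetting'; Want = 1
       Why  = 'Explorer honours NoDriveTypeAutoRun (post-KB967715 behaviour)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
       Name = 'Deny_Execute'; Want = 1
       Why  = 'No code execution from removable disks (Removable Storage Access policy)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Want = 4
       Why  = 'USB mass-storage driver disabled (4 = SERVICE_DISABLED); blocks all USB disks' }
)

# Read one registry value, returning $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Compare every check against its wanted value and return one row per control.
function Test-RemovableMediaPolicy {
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting   = $c.Name
            Actual    = if ($null -eq $actual) { '<absent>' } else { '0x{0:X}' -f $actual }
            Wanted    = '0x{0:X}' -f $c.Want
            Compliant = ($actual -eq $c.Want)
            Why       = $c.Why
        }
    }
}

# Create missing keys and write the wanted DWORD values.
function Set-RemovableMediaPolicy {
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
    }
}

$before = Test-RemovableMediaPolicy
$before | Format-Table Setting, Actual, Wanted, Compliant, Why -AutoSize

if ($Harden) {
    Set-RemovableMediaPolicy
    Write-Host 'Settings applied. Re-auditing:'
    Test-RemovableMediaPolicy | Format-Table Setting, Actual, Wanted, Compliant -AutoSize
} elseif ($before | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more removable-media controls are not enforced; re-run with -Harden to apply them.'
}
```

    Two caveats a practitioner would want: these keys are the local result of Group Policy, so on a domain-joined machine set them through GPO rather than by hand or they will be overwritten at the next refresh; and none of this helps a host that is already running the malware, it only closes the road in. Disabling USBSTOR outright is the blunt instrument Mrkvonic's post argues for; Deny_Execute is the middle ground when the site still has to read data off removable disks.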