The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
  3. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
  4. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Re: Flame Hijacks Microsoft Update.....

    I agree, but i believe that is quite easy to be tricked to install since it appears to be a legit Microsoft update :doubt:
    Personally i wouldn't say that a malware is trivial because it can be blocked with an AE or whatever, social-engineering should also be taken into account, IMHO. If this malware can hijack Microsoft Update to spread, and use a fake Microsoft certificate, i wouldn't say that is just another boring virus... but i'm no expert whatsoever.

    http://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/
     
    Last edited: Jun 5, 2012
  5. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    prevx discovered it, not webroot. webroot now own prevx so that is why 'webroot' is being used in discussions. prevx was a British company so they have no allegiance to the USA
     
  6. learningcurve

    learningcurve Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    47
    Location:
    usa
    As an average user who takes reasonable precautions to safeguard my pc (KIS, Sandboxie, DNSCrypt, router, HtmPro, no risky surfing/gaming, good paswords) and still has puzzling issues, I find this quote from Wired very telling:

    ://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/

    "...the immediate risk from Flame is not great. But other attackers could have been exploiting the vulnerability as well. And the fact that this vulnerability existed in the first place is what has security experts all aflame."

    If one does not have to be a mechanic to drive a car, should one have to become a security expert just to use the internet? -- or to even use Windows update, which MS urges users to leave on automatic?
     
  7. learningcurve

    learningcurve Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    47
    Location:
    usa
    Rmus, if you mean by "checking manually" that the user checks for updates and chooses which ones to install, I am one of those users. However, is it reasonable to require more and more of the user in the face of a *fail* by the vendor? The quote from Wired in my post implies that security experts suspect that this exploit was expected and /or has been used in other ways.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    His checking of updates would have gotten him infected had he been targeted by Flame due to Microsoft's error. I think that's the type of fail he's talking about.
     
  9. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    475
    Location:
    Dallas, TX
    I must voice a little bit of disagreement with the direction that this discussion is taking. One shouldn't have to be a mechanic to drive a car, and the vast majority of users should leave automatic updates enabled. The automatic update process prevents thousands of known attacks every single day, on systems that largely would have gone unpatched otherwise. Yes, here, on a forum dedicated to security you may find a few like-minded individuals knowledgeable enough and with the inclination and dedication to maintain patched systems manually. (Although, even here, I suspect that much like those that have good intentions of going to the gym 3-4 times a week, far fewer actually successfully translate such well-placed intentions into consistent action.)

    No, we all must keep this in perspective. Microsoft's certificate authority, code-signing, and automatic update process has in general been an unmitigated success. Yes, "Flame" or "Flamer" has highlighted the existence of a vulnerability in the automated system and has attacked the integrity of the patching system itself. This attack on the patch and code-signing infrastructure is just one more, of the several unique and interesting qualities of Flame. However, Microsoft largely can and has addressed the issue, and people must retain a degree of faith in the legitimacy of automated OS updates. One esoteric and relatively rare vulnerability here should not undermine the fact that far, far more vulnerabilities are prevented by leaving automated updates enabled.

    We must not lose sight of the fact that Flame is a piece of malware developed by individuals with a fairly sizeable amount of resources, with a dedicated and largely limited number of devices targeted, and with dedicated target intent. Given such parameters it is very difficult to guarantee 100% information security on target systems running off-the-shelf operating systems and largely random third-party applications. On the other hand, off-the-shelf operating systems, patched regularly (generally meaning automated), along with off-the-shelf anti-malware security has actually gotten pretty good at screening out the 99.8% of "junk" malware that is daily trolling through the wires.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No, just a million other things could happen. But I'm sure we're all immune to social engineering anyways.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I wasn't talking about anything specific to Flame.
     
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,411
    Location:
    Surrey, England.
  13. guest

    guest Guest

    And that already-infected system, how it got infected? Drive-by download?
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Probably through a targeted attack or through any of the other methods. So even if your machine is fully patched maybe someone else at starbucks is running a super old XP or some such thing and there you go, everyone with a laptop just got infected.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    http://www.pcworld.com/businesscent...ters_to_remove_all_traces_of_the_malware.html

    "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis, security researchers from Symantec said on Wednesday.Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control, Symantec's security response team said in a blog post."


    Translation: This is going to become much more common, and nosy researchers aren't invited to the party.
     
  16. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Possibly the same way Stux got its little fingers in the cookie jar, via manual install. You have to remember, working for two teams isn't just an old Cold War tactic.
     
  17. guest

    guest Guest

    I didn't see details of how the network had to be configured in order for the Flame to infect other machines. Maybe Windows machines connected to the network but using the Public network profile were immune?

    I'm talking about this: http://qwertytutorials.com/software_tutorials/windows_7/site_graphics/win7_install_26b.png
     
  18. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    CWI cryptanalist discovers new cryptographic attack variant in Flame spy malware

    'Cryptanalist Marc Stevens from the Centrum Wiskunde & Informatica (CWI) (Centre for mathematics and computer science) in Amsterdam, known for 'breaking' the MD5 hash function for https security in 2008, analyzed the recent Flame virus this week. He discovered that for this spy malware an as yet unknown cryptographic attack variant of his own MD5 attack is used. Stevens analyzed this with new forensic software that he developed. Initially, the researcher assumed that Flame used his own attack, which was made public in June 2009, but this was not the case. “Flame uses a completely new variant of a ‘chosen prefix collision attack’ to impersonate a legitimate security update from Microsoft. The design of this new variant required world-class cryptanalysis,” says Marc Stevens. “It is very important to invest in cryptographic research, to continue to be ahead of these developments in practice.” link
     
    Last edited: Jun 8, 2012
  19. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    duh

    I said this day 1. Anyone dismissing this obviously hadn't looked hard enough. People were so obsessed about making sure they didn't look like they were hyping it they forgot to actually take a reality check and see that it was legitimately worth a bit of hype.
     
  21. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Two things:

    When 'Magic Lantern' was revealed in the Nicodemo Scarfo case, one US anti-malware company representative indicated that it *wouldn't* add signatures to detect it. His name was Chen, IIRC and I think he was with Norton/Symantec. They're getting harder to find, but Google and you can still find that info ^ I believe it is your duty as an American company, to report and block this (and all things like it)...this can be turned on you in a heartbeat and we aren't supposed to be cheerleaders for whoever spends the most money in the last election.

    Concerning updates, Does MS offer individual downloads of each update? I'm disciplined enough to check each week. I know they must, but finding the download links has always been a PITA.

    PD
     
  22. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,411
    Location:
    Surrey, England.
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,600
    Location:
    DC Metro Area
    "Flame and Stuxnet makers 'co-operated' on code

    By Dave Lee Technology reporter, BBC News

    Teams responsible for the Flame and Stuxnet cyber-attacks worked together in the early stages of each threat's development, researchers have said.

    Flame, revealed last month, attacked targets in Iran, as did Stuxnet which was discovered in 2010.

    Kaspersky Lab said they co-operated "at least once" to share source code.

    "What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected," Kaspersky said.

    Alexander Gostev, chief security expert at the Russian-based security company added: "The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once."

    Vitaly Kamluk, the firm's chief malware expert, said: "There is a link proven - it's not just copycats.

    "We think that these teams are different, two different teams working with each other, helping each other at different stages."

    The findings relate to the discovery of "Resource 207", a module found in early versions of the Stuxnet malware.

    It bears a "striking resemblance" to code used in Flame, Kaspersky said.

    "The list includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming," Mr Gostev said."




    http://www.bbc.co.uk/news/technology-18393985
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    The issue highlighted by Prevx researchers is the lack of sophistication concerning the code designed to hide its presence in the system ((and self defense) as compared to Zeus, Spyeye, TDL4 and other related financial malware. As well as how easy is the process of detection and removal. The infection mechanism was not really discussed.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    How do you interpret this?

    People are so quick to jump and dismiss whatever they can it's just as bad as the other side hyping it up as much as possible.

    There are multiple examples of this on Wilders alone with Flame the same day news started hitting.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.