The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Selective quoting is an easy approach to support your statment... you need at least to read a paragraph when quoting :D
    See post #27 above and #44
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,014
    Hungry, what is so special about this code?

    Written in C/Assembly/whatever?
    Compiled?
    Runs and does things?

    So what's unique?
    Apart from the media sensation?

    Perhaps the code logic is brilliant, but it has nothing to do with malware, more with pure code design and implementation by whoever designed it; most likely some good math and whatnot.

    Mrk
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    A quote from a different user?

    Obviously a premature statement considering the unprecedented collision attack. Doesn't even make sense considering they knew how highly modular it is, which even alone makes it new. The fact that it was using Stuxnet exploits and had been around for years should have been a tipoff that there was more to it as well.

    And I'm not picking on Prevx, this topic and many others (on all sites) are full of the same thing.

    @Mrkvonich, see above.

    Things that make Flame something not to be dismissed immediately.

    1) The first collision attack used against Windows users in wild. It used a technique that had been adapted from one we know of but still new.
    2) Highly modularized, which leads to a massive size
    3) It's been around for years without specific detection
    4) Combination of it being around for years and it using exploits that were in stuxnet

    Anyone dismissing it early on was way premature and it should have been obvious even at that point that it wasn't some typical piece of malware.
     
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Judging by the size of the code, I'd say defense contractors :D Cheap jap aside, I do agree with you Mrkvonic in that the only unique thing is really the code design. The rest is media sensationalism.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Just a a misunderstading or over interpreting the Prevx statements making a comparison with Zues, TLD4, etc not with the infection vehicle in mind...
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Really? Ignoring the fact that there was a collision attack used? That this is now confirmed to be linked with Stuxnet - the hints of this being around from day 1?

    Anyone calling this malware typical is kidding themselves and articles from some companies played right into that.

    How do you interpret the statement other than "There is nothing sophisticated about this malware at all" ? Because I'm reading it as them saying it's not sophisticated even though it should have been obvious from day 1 that it's doing something different.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    No, simply it was not the subject of the remark by the Prevx researcher. See post 44 for example... I give up... lol
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The example is that it's easily removed therefor not advanced?

    I give up as well. I think it's simple to understand - some people think that if they dismiss things they look smarter or they even think they are smarter for it. It's hilarious and I see it everywhere.
     
  9. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I'm not a coder and haven't (still) dug into this. But as an average Joe, would the usual security suspects that 'we' use (OA, CIS, Defense Wall, Avast!, Sandboxie, etc...) have prevented infection with this? If not, it is a big deal. The Windows Update hack seems like a big deal as well...has that ever been leveraged before? Being state sponsored is the biggest deal of them all...there are actually a lot more things to worry about than a criminal getting your bank log on, IMO. I mean F-Secure saying the industry failed is pretty big IMO, they sell AV after all. The companies saying "oh, we had this signature on file since 2007" is all well and good, but what does that mean...would it have been blocked, or not?

    PD

    Edit: I also find something else curious (and this depends on if current consumer anti-malware, pre-discovery, would have stopped this or not) - I wouldn't expect the current crop of anti-malware company's *to* say this is a big deal if it sailed right through the defenses...that would be fiscal suicide. Ie.

    Big AV Company: "This is a huge discovery!"

    Reporter: "Would your product have stopped infection?"

    Big AV Company: "No, it would have sailed right through".
     
    Last edited: Jun 11, 2012
  10. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Article
     
  11. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    476
    Location:
    Dallas, TX
    I have to agree with Hungry Man 100% in this argument.

    I find it ironic that those most interested in information security were often those most quick to dismiss Flame. While it is understandable that the news and mass media outlets may have been quick to overhype the threat because they profit from sensationalism, that does not mean that any security professional or enthusiast should jump to the other side and become immediately dismissive of the threat without a full analysis having been completed.
     
  12. tomazyk

    tomazyk Guest

    Couldn't say it better.

    A full analysis of this huge pile of code will take some time. Let's just wait and see what they'll find.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    https://speakerdeck.com/u/asotirov/p/analyzing-the-md5-collision-in-flame
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    An interesting aspect, which I think we're sure to never appreciate, is the degree to which the primary actors (key agencies responsible) and/or any secondary actors (say agencies in other countries) influenced the news and the extent to which entities in the security community were involved (knowingly or unknowingly).
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,014
    Like I said, MD5 = good math :)
    Mrk
     
  16. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Is there any standalone tool(s) to check for this malware?
     
  17. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Yes, Bit Defender has one...the link is earlier in the thread IIRC.

    PD
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  19. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks. I didn´t found it in this thread but i found it here:

    hxxp://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/
     
  20. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Article
     
  21. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    the thing that make me a bit anxes that if that a 5year old malware
    maybe just maybe we are running something like it now

    anyway just want to Know how popular was the infection i saw some Limited computer in Middle east but as you say that it's very sophisticated i thought
    there should be more computers infected with

    Something like the Flashback trojan Number o_O
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yep, it's very sophisticated and there was obviously a massive budget behind it. Probably the US government as well.

    This was a more targeted attack so it makes sense that it stayed in one location. It wasn't something hosted on a webpage it was spread through local networks after an initial targeted infection.

    But, yes, it's entirely possible and even likely that there are more malware (wtf is the plural of malware) out there like Flame with large budgets behind them, which is why it's important to go beyond simply patching.

    There are people willing to spend a lot of money on these things.
     
  23. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    i think someday in the Future i will Buy a Computer forensic company just for the Peace of MIND xD

    Dude this world is twisted beyond our imagination
     
  24. tomazyk

    tomazyk Guest

  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,967
    I remember when I was interested, once...ho-hum! ;)

    ScreenShot_Stuxnet_info_01.jpg
     
    Last edited: Jun 13, 2012
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.