The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    And some organization, somewhere, is willing to pay ~$300,000 to take advantage of their stupidity and take control of their entire network. Is this not worthy of interest?

    Secondly, certificates are a cornerstone of many security approaches, and with good reason - they are, usually, for all intents and purposes unbreakable. Unless, apparently, you rely on an old algorithm like MD5. This story is important for spreading awareness to ensure that everyone migrates forward.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    SHA1 is theoretically breakable too.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,960
    "I'm with Stupid" album > http://en.wikipedia.org/wiki/I'm_with_Stupid_(album)...all the time! :D
     
  4. guest

    guest Guest

    It updates itself automatically. Old versions can't check.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Isn't that a different matter? Someone, willing to pay whatever amount of money, to take advantage of MD5 weakness, doesn't change the fact that patient zero can be stopped either.

    As I previously mentioned the only great thing that this shows, is that certain people don't mind spending lots of money to attack certain parties.

    Other than that... nothing dangerous. It would be an entirely different thing if it couldn't be stopped.

    I'd be far more concerned with a kernel exploit, that nothing could stop it. ;)
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Anything can be stopped including a kernel exploit, it's irrelevant. Patient zero is irrelevant too. They could use their own targeted zero days/ kernel exploits for that, does that change whether or not Flame/ the MD5 collision is impressive? Not even slightly.

    All that's required for the MD5 attack to work is that there's a shared network. You don't even need that first victim, honestly, because if you're on the network you can already do it
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There are two things from this quote to point out, and both those things I pointed them out already. One being that any exploit doesn't necessarily have to result in an infection, which is something you agree with. The other one being that you still believe that patient zero doesn't matter, when it matters 100%.

    Try to understand this: Without patient zero, there is no infection. Period. No patient zero infection = no spreading to any network.

    Of course, all of this has as a basis, that the very same people who are suppose to take care of things, actually do them, and properly secure their infrastructures.

    But, the same applies to any other piece of malware.

    The only amazing thing about Flame is the amount of money they spent to do it. Other than that, it can be stopped upfront.

    And, who would be that you? As I previously mentioned in one of my posts, with proper security measures in place, and that includes human security measures, how will malware spread? Spontaneous combustion?
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, without patient zero there is no spread of infection. But, again, that's irrelevant because if all you need is to hack a single computer... that's nothing. You can use social engineering or a 0 day or a known exploit, who cares? It's unimportant, they're the boring one that doesn't matter beacuse they're by far the easiest. The interesting thing is that it's spreading across networks.

    You can not stop the first person from being infected. IT is not your machine. And as soon as that person is infected you're no longer in control because any other user on their network will also become infected, even if fully patched.

    Exploits? Seems kinda obvious.
     
  9. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I'm sorry but i will repeat my question one more time since it seems to have been lost in the ongoing convo.

    Can it infect you if Windows update is set to check and notify? Will it pose as a regular update in this under a made up KB or will it assume the place of another legit update? Is the suggestion of checking each update enough to guard against something slipping thru?

    I guess since Microsoft is being impersonated, all the bets are off...
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would think so.

    It probably doesn't pose as an update at all. But I haven't heard anything about htis.

    Again, I haven't heard any information. If it's just using the service then that means checking won't help. If it's a fake update it will help.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,995
    Why spread panic, why.

    Can it infect? Who exactly?

    You're connected to your ISP and you route to MS servers.
    It's not an enterprise environment where you can setup nice MITM thingie.
    Any decent ISP prohibits routing to vlans/subnets beyond next hop and do not allow promiscuous mode in their networks, so there's nothing to listen and intercept.

    Mrk
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    lol what the hell are you talking about
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,960
    All I know is that to be flamed cannot happen to me, in standalone (workgroup), non-domain, and never to be connected to a (enterprise) network. :D
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
  15. guest

    guest Guest

    No it can't. Microsoft fixed the small possibility (which wasn't abused, btw).
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,995
    I'm answering your claim:

    Can it infect you if Windows update is set to check and notify? - I would think so.

    People should stop giving opinions and focus on technical facts.
    You would think so based on what? The tcp/ip stack topology and how it works?
    The knowledge how ISP networks are configured?
    No, based on hunches and fear, nothing more.

    Mrk
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I dislike saying this, specially coming from you, but you're doing nothing but spreading FUD. Sorry to say that, but it does sound like it. And no, patient zero is not irrevelant; it's actually very relevant. In this very specific case, Flame had to infect a first system - patient zero -, and then one of its components would divert some of the Windows Update updates, so that it wouldn't raise any suspicion, and it would spread the infection using that method to other computers in the network.

    So, how the heck can you say patient zero doesn't matter? It does matter. Why does it matter? Because if this first infection is stopped, then how the bloody hell will it spread to other computers in the same network? A non-infection cannot spread.

    And no, the interesting thing is not that it can spread over networks. Flame is not the first, and certaintly won't be the last, to spread over networks. The only interesting thing about Flame is the money spent in it.

    What the heck are you talking about? ONLY stupid people behind organizations, companies, etc DO NOT CARE enough to implement serious security implementations. In this case, I totally agree with you.

    Other than that, saying that the first infection cannot be stopped is, again, FUD. Can you provide facts for such a statement? Are you saying/affirming that Flame's first infection - patient zero - cannot be stopped? It sounds like it. lol

    Now, that's kind of hilarious, isn't it? I mean, considering that in post #131 you replied this to one of my posts (which is something I had mentioned):

    So, again... if even exploits can be stopped, how's the infection going to happen? Spontaneous combustion?
     
  18. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
  19. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Article
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Against this sort of attack, about the only thing that would help is filling the USB plugs with epoxy.

    The double standard behind this makes me want to vomit.
     
  21. You've got to admit though, it's an improvement on using bombs. (Which in this case would have a dozen ways of becoming a worldwide disaster.)
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't agree with that statement. This particular malware was supposed to target one type of facility, yet they lost control of it. A different version targeting something else could hit infrastructure without differentiating between military or civilian targets. This could get far worse than physical bombs.
     
  23. You're thinking of something that could hit the power/utilities infrastructure? Good point. I generally assume such infrastructure runs on obscure realtime OSes and is disconnected from the internet at large, but I'm not sure to what extent reality reflects my assumption.

    OTOH, I'm glad to see at least a minscule effort on my government's part to avoid killing innocents and possibly starting a third World War. Even if it's rather ill thought out, and in all likelihood only a matter of saving face.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's exactly what I'm thinking of. The original target was supposedly inaccessible as well, but the malware reached the net. From what I've read, most of our infrastructure is hopelessly dependent on the web. What could happen if some of their miscoded malware (or a retalitory strike) hit natural gas pumps or power generators? What would large increases in gas pressure do on equipment not designed to handle it?

    My real fear is what happens when someone decides to send something like that back our way. IMO, this isn't avoiding a 3rd world war. It's an underhanded attempt to start one.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,995
    No need to think Die Hard 4. Such things don't happen :)
    Mrk
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.