Flame Malware Makers Send 'Suicide' Code (bbc.com)
202 points by ytNumbers on June 8, 2012 | hide | past | favorite | 79 comments



As someone who doesn't keep up with the crypto/security communities, one thing that has surprised me is how the cutting-edge news on this Flame story has been coming from antivirus vendors like Kaspersky Lab and Symantec. General sentiment seems to be that AV vendors are low-tech operations that don't have the best people when it comes to security. Other comments even on this very thread reflect this sentiment "timaelliott: Symantec is just jealous these guys can remove viruses from a machine so damn efficiently." Do these guys deserve more respect than we give them?


I'm not sure where the cutting edge work is being done in this case, but generally speaking we 'hear' from Kaspersky/Symantec in these sorts of press stories primarily because they have notable press/marketing operations with tight relationships to mainstream news organizations.

Even if they were doing little more than independently confirming the cutting edge work of other firms, their voice is massively 'louder' and today's mass media landscape is tilted away from the independent investigation that we could rely upon to properly attribute the work being done in such technical situations.


[deleted]


Ralph Langner did most of the research then Symantec refused to credit him. Also on many points the wikipedia article disagrees with your statements. Care to disclose if you have a vested interest? http://en.wikipedia.org/wiki/Stuxnet


Firstly, there is nothing at all special or interesting about how flame removes itself. It deletes a list of files that the author knows they created.

Secondly, you have to remember that these companies employ many free-thinking humans with varied jobs and abilities. Among those are some skilled analysts who simply take apart viruses for a paycheck. A lot of AV companies have at least a few people who are best of breed at this stuff. They post writeups and share the work of what is interesting. Marketing is generally not involved in the technical blog posts that you see.


> Firstly, there is nothing at all special or interesting about how flame removes itself.

Actually I'd disagree. The interesting thing for me is that it overwrites memory locations to thwart memory forensics. This isn't a common thing at all, but is something that I covered in a talk at a DC4420 meeting a year or two ago.


Well it overwrites them with random bytes and then deletes them. But yeah, nothing too special.
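The overwrite-then-delete behaviour the two comments above describe (random bytes written over the file, then the file removed) is simple to show in code. The following is an added example written for this page, not Flame's own code or anything from the researchers quoted in the thread; file names and the "passes" parameter are invented for illustration. It also carries the caveat a forensic examiner would raise: an in-place overwrite only helps on storage that actually writes in place.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// OverwriteAndRemove overwrites the file at path with fresh random bytes
// for the given number of passes, forces each pass to stable storage,
// and then unlinks the file. It returns the total number of bytes written.
//
// A bare os.Remove only drops the directory entry; the data blocks stay on
// disk until something reuses them, which is what file carving recovers.
// Overwriting the blocks in place first is what defeats that on a
// filesystem that really does write in place.
//
// Caveat (an assumption about the target, not something this code checks):
// on SSDs with wear levelling, on copy-on-write or journaling filesystems,
// and wherever snapshots or backups exist, the old blocks can survive an
// in-place overwrite. Extra passes do not change that.
func OverwriteAndRemove(path string, passes int) (int64, error) {
	if passes < 1 {
		return 0, fmt.Errorf("passes must be >= 1, got %d", passes)
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	info, err := f.Stat()
	if err != nil {
		f.Close()
		return 0, err
	}
	size := info.Size()
	buf := make([]byte, 64*1024)
	var total int64
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, 0); err != nil {
			f.Close()
			return total, err
		}
		for remaining := size; remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				f.Close()
				return total, err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				f.Close()
				return total, err
			}
			remaining -= n
			total += n
		}
		// Push the overwritten blocks out of the page cache so the copy on
		// disk, not just the cached one, is replaced before the unlink.
		if err := f.Sync(); err != nil {
			f.Close()
			return total, err
		}
	}
	if err := f.Close(); err != nil {
		return total, err
	}
	if err := os.Remove(path); err != nil {
		return total, err
	}
	// Best effort: fsync the parent directory so the unlink itself is durable.
	if d, err := os.Open(filepath.Dir(path)); err == nil {
		_ = d.Sync()
		d.Close()
	}
	return total, nil
}

func main() {
	// Constructed demo input: a throwaway file in the temp directory.
	path := filepath.Join(os.TempDir(), "flame-demo-config.bin")
	if err := os.WriteFile(path, []byte("constructed sample: targeting list"), 0o600); err != nil {
		panic(err)
	}
	n, err := OverwriteAndRemove(path, 1)
	fmt.Println("bytes overwritten:", n, "err:", err)
}
```

The fsync after each pass is the part casual "shredders" skip: without it the random bytes may only ever exist in the page cache while the original blocks are still what a disk image contains.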


IMHO, the antivirus makers deserve even less credit than we give them. They have been demonstrating their competence, so why is their software a bloated mess that slows computers to a crawl and still lets through unsophisticated crapware like the fake antivirus stuff?


Marketing. The answer to that question is almost always an ill corporation that allows marketing to run free.


Thank you for saying this.

My biggest problem with all this media is that with knowledge of how it works, and having control of the C&C software, none of those idiots are just saying "For a day let's spoof all of their update centers and spam suicide signal to anyone who comms during that day." Which would kill a majority if not ALL of the virus out there.

Another option is to not sit around proudly on their C&C centers, but that's an obvious start on reversing them as well as a relay point for data. Finding WHAT data EXACTLY they're hunting is the first step in finding who is doing it.


> My biggest problem with all this media is that with knowledge of how it works, and having control of the C&C software, none of those idiots are just saying "For a day let's spoof all of their update centers and spam suicide signal to anyone who comms during that day." Which would kill a majority if not ALL of the virus out there.

It should be pointed out that they're not actually allowed to do that. As silly as it sounds, controlling another person's computer without their permission is illegal, no matter the reason. The best they can do is take over the /entire/ C&C chain, a monumental task, and then not send any commands to the infected machines, thereby rendering the virus inert.

This has actually happened a few times and it's frustrating to everybody involved, you should read the post linked from here: http://news.ycombinator.com/item?id=3764345


I'll read it but know this, and I'm willing to sign a document to the effect publicly, regardless of its damage to my reputation.

If a virus was spreading and I could counter it (especially without writing my own virus just for that) then my first action would be to do so and document it well.

A doctor would be clapped for, if he/she diagnosed an illness and treated someone. There would be some mumblings of doubt but who would take action against good will and humanitarianism?

If a mechanic saw someone's brake lines cut, isn't it their duty just the same to use their information to help people?

We can't learn everything in life, we specialize. Society is no good if we don't use our differing knowledge in tandem with one another. As a specialist if you're not willing to help people with your knowledge then likely you're just a specialist for the purpose of profit, not passion. With that said, perhaps you should reconsider a few things.


I remember encountering this same issue back during the Code Red/Nimda worm days. When my webserver would get hit with the query string that demonstrated an infected machine trying to find another victim, I would fire off a callback to that machine exploiting the same vector that would reboot it in the hopes that someone would notice their machine was infected.

I knew I was technically in violation of the law (contra certain amusing "self-defense" rationalizations) however.


I don't know much about Flame, but I would assume that messages are sent using public-key cryptography in such a way that they can't be spoofed. Maybe a replay attack would be possible though.


You don't spoof the messages, you spoof the destinations.

In a closed system if you can get ahold of the destination as they have, you can redirect everything else to that center temporarily and just let it keep spamming suicide modules. If it's still confusing I can try to explain it better.
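The two comments above are really about where the trust in a C&C protocol sits. If commands are signed, redirecting implants to a server you control ("spoofing the destinations") gets you their traffic but not the ability to issue orders, and the remaining worry is replay of a command that was captured earlier. The following is an added example for this page, not Flame's protocol (which the thread does not describe) and not the researchers' code; the opcode names, the sequence-number scheme and the Receiver type are invented to illustrate the point. It signs commands with Ed25519 from Go's standard library and rejects both forgeries and replays.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a hypothetical operator-to-implant message: an opcode plus a
// strictly increasing sequence number, both covered by the signature.
type Command struct {
	Seq    uint64
	Opcode string
	Sig    []byte
}

var (
	ErrBadSignature = errors.New("bad signature")
	ErrReplay       = errors.New("replayed or stale command")
)

// signedBytes is the exact byte string the signature covers. The sequence
// number goes first, fixed width, so two different (seq, opcode) pairs can
// never encode to the same bytes.
func signedBytes(seq uint64, opcode string) []byte {
	b := make([]byte, 8, 8+len(opcode))
	binary.BigEndian.PutUint64(b, seq)
	return append(b, opcode...)
}

// Sign is the operator side. Only the holder of the private key can produce
// a valid Command, so redirecting an implant to a server you control gives
// you a place to record its traffic, not the ability to issue orders.
func Sign(priv ed25519.PrivateKey, seq uint64, opcode string) Command {
	return Command{Seq: seq, Opcode: opcode, Sig: ed25519.Sign(priv, signedBytes(seq, opcode))}
}

// Receiver is the implant side: a pinned operator public key and the
// highest sequence number it has accepted so far.
type Receiver struct {
	Pub     ed25519.PublicKey
	lastSeq uint64
}

// Accept verifies the signature, then freshness. lastSeq is only advanced
// after the signature verifies; otherwise an unauthenticated sender could
// push it forward with garbage and lock out the operator's real commands.
func (r *Receiver) Accept(c Command) error {
	if !ed25519.Verify(r.Pub, signedBytes(c.Seq, c.Opcode), c.Sig) {
		return ErrBadSignature
	}
	if c.Seq <= r.lastSeq {
		return ErrReplay
	}
	r.lastSeq = c.Seq
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	implant := &Receiver{Pub: pub}
	kill := Sign(priv, 1, "SUICIDE") // constructed opcode name, not Flame's
	fmt.Println("first delivery:", implant.Accept(kill))
	fmt.Println("replayed copy: ", implant.Accept(kill))
	forged := kill
	forged.Opcode = "UPLOAD_MODULE"
	fmt.Println("tampered copy: ", implant.Accept(forged))
}
```

A sequence counter is the simplest freshness check and is enough when there is one operator and the implant keeps state; if the implant is re-imaged or the counter is lost, the operator has to resynchronise, which is the usual reason real protocols use a challenge or timestamp instead. Note also what this means for the sinkhole idea in the thread: without the private key, the most a takeover of the C&C addresses can do is withhold commands.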


a bloated mess that slows computers to a crawl

This is simply not the case.[0]

[0] http://dottech.org/wp-content/uploads/2010/12/dotTech_AV_Com...


Kaspersky runs a security news operation, competing with trade press operations like "Dark Reading", staffed with former writers from places like ZDNet. It is from what I can tell an extraordinarily effective marketing tool.


No matter what people say there are many world-class security engineers and researchers working at Symantec.


Symantec is gobbling up headlines specifically to make you believe they are a high-tech operation. There are many other private firms and state operations which you will never hear about, running rings around Symantec.


As per normal.

Anyone in the antivirus/virus community knows how much of a slow and often incompetent operation Symantec & Co are.


It could be a case of PhDs who can't code. Basically being smart in one area doesn't make you smart in another, and in fact will often blind you to other areas. So poor UX and the always-behind nature of AV (attackers can see what you have done but you can't see what they are up to until it is too late) means you always appear incompetent no matter how good you are.


They think it's 4 or 5 years old. I don't think that's very cutting edge.


Flame sounds awesome. I am always fascinated by clever bits of kit like this.

I read a piece about Conficker a while ago. I thought it was super cool that it patched the security vulnerability on infected computers to protect itself. It's just really clever. Now you have Flame which has done what it has done and is now trying to kill itself to make it look like it never existed.

Obviously though it is also deeply concerning. States are investing more and more into cyber warfare. If anything more money needs to be spent hardening computer networks and systems to protect from exactly these kind of threats.


Self-destruct codes and patching up the hole you came in through are both pretty par for the course when it comes to non-trivial malware.


It's par for the course, but it's still a spectacle to see a malware so big/important/advanced self-destruct in front of our eyes, in the news.


Maybe you already did as it was very popular back then, but you should read the detailed story on stuxnet that was featured in Wired a while ago: http://www.wired.com/threatlevel/2011/07/how-digital-detecti...

Very fascinating.


Fantastic read. Thank you!


> The command located every Flame file sitting on a PC, removed it and then overwrote memory locations with gibberish to thwart forensic examination.

I'd like to know how many writes it did since this would finally settle the issue of whether FBI / NSA can read erased data. If one write is good enough for them, you know they can't recover anything with one write either.


Researchers already have samples of Flame saved. Nobody needs to do forensic analysis to try and recover deleted files here.

In all likelihood, all the Flame authors are trying to do is prevent computer owners from casually detecting that they were infected, now that Flame is public knowledge.


Presumably it is purging machine specific (targeted) configuration, code updates, and spooled data too, i.e. not just the virus code.

Knowing specifically what the virus was looking for, which machines were infected, and what data was snarfed is of critical importance to the targets.

Purging makes the targets' job of forensics much, much harder.

Edit: flame code is not monolithic - forensics would be very interested in getting code for all modules: "Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated." - http://www.richardsilverstein.com/tikun_olam/2012/05/28/flam...


Stuxnet was US-funded, Flame wasn't.


And you know this... how?


Well, it could have been funded by Martians :) But the main suspect right now is Israel, not the US. This guy clearly has an agenda, but claims "My major scoop is that my senior Israeli source confirms that it is a product of Israeli cyberwarfare experts." http://www.richardsilverstein.com/tikun_olam/2012/05/28/flam...


If it was Israel, I'd bet dollars to donuts that they got help from American agencies. Either way, a professional government agency somewhere, which apparently knows a lot about cryptology and presumably computer forensics, designed this thing and issued a data shredding command. My point still stands in that the number (and types) of writes they did would be very informative.


Silverstein often quotes a senior Israeli official to say it's Israel's fault whenever something goes wrong in the Middle East, but he never produces evidence and his assertions are rarely backed up by independent reporting. I suspect he's making it all up, or his senior official source is a senior official in a political action group and not the government. In any case, he is not a reliable source.


You know nothing about me or my source. But I'll correct your many errors. My source doesn't say it's Israel's fault "whenever something goes wrong in the Middle East." That's only your distorted interpretation. But when he does inform me of an important development related to Israeli national security, I report it. Sometimes I agree with my source, sometimes not. My source, for example, supports Israel's covert war against Iran. I don't. But I report it because I'm a good journalist.

Second, my source has extensive Israeli military, political & intelligence experience. Third, almost all his scoops have turned out to be true. None have been proven false. Now, what are your bona fides & do they match his?


Not sure I follow the logic of

"The design of this new variant required world-class cryptanalysis"

to

"The finding gives support to claims that Flame must have been built by a nation state rather than cybercriminals."

Doesn't that assume world-class cryptographers only work for governments? Are there other reasons people are assuming this was state-sponsored?


There is also the little fact that Flame seems to have been targeting Iran, Syria, and the West Bank. Not proof that a nation state was involved, but surely there are more profitable targets for a criminal master mind capable of inventing new cryptographic methods.


There are lots of academic crypto researchers, there are some state-sponsored (i.e. secret-service) crypto researchers, and there are even a scant few commercial crypto researchers; the academics and commercial entities are usually reasonably open about their work, so that leaves state-sponsored cryptographers.

(Of course, they could be criminals. But there are other reasons to suspect that that is unlikely, most importantly the fact that Flame doesn't appear to steal credit cards.)


It depends on what the malware is designed to do. Cui bono, as they say.

If the malware is designed to grab bank passwords or steal money, then you can assume there's a criminal enterprise behind it.

But if the malware is specifically targeting certain "problem" countries; and stealing documents and other things of non-monetary value, then it's very likely that there's a government behind it. Which criminal mastermind will say, "tomorrow, I'll steal Word documents of all Syrians" ? What will he do with them anyways? Given the abundance of low-hanging fruit, why would a criminal jump through all these hoops?


So state-sponsored malware writers should seed their payloads with misleading targeting information, but have an option to download other targeting code dynamically. (And erase such the moment it's not needed.)


> What will he do with them anyways?

He'll sell them to a state actor. Even if something is non-monetary, if someone with money wants it, it can be monetized.


If you're gonna go to that amount of trouble then why not steal everything, including CC numbers and why not target everyone, not just specific states?


I think the point is that doing this is riskier, and more difficult than just stealing CC numbers and such.


From the other articles I've read, it's my understanding that they're basically saying Flame is so sophisticated, it was probably developed by a team of really, really smart people with time and resources at their disposal.

It doesn't necessarily rule out criminals, but it's much more likely that it's state-sponsored.


> Flame targeted countries such as Iran and Israel and sought to steal large amounts of sensitive data.

I had heard that Flame targeted Iran, which was one of the reasons people suspected US and/or Israel. This says Israel was targeted. Am I misinterpreting something here? If other evidence supposedly points to a nation-state, what nation-state dislikes both Iran and Israel? Something's not adding up.

Edit: Thanks. "Spy on friends" or "Spy on yourself to deflect attention" seem as viable as any other theories out there, if not more.


Another article on this (I don't have the link) indicated that the operators were carefully picking their targets and uninstalling it from uninteresting systems. If you have a virus like this, you can target people in your own country and help deflect suspicion at the same time.


"Liking" a nation does not preclude other nations from spying on them. I'm sure the US and Israel spy on each other.


I'm sure the US spies on pretty much everyone, friend or foe... and it's probably the same the other way round too!


Sure. It's also a great way to get around domestic wiretapping laws. Assuming you can cooperate well enough with a foreign power, you can have a "I'll show you yours if you show me mine." sort of situation.


The US has some very close allies for sharing intel, and it'd be a massive incident if it got out that such allied countries were spying on each other. It happens to some degree, but if stuff gets out, the White House & State can make heads roll, so you'd only see pretty routine spycraft occur between allies (counter-intel, rumor mill, feelers).


The trick is not to get caught... and if you do get caught, then blame it in on the Chinese/Russians/flavour-of-the-month :D

In all seriousness, the spying may not be as hardcore or blatant(!) as say US/China or US/Russia but they are not looking for the same kind of intel between US/UK. I would be very very surprised if there was not some intel gathering at some level.


The Pakistan/US relationship is a fascinating example of this.


Another thing to note is how fragile and obviously forced the tentative friendship between the US and Israel is.


> what nation-state dislikes both Iran and Israel?

Saudi Arabia


Iran has sectarian differences with most of its neighbours: its Supreme Leader is a Shia cleric, whereas most countries in the Middle East are majority Sunni. So it isn't exactly surrounded by friends.


There is a rather large difference between saying who was targeted and saying where the infections were found.


Actually, other Middle Eastern nations are nearly as worried about a nuclear-armed Iran as Israel is. http://www.guardian.co.uk/world/2009/sep/23/nuclear-iran-un-...


At first I thought, why bother. But of course you would want to try to leave your target with no immediate way to determine which machines had been hit. Wonder why they didn't do it sooner. Perhaps they were worried about losing control if too many c&c servers were taken out.


Symantec is just jealous these guys can remove viruses from a machine so damn efficiently.


Yeah, it's much harder to fully remove, say, Norton Antivirus from your computer.


I've been nuking my computers from orbit, has anyone found an alternate that works better?


I'm not sure it's even possible to do. I take a more creative approach involving "deny" file permissions everywhere and deliberately writing over various .exe files with gibberish.


It helps if you know where it is ahead of time.


Since a nation state is supposedly behind this, wouldn't they have secured their command & control hosts better?


Surely they're not actually maintaining those hosts themselves (imagine the embarrassment of doing a RDNS lookup and getting "flame-cc1.nsa.gov"). They are almost certainly compromised machines owned by someone else, which makes "securing" them in the classic sense pretty much impossible.


I know it was a joke comment, but names like "Flame", "Duqu" or "Stuxnet" are not the names under which those viruses were developed; they were attributed to them later by the security community.


How far down the rabbit hole would you have to go before you find a connection from a .gov machine?

Or do nation-state malware programmers maintain a strict no-contact policy to keep the government's hands clean?

I suppose we'll never know the answer.


I'd imagine the folks doing this have a windowless van parked outside a Starbucks. I'm fairly certain you'd never be able to trace it back to a .gov computer without physically finding the computers themselves.


Did you ever read about Titan Rain? http://www.time.com/time/magazine/article/0,9171,1098961,00....

It talks a bit about how one person tracked attacks through multiple countries back to China.


The cat can never be put back into the bag.


Obama has been careless when it comes to giving the military free rein with new weapons without considering the consequences or legal precedent.


Well that's a whole boat-load of assumptions and accusations. And some rather funny/naive ones at that.


How about telling me what it is you think instead of condescendingly calling me funny and naive. Besides the use of weaponized computer viruses, which the NY Times confirmed was done by Obama in the Stuxnet case, I am also thinking of the massive increase in drone strike assassinations, including of American citizens, in countries we are not at war with, namely Pakistan and Yemen. The only assumption I made is that Flame was also done by Obama but I don't think that is a big leap.


Meow. Who says they would want to put the cat back in the bag. Part of war is showing the other side that your guns are bigger and meaner. If the US is responsible, and like others I am reasonably confident we are, then the US just flashed a really nice show of what we are capable of in a real cyberwar.


My comment was more about them trying to cause it to self destruct as to slow down research.


It could never have been kept in the bag. State-sponsored viruses and other Internet hacking are inevitable.


That's not obviously true.

That one worm was discovered does not mean that every state-designed worm will be (or has been).


so, is it officially the future yet?


But... Did the first officer concur???



