As someone who doesn't keep up with the crypto/security communities, one thing that has surprised me is how the cutting-edge news on this Flame story has been coming from antivirus vendors like Kaspersky Lab and Symantec. General sentiment seems to be that AV vendors are low-tech operations that don't have the best people when it comes to security. Other comments even on this very thread reflect this sentiment: "timaelliott: Symantec is just jealous these guys can remove viruses from a machine so damn efficiently." Do these guys deserve more respect than we give them?
I'm not sure where the cutting edge work is being done in this case, but generally speaking we 'hear' from Kaspersky/Symantec in these sorts of press stories primarily because they have notable press/marketing operations with tight relationships to mainstream news organizations.
Even if they were doing little more than independently confirming the cutting edge work of other firms, their voice is massively 'louder' and today's mass media landscape is tilted away from the independent investigation that we could rely upon to properly attribute the work being done in such technical situations.
Ralph Langner did most of the research then Symantec refused to credit him. Also on many points the wikipedia article disagrees with your statements. Care to disclose if you have a vested interest? http://en.wikipedia.org/wiki/Stuxnet
Firstly, there is nothing at all special or interesting about how flame removes itself. It deletes a list of files that the author knows they created.
Secondly, you have to remember that these companies employ many free-thinking humans with varied jobs and abilities. Among those are some skilled analysts who simply take apart viruses for a paycheck. A lot of AV companies have at least a few people who are best of breed at this stuff. They post writeups and share the work of what is interesting. Marketing is generally not involved in the technical blog posts that you see.
> Firstly, there is nothing at all special or interesting about how flame removes itself.
Actually I'd disagree. The interesting thing for me is that it overwrites memory locations to thwart memory forensics. This isn't a common thing at all, but is something that I covered in a talk at a DC4420 meeting a year or two ago.
IMHO, the antivirus makers deserve even less credit than we give them. They have been demonstrating their competence, so why is their software a bloated mess that slows computers to a crawl and still lets through unsophisticated crapware like the fake antivirus stuff?
My biggest problem with all this media is that with knowledge of how it works, and having control of the C&C software, none of those idiots are just saying "For a day let's spoof all of their update centers and spam suicide signal to anyone who comms during that day." Which would kill a majority if not ALL of the virus out there.
Another option is to not sit around proudly on their C&C centers, but that's an obvious start on reversing them as well as a relay point for data. Finding WHAT data EXACTLY they're hunting is the first step in finding who is doing it.
> My biggest problem with all this media is that with knowledge of how it works, and having control of the C&C software, none of those idiots are just saying "For a day let's spoof all of their update centers and spam suicide signal to anyone who comms during that day." Which would kill a majority if not ALL of the virus out there.
It should be pointed out that they're not actually allowed to do that. As silly as it sounds, controlling another person's computer without their permission is illegal, no matter the reason. The best they can do is take over the /entire/ C&C chain, a monumental task, and then not send any commands to the infected machines, thereby rendering the virus inert.
I'll read it but know this, and I'm willing to sign a document to the effect publicly, regardless of its damage to my reputation.
If a virus was spreading and I could counter it (especially without writing my own virus just for that) then my first action would be to do so and document it well.
A doctor would be clapped for, if he/she diagnosed an illness and treated someone. There would be some mumblings of doubt but who would take action against good will and humanitarianism?
If a mechanic saw someone's brake lines cut, isn't it their duty just the same to use their information to help people?
We can't learn everything in life, we specialize. Society is no good if we don't use our differing knowledge in tandem with one another. As a specialist if you're not willing to help people with your knowledge then likely you're just a specialist for the purpose of profit, not passion. With that said, perhaps you should reconsider a few things.
I remember encountering this same issue back during the Code Red/nimda worm days. When my webserver would get hit with the query string that demonstrated an infected machine trying to find another victim, I would fire off a callback to that machine exploiting the same vector that would reboot it in the hopes that someone would notice their machine was infected.
I knew I was technically in violation of the law (contra certain amusing "self-defense" rationalizations) however.
I don't know much about Flame, but I would assume that messages are sent using public-key cryptography in such a way that they can't be spoofed. Maybe a replay attack would be possible though.
You don't spoof the messages, you spoof the destinations.
In a closed system if you can get ahold of the destination as they have, you can redirect everything else to that center temporarily and just let it keep spamming suicide modules. If it's still confusing I can try to explain it better.
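The reasoning in the last few comments (commands signed with the operator's key can't be forged, but a sinkhole that has "spoofed the destinations" could replay a captured suicide command, and only a per-check-in nonce stops that) in runnable form, as an added example that is not part of the thread or of any published analysis of Flame. It uses a toy RSA key built from two hypothetical small primes and an invented `<COMMAND>|<nonce hex>` wire format; nothing about Flame's real protocol is claimed.

```python
"""Toy model of a signed bot-to-C&C command channel, added to illustrate
why a sinkholed command server cannot forge a signed command but can
replay one, and how a per-check-in nonce closes the replay.
Everything here is hypothetical: the key, the command format, the names."""
import hashlib
import os

# Hypothetical toy RSA key: two small primes so the arithmetic is readable.
# Far too small to be secure; the structure, not the key size, is the point.
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # operator's private exponent (Python 3.8+)
PUBLIC_KEY = (E, N)                 # what every bot carries


def _digest(body: bytes) -> int:
    # SHA-256 truncated to 32 bits so the value is below the toy modulus.
    return int.from_bytes(hashlib.sha256(body).digest()[:4], "big")


def sign(body: bytes, d: int = D) -> int:
    """Operator side: only the holder of the private exponent can do this."""
    return pow(_digest(body), d, N)


def verify(body: bytes, sig: int, pub=PUBLIC_KEY) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(body)


def make_command(cmd: str, nonce: bytes):
    """Hypothetical wire format: '<COMMAND>|<nonce hex>' plus its signature."""
    body = cmd.encode() + b"|" + nonce.hex().encode()
    return body, sign(body)


class NaiveBot:
    """Checks only that the command was signed with the operator's key."""

    def __init__(self):
        self.alive = True

    def handle(self, body: bytes, sig: int) -> str:
        if not verify(body, sig):
            return "rejected: bad signature"
        cmd = body.split(b"|", 1)[0]
        if cmd == b"SUICIDE":
            self.alive = False          # uninstall: delete files, wipe memory
            return "executed: suicide"
        return "ignored: unknown command"


class NonceBot(NaiveBot):
    """Also requires the command to carry the nonce it issued at check-in."""

    def __init__(self):
        super().__init__()
        self.pending = None

    def checkin(self) -> bytes:
        self.pending = os.urandom(8)    # fresh challenge sent to the C&C
        return self.pending

    def handle(self, body: bytes, sig: int) -> str:
        if not verify(body, sig):
            return "rejected: bad signature"
        nonce_hex = body.split(b"|", 1)[1]
        if self.pending is None or bytes.fromhex(nonce_hex.decode()) != self.pending:
            return "rejected: stale nonce (replay)"
        self.pending = None
        return super().handle(body, sig)


def scenario() -> dict:
    """Walk through forge, replay and nonce-checked delivery."""
    results = {}
    # 1. A genuine signed suicide command, captured from the real C&C or
    #    from a seized server. The nonce is the one the first victim used.
    captured = make_command("SUICIDE", bytes(8))
    results["captured_verifies"] = verify(*captured)
    # 2. The sinkhole has redirected every bot to itself but holds no D,
    #    so a freshly written command with a guessed signature is rejected.
    forged_body = b"SUICIDE|" + (b"\x01" * 8).hex().encode()
    results["forge"] = NaiveBot().handle(forged_body, 12345)
    # 3. Replaying the captured envelope to every redirected naive bot works:
    #    the signature is valid and the bot checks nothing else.
    results["replay_naive"] = NaiveBot().handle(*captured)
    # 4. A bot that binds commands to its own check-in nonce rejects the replay.
    bot = NonceBot()
    bot.checkin()
    results["replay_nonce"] = bot.handle(*captured)
    # 5. ...but still obeys a command the real operator signs for that nonce.
    bot = NonceBot()
    results["fresh_nonce"] = bot.handle(*make_command("SUICIDE", bot.checkin()))
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The sinkhole in step 2 stands in for the "spoof the destinations" idea: DNS or routing puts the redirected bots in front of a server the defenders run, but without the operator's private exponent that server can only relay what it has already seen. Whether step 3 works in practice therefore depends entirely on whether the real protocol binds each command to something the bot supplied (nonce, counter, timestamp), which is exactly the open question raised above.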
Kaspersky runs a security news operation, competing with trade press operations like "Dark Reading", staffed with former writers from places like ZDNet. It is from what I can tell an extraordinarily effective marketing tool.
Symantec is gobbling up headlines specifically to make you believe they are a high-tech operation. There are many other private firms and state operations which you will never hear about, running rings around Symantec.
It could be a case of PhDs who can't code. Basically being smart in one area doesn't make you smart in another, and in fact will often blind you to other areas. So poor UX and the always-behind nature of AV (attackers can see what you have done but you can't see what they are up to until it is too late) means you always appear incompetent no matter how good you are.