Brano (MVM), 2012-May-28 12:18 pm
Flame: Massive cyber-attack discovered, researchers say
Smokey Bear (Premium Member)
Very informative article on the Kaspersky SecureList Blog (The Flame: Questions and Answers): » www.securelist.com/en/bl ··· _Answers
nonymous, to Brano
Code bloat even on threats. "The malware code itself is 20MB in size"
I guess with the size of hard drives, memory and the speed of computers, along with bloat in the OS and software, bad people now can hide almost anything on the computer.
shortckt (Premium Member), 2012-May-28 4:27 pm
It also has some very unusual data stealing features, including reaching out to any Bluetooth-enabled device nearby to see what it can steal.
Code bloat indeed... looks like they included a bit of everything in it. No wonder it's 20MB.
siljaline (Premium Member), to Brano
Also cited: Kaspersky, Wired, CNET, Twitter hashtag #Flame, ESET
Anon, 2012-May-28 10:32 pm
Seems like bright Russians, after Stuxnet, once again saved the Middle East; Syria & Iran will be in the mud for a while. Aye aye, Sir...
Name Game (Premium Member), to Brano
Flame (aka Flamer aka Skywiper) is a massive, complex piece of malware, used for information gathering and espionage. The malware is most likely created by a western intelligence agency or military. It has infected computers in Iran, Lebanon, Syria, Sudan and elsewhere. » www.f-secure.com/weblog/ ··· 371.html
{Note: Skywiper drops binaries with the .OCX extension, as they are often not scanned by AV. Except by McAfee. So then it uses the .TMP extension.}
CrySyS has published their report on Skywiper / Flamer: http://www.crysys.hu/skywiper/skywiper.pdf
Technical studies conducted by experts skilled in the center and the research done on the net and Dyvkyv Astaks targeted attacks, the Center for the first time to release the latest information from the attacks of this family. Number: IRCNE2012051505 » translate.google.com/tra ··· d%3D1892
FFH5 (Premium Member), to Brano, 2012-May-29 1:02 pm
I'm betting the US made the latest cyberweapon spreading around the world, but Israel is also a prime candidate. Flame was aimed at Iran and they are the biggest victim, but it is now spreading. » news.yahoo.com/cyberweap ··· nce.html
quote: A massive, data-slurping cyberweapon is circulating in the Middle East, and computers in Iran appear to have been particularly affected, according to a Russian Internet security firm.
Moscow-based Kaspersky Lab ZAO said the "Flame" virus was unprecedented both in terms of its size and complexity, possessing the ability to turn infected computers into all-purpose spying machines that can even suck information out of nearby cell phones.
"This is on a completely different level," Kaspersky researcher Roel Schouwenberg said in a telephone interview Tuesday. "It can be used to spy on everything that a user is doing."
Flame is the third major cyberweapon discovered in the past two years, and Kaspersky's conclusion that it was crafted at the behest of a national government fueled speculation that the virus could be part of an Israeli-backed campaign of electronic sabotage aimed at archrival Iran.
Although their coding is different, Schouwenberg said there was some evidence to suggest that the people behind Flame also helped craft Stuxnet, a notorious virus that disrupted controls of some nuclear centrifuges in Iran in 2010.
"Whoever was behind Flame had access to the same exploits and same vulnerabilities as the Stuxnet guys," he said, speculating that two teams may have been working in parallel to write both programs.
Flame appears focused on espionage. The virus can activate a computer's audio systems to eavesdrop on Skype calls or office chatter, for example. It can also take screenshots, log keystrokes, and in one of its more novel functions steal data from Bluetooth-enabled cell phones.
Udi Mokady, chief executive of Cyber-Ark, an Israeli developer of information security, said he thought four countries, in no particular order, had the technological know-how to develop so sophisticated an electronic offensive: Israel, the U.S., China and Russia.
"It was 20 times more sophisticated than Stuxnet," with thousands of lines of code that took a large team, ample funding and months, if not years, to develop, he said. "It's a live program that communicates back to its master. It asks, 'Where should I go? What should I do now?' It's really almost like a science fiction movie," he said.
Kaspersky said it had detected the program in hundreds of computers, mainly in Iran but also in Israel, the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
Schouwenberg, the Kaspersky researcher, said stolen data was being sent to some 80 different servers, something which would give the virus's controllers time to readjust their tactics if they were discovered. He added that some of Flame's functions still weren't clear.
MeDuZa (Member), 2012-May-29 1:39 pm
quote: Israel was blessed as being a country rich with high-tech, these tools that we take pride in open up all kinds of opportunities for us. (Haaretz)

to Brano
Great info on this Flame malware!
quote: Privately held Webroot said its automatic virus-scanning engines detected Flame in December 2007, but that it did not pay much attention because the code was not particularly menacing. That is partly because it was easy to discover and remove, said Webroot Vice President Joe Jaroch. "There are many more dangerous threats out there today," he said.
Full article: » www.reuters.com/article/ ··· 20120528
therube, to Brano
quote: Industrial vacuum cleaner
Yet we already have & have had an "industrial vacuum cleaner" (think NSA & ATT), yet no one seems to care.
quote: At the moment, we haven't seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day.
quote: Skywiper attempts to evade detection by anti-virus products by storing its code in .OCX files (not usually checked by anti-virus products in their default configuration). However, if the malware detects the presence of McAfee's on-access scanner (McShield) it stores its code in .TMP files instead:
Why? Why is there no default whitelisting of allowable executables (with associated hashes) & or other methods of containment? Wouldn't that make far more sense than something like UAC?
FF4m3 (Anon), to Brano, 2012-May-30 12:16 am
Iran 'finds fix' for sophisticated Flame malware: Iran says it has developed tools that can defend against the sophisticated cyber attack tool known as Flame.
Iran says its home-grown defence could both spot when Flame is present and clean up infected PCs.
Iran's National Computer Emergency Response Team (Maher) said in a statement that the detection and clean-up tool was finished in early May and is now ready for distribution to organisations at risk of infection.
In the same statement that announced its home-grown detection tool, Iran said Flame's "propagation methods, complexity level, precise targeting and superb functionality" were reminiscent of the Stuxnet and Duqu cyber threats to which it had also fallen victim.
Name Game (Premium Member), to therube
said by therube: Why? Why is there no default whitelisting of allowable executables (with associated hashes) & or other methods of containment? Wouldn't that make far more sense than something like UAC?
» code.google.com/p/malwar ··· e_flamer
therube
Right. Not one of:
bb5441af1e1741fca600e9c433cb1550
d53b39fb50841ff163f6e9cfd8b52c2e
bdc9e04388bda8527b398a8c34667e18
c9e00c9d94d1a790d5923b050b0bd741
296e04abb00ea5f18ba021c34e486746
5ad73d2e4e33bb84155ee4b35fbefc2b
dcf8dab7e0fc7a3eaf6368e05b3505c5
06a84ad28bbc9365eb9e08c697555154
ec992e35e794947a17804451f2a8857e
296e04abb00ea5f18ba021c34e486746
b604c68cd46f8839979da49bb2818c36
c81d037b723adc43e3ee17b1eee9d6cc
37c97c908706969b2e3addf70b68dc13
are on my whitelist, so they won't be able to run, period!
OZO (Premium Member), to nonymous
said by nonymous: Code bloat even on threats. "The malware code itself is 20MB in size" I guess with the size of hard drives, memory and the speed of computers along with bloat in the OS and software bad people now can hide almost anything on the computer.
You're right. And in addition to the contemporary bloated Windows OSes, where you can hide anything you want (maybe it was the goal of the bloat, after all), now there is the new practice that Google has implemented with its Chrome browser (and others rush to follow): each tab creates a new process. With 50 tabs open (some users on this forum report that they do that), try to manage what's going on with your computer... What processes are running, when they were launched, etc... The new stand in software development now is: who cares about computer security when there are a lot of resources available in the latest computers for disposal? Just take it all, or as much as you can. Plus, as a computer user responsible for its security, try to watch the memory balance with Task Manager in Windows. Can you balance it and tell where it goes and by which process? It's like looking into a skewed mirror; not much reality is left in here... No wonder that now in Windows it becomes possible to run and hide 20 MiB viruses that can do everything. If it keeps going this way, soon they will replace the whole OS itself, I guess... Thanks to the contemporary genuine "genius" architecture of the Windows OS...
Name Game (Premium Member), to Brano
Flame-bait Questions. Posted by Sean @ 16:43 GMT
There are many ongoing discussions about "Flame" right now, an espionage tool; information was disclosed about it on Monday. There are plenty of questions from customers, and also from members of the press. Mikko spoke with Clark Boyd of PRI's The World yesterday about the breaking news. Symantec's Liam O Murchu spoke with Kai Ryssdal of Marketplace in a very "economical" conversation about Flame's functionality. Some good questions have been asked. And plenty of hyperbole has been generated. Here are some questions of our own.
Am I protected from Flame? That's the wrong question. You should be asking yourself this: am I at risk?
Alright then, am I at risk from Flame? Let's see, are you a systems administrator for a Middle Eastern government? No? Then no, you aren't at risk. The number of computers estimated to be infected with Flame is one thousand and there are more than one billion Windows computers in the world. You do the math. You're just as likely to win the lottery. Additionally: Flame is not a worm. Its architecture includes wormable functionality but those functions are disabled by default. So Flame isn't spreading like a worm and therefore you won't be infected unless you've been specifically targeted. And then there's the fact that Flame is now known to be in the wild. And so it's been "turned off". Even Flame's targets are no longer at risk. The real power of an espionage tool is that it's a secret. Flame is no longer a secret and so it will therefore be abandoned. Operational security has been compromised.
Okay, but still in theory am I protected? We have detections for Flame and our current software blocks and prevents Flame from functioning based on our tests. If you have the most current version of your antivirus software and it's functioning properly with up to date databases, you should be good.
So I'm safe? Safe? Okay look, Flame is estimated to be at least two years old. That's old in terms of software code. And Flame is now a known quantity. You don't need to worry about it. Flame has been extinguished. But that isn't why you should find Flame interesting. The important thing about Flame is that it represents what else might be out there: the threats that are still unknown. » www.f-secure.com/weblog/ ··· 372.html
Name Game, to Brano
Cuckoo in Flame. Posted on May 29, 2012 | Category: Cuckoo, Malware Analysis
The summer is near and once again another top-notch cyber-warfare apocalyptic malware incident is all over the news, ready to keep you entertained with the latest cyber drama as you bore under your beach umbrella while your wife is sunbathing. Was it USA, Israel, Russia, China, the Martians or Machete? Who knows, we are not gonna speculate on this because the blabbing on this topic on the Internet is already large enough. We just thought hey, is the most sophisticated cyber-weapon to date gonna run on our upcoming Cuckoo Sandbox 0.4? Well, seems like it does and since we already had a preview blog post planned, what better test case than this. So first of all, this is the sample we are going to analyze: File name: mssecmgr.ocx » blog.cuckoobox.org/2012/ ··· n-flame/
Flame: Component soapr32.ocx. Wednesday, 30 May 2012
One of Flame's components, soapr32.ocx, is a DLL that is designed to collect information about the system and about the software installed on the victim's computer. All the strings that might give clues about the malware functionality are encrypted. Any time the code needs a string, it decrypts it first, as shown below: » stratsec.blogspot.com.au ··· ocx.html
therube
quote: The malware tries to retrieve the credentials information, such as username and password, for the following software products: ... FTP Explorer
That is like some ancient stuff. » pastebin.com/urxuFLUD
to FFH5
said by FFH5: I'm betting the US made the latest cyberweapon spreading around the world, but Israel is also a prime candidate. Flame was aimed at Iran and they are the biggest victim, but it is now spreading. » news.yahoo.com/cyberweap ··· nce.html
dangerous cyber weapon
wat0114 (Premium Member), to Name Game
It seems it would take a lot, mostly ignorance, to allow the installation of this in the first place. Depending on where you look around the Internet, some people are "buying into" this hype like it's the second coming of the computer-infesting antichri$t. BTW, looking at all those .ocx files it loads, AppLocker with DLL restrictions enforced should stop it cold. » www.crysys.hu/skywiper/s ··· iper.pdf
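Worked example, added here to illustrate the point therube and wat0114 are making (it is not code from the thread, from Kaspersky, CrySyS, F-Secure or any other vendor): a default-deny allowlist keyed by file hash blocks any module nobody approved, whatever it is called, while the denylist of known-bad hashes only catches samples already catalogued. Candidate files are picked by content (an MZ stub whose e_lfanew points at the PE signature) rather than by extension, because the .ocx/.tmp switch quoted earlier is aimed at scanners that choose targets by extension. The MD5s in FLAME_MD5S are the ones therube posted; every file name (vendor.dll, update.tmp, the borrowed mssecmgr.ocx), every file body and the allowlist itself are constructed for this example and do not hash to any posted value.

```python
"""Hash-based allowlisting of loadable modules, selected by PE header.

Added example, not code from the thread or from any vendor. FLAME_MD5S
holds the MD5s posted in the thread; all file names, bodies and the
allowlist used by demo() are constructed and hash to none of them.
"""
import hashlib
import tempfile
from pathlib import Path

# MD5s posted in the thread (the list there repeats one of them).
FLAME_MD5S = frozenset({
    "bb5441af1e1741fca600e9c433cb1550", "d53b39fb50841ff163f6e9cfd8b52c2e",
    "bdc9e04388bda8527b398a8c34667e18", "c9e00c9d94d1a790d5923b050b0bd741",
    "296e04abb00ea5f18ba021c34e486746", "5ad73d2e4e33bb84155ee4b35fbefc2b",
    "dcf8dab7e0fc7a3eaf6368e05b3505c5", "06a84ad28bbc9365eb9e08c697555154",
    "ec992e35e794947a17804451f2a8857e", "b604c68cd46f8839979da49bb2818c36",
    "c81d037b723adc43e3ee17b1eee9d6cc", "37c97c908706969b2e3addf70b68dc13",
})


def is_pe(data):
    """True if data starts with an MZ stub whose e_lfanew points at the PE signature.

    The check is content-based on purpose: renaming a DLL to .ocx or .tmp
    (the trick quoted above) does not change these bytes.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def digests(data):
    """(md5, sha256) of a file body. Real modules would be streamed in chunks."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def decide(md5, sha256, allowlist_sha256, denylist_md5=FLAME_MD5S):
    """Policy verdict for one module given its digests: (verdict, reason).

    The denylist is MD5-keyed only because that is what was posted; the
    allowlist is keyed by SHA-256, since MD5 is not collision resistant and
    an approved MD5 could be reproduced on a different file.
    """
    if md5 in denylist_md5:
        return ("BLOCK", "known-bad md5")
    if sha256 in allowlist_sha256:
        return ("ALLOW", "on allowlist")
    return ("BLOCK", "not on allowlist")  # default deny: unknown is not allowed


def pe_files(directory):
    """Yield (path, body) for every PE image under directory, any extension."""
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            body = path.read_bytes()
            if is_pe(body):
                yield path, body


def build_allowlist(golden_dir):
    """SHA-256 set of every PE image in a known-clean reference tree."""
    return {digests(body)[1] for _, body in pe_files(golden_dir)}


def scan(directory, allowlist_sha256):
    """Map each PE image under directory to its (verdict, reason)."""
    return {path.name: decide(*digests(body), allowlist_sha256)
            for path, body in pe_files(directory)}


def fake_pe(tag):
    """Constructed stand-in for a PE file: MZ stub, e_lfanew = 0x40, PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(stub) + b"PE\x00\x00" + tag


def demo():
    """Constructed scenario: one approved DLL, two unapproved drops, one text file."""
    golden = Path(tempfile.mkdtemp(prefix="golden_"))
    target = Path(tempfile.mkdtemp(prefix="target_"))
    (golden / "vendor.dll").write_bytes(fake_pe(b"approved vendor module"))
    (target / "vendor.dll").write_bytes(fake_pe(b"approved vendor module"))
    # Names echo the thread's .ocx/.tmp remark; bodies are constructed, so
    # these are simply unapproved modules, not real Flame components.
    (target / "mssecmgr.ocx").write_bytes(fake_pe(b"unknown ocx drop"))
    (target / "update.tmp").write_bytes(fake_pe(b"unknown tmp drop"))
    (target / "notes.txt").write_bytes(b"plain text, not a PE image")
    return scan(target, build_allowlist(golden))


if __name__ == "__main__":
    for name, (verdict, reason) in sorted(demo().items()):
        print(f"{verdict:5} {name:14} {reason}")
```

Run stand-alone it prints ALLOW for vendor.dll and BLOCK (not on allowlist) for mssecmgr.ocx and update.tmp; notes.txt is never considered because it carries no PE header. The same idea enforced by the OS is what wat0114's AppLocker remark refers to: AppLocker file-hash rules built from a reference machine (Get-AppLockerFileInformation, New-AppLockerPolicy) deny a DLL or OCX that is not on the list at load time, which is a stronger position than a denylist that has to be updated after every new sample is catalogued.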
to OZO
said by OZO: The new stand in software development now is - who cares about computer security when there is a lot of resources, available in latest computers for disposal. Just take it all or as much as you can.
That's true not only in the desktop world but in the embedded world as well. About 10 years ago I was working for a company that used an 8051-based microcontroller (god I hate them!) with 16KB (16,384 bytes) of (EP)ROM and 1KB (1,024 bytes) of RAM. We were interviewing candidates for an embedded firmware developer position and this one guy asked why we weren't writing our code in Java! Needless to say he didn't get the job. These days we have GB of RAM and TB of HD, yet it still manages to be eaten up. I swear that many developers have stock in semiconductor/disk manufacturers.
antdude (Premium Member), to Brano
FOX & Angry Birds
state (Mod), 2012-Jun-2 10:32 am
Wow, think they sensationalize much?
Might as well have run a headline saying it's tied to HP, Dell or Apple, since it's more than likely that the code was written using one of their products.
siljaline (Premium Member), to antdude
I posted the Fox News link on my Facebook page, antdude - that should scare some away from playing games such as these.
Name Game (Premium Member), to state
said by state: Wow, think they sensationalize much? Might as well have run a headline saying it's tied to HP, Dell or Apple since it's more than likely that the code was written using one of their products.
I am thinking the makers of WD-40 might be at the bottom of this whole thing.
Brano (MVM), 2012-Jun-8 12:28 pm
» www.bbc.co.uk/news/techn ··· 18365844
quote: The creators of the Flame malware have sent a "suicide" command that removes it from some infected computers.
Name Game (Premium Member)
Not quite.... Flame in some cases is updating and changing. Kim at Wired has a good interview here that is current on Flame. » s3.amazonaws.com/scifri- ··· 6081.mp3
norwegian (Premium Member), to Brano
Re: Flame: Massive cyber-attack discovered, researchers say
Funnily enough, because I don't want to sound paranoid: when I first came here asking and pushing till WCB got sick of me, I found then, on Win XP SP1 and dial-up, that there seemed to be something running on the computer, because the web site history did not match where I went; there were some shocking links I would not want to reproduce here or anywhere. Fast forward: the Windows Update redirection sounds familiar, because whatever happened, it seemed like with every update it was staying ahead of the patches.
I just can't believe how some of this behavior sounds so similar to what was happening then. Maybe some malware just proxies Windows Updates etc. for its own purpose; is it a platform standard?
All the reading up just takes me back to then... the funny thing though: if then was a baby brother to what is here of late, the time frame they are referencing at present for the history of file date stamping would double. Scary thought.
Edit: Dictionary font.
Name Game (Premium Member), to Brano
Excellent article... not only about how it came down, but also who was at risk, and better yet who might be at risk in the future and why.
Flames and collisions. Posted on Jun 7, 2012 by Jeff
"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened." - Mikko Hypponen
Unless you are a system administrator for a government institution in or around the Middle East you do not need to worry about Flame infecting your computer. Flame (also known as Flamer and skywiper) itself is not a security concern except to a very narrow, targeted group. Quite simply you don't need to worry about being infected by Flame, and antivirus vendors who suggest otherwise may be engaging in fear mongering.
With so few people in danger of Flame, why am I writing about it? Good question. I'm writing about it because one of the methods used in Flame has the potential of undermining a crucial part of computer security. The authors of Flame have the ability to subvert the Windows Update process. Whatever Flame itself does or doesn't do, the fact that its authors acquired the capability to distribute fake updates to Microsoft Windows is cause for serious concern.
Software updates and chains of trust
I have previously written about how an important part of computer security is ensuring that your software updates come from the right place. You don't want someone who pretends to be AgileBits giving you malicious updates to 1Password. And you don't want someone who pretends to be Microsoft giving you malicious Windows Updates. The methods used for digitally signing downloads and updates involve some mathematical magic and a Chain of Trust. In the summer of 2011, we saw, in the example of DigiNotar, what can happen when someone finds a way to insert themselves into the chain of trust. These two articles, Who do you trust to tell you who to trust? and A peek over the Gatekeeper, explain the security infrastructure I'll be writing about here. You will see terms like Certificate Authority or Man in the Middle attack in this post, but they are more fully explained and illustrated in those other posts. Read more here: » blog.agilebits.com/2012/ ··· lisions/