
Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11

2 recommendations

Flame: Massive cyber-attack discovered, researchers say



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4
Very informative article on the Kaspersky SecureList Blog (The Flame: Questions and Answers): »www.securelist.com/en/blog/20819···_Answers
--
~ The fool is one of the wisest people of all ~

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Brano
Code bloat even on threats. "The malware code itself is 20MB in size"

I guess with the size of hard drives, memory and the speed of computers along with bloat in the OS and software bad people now can hide almost anything on the computer.


shortckt
Watchen Das Blinken Lights
Premium
join:2000-12-05
Tenant Hell
It also has some very unusual data stealing features including reaching out to any Bluetooth enabled device nearby to see what it can steal.


Code bloat indeed... looks like they included a bit of everything in it. No wonder it's 20MB.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 edit
reply to Brano
Also cited: Kaspersky
Wired CNET Twitter hashtag #Flame
ESET


Anon users

@anonymouse.org
Seems like bright Russians, after Stuxnet, once again saved the Middle East, Syria & Iran will be in the mud for a while, Aye Aye Sir...


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to Brano
Flame (aka Flamer aka Skywiper) is a massive, complex piece of malware, used for information gathering and espionage.

The malware is most likely created by a western intelligence agency or military. It has infected computers in Iran, Lebanon, Syria, Sudan and elsewhere.
»www.f-secure.com/weblog/archives···371.html

{Note: Skywiper drops binaries with the .OCX extension, as they are often not scanned by AV. Except by McAfee. So then it uses the .TMP extension.}

CrySyS has published their report on Skywiper / Flamer
http://www.crysys.hu/skywiper/skywiper.pdf

Technical studies conducted by experts skilled in the center and the research done on the net and Dyvkyv Astaks targeted attacks, the Center for the first time to release the latest information from the attacks of this family.
Number: IRCNE2012051505
»translate.google.com/translate?s···d%3D1892

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5
reply to Brano
I'm betting the US made the latest cyberweapon spreading around the world, but Israel is also a prime candidate. Flame was aimed at Iran and they are the biggest victim, but it is now spreading.

»news.yahoo.com/cyberweapon-disco···nce.html

A massive, data-slurping cyberweapon is circulating in the Middle East, and computers in Iran appear to have been particularly affected, according to a Russian Internet security firm.

Moscow-based Kaspersky Lab ZAO said the "Flame" virus was unprecedented both in terms of its size and complexity, possessing the ability to turn infected computers into all-purpose spying machines that can even suck information out of nearby cell phones.

"This is on a completely different level," Kaspersky researcher Roel Schouwenberg said in a telephone interview Tuesday. "It can be used to spy on everything that a user is doing."

Flame is the third major cyberweapon discovered in the past two years, and Kaspersky's conclusion that it was crafted at the behest of a national government fueled speculation that the virus could be part of an Israeli-backed campaign of electronic sabotage aimed at archrival Iran.

Although their coding is different, Schouwenberg said there was some evidence to suggest that the people behind Flame also helped craft Stuxnet, a notorious virus that disrupted controls of some nuclear centrifuges in Iran in 2010.

"Whoever was behind Flame had access to the same exploits and same vulnerabilities as the Stuxnet guys," he said, speculating that two teams may have been working in parallel to write both programs.

Flame appears focused on espionage. The virus can activate a computer's audio systems to eavesdrop on Skype calls or office chatter, for example. It can also take screenshots, log keystrokes, and — in one of its more novel functions — steal data from Bluetooth-enabled cell phones.

Udi Mokady, chief executive of Cyber-Ark, an Israeli developer of information security, said he thought four countries, in no particular order, had the technological know-how to develop so sophisticated an electronic offensive: Israel, the U.S., China and Russia.

"It was 20 times more sophisticated than Stuxnet," with thousands of lines of code that took a large team, ample funding and months, if not years, to develop, he said. "It's a live program that communicates back to its master. It asks, 'Where should I go? What should I do now?' It's really almost like a science fiction movie," he said.

Kaspersky said it had detected the program in hundreds of computers, mainly in Iran but also in Israel, the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Schouwenberg, the Kaspersky researcher, said stolen data was being sent to some 80 different servers, something which would give the virus's controllers time to readjust their tactics if they were discovered. He added that some of Flame's functions still weren't clear.



MeDuZa

join:2003-06-13
Austria
quote:
Israel was blessed as being a country rich with high-tech, these tools that we take pride in open up all kinds of opportunities for us.
Haaretz
--
Reality corrupted. Reboot universe? (Y/N)


Triple Helix
Troll Hunter
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed
reply to Brano
Great info on this Flame Malware!

"Privately held Webroot said its automatic virus-scanning engines detected Flame in December 2007, but that it did not pay much attention because the code was not particularly menacing.

That is partly because it was easy to discover and remove, said Webroot Vice President Joe Jaroch. "There are many more dangerous threats out there today," he said."

Full Article: »www.reuters.com/article/2012/05/···20120528
--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

4 edits
reply to Brano
quote:
Industrial vacuum cleaner
Yet we already have & have had an "industrial vacuum cleaner" (think NSA & ATT), yet no one seems to care.

quote:
At the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day.
quote:
Skywiper attempts to evade detection by anti-virus products by storing its code in .OCX files (not usually checked by anti-virus products in their default configuration). However, if the malware detects the presence of McAfee's on-access scanner (McShield) it stores its code in .TMP files instead:
Why?

Why is there no default whitelisting of allowable executables (with associated hashes) and/or other methods of containment? Wouldn't that make far more sense than something like UAC?


FF4m3

@bhn.net
reply to Brano
Iran 'finds fix' for sophisticated Flame malware:

Iran says it has developed tools that can defend against the sophisticated cyber attack tool known as Flame.

Iran says its home-grown defence could both spot when Flame is present and clean up infected PCs.

Iran's National Computer Emergency Response Team (Maher) said in a statement that the detection and clean-up tool was finished in early May and is now ready for distribution to organisations at risk of infection.

In the same statement that announced its home-grown detection tool, Iran said Flame's "propagation methods, complexity level, precise targeting and superb functionality" were reminiscent of the Stuxnet and Duqu cyber threats to which it had also fallen victim.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
You can follow some of the local experts in Iran here.

»twitter.com/?tw_e=screenname&tw_···#!/MSabz

»twitter.com/?tw_e=screenname&tw_···_bagheri
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to therube
said by therube:


Why?

Why is there no default whitelisting of allowable executables (with associated hashes) and/or other methods of containment? Wouldn't that make far more sense than something like UAC?

»code.google.com/p/malware-lu/wik···e_flamer
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 recommendation

Right.

Not one of:

are on my whitelist, so they won't be able to run, period!

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

reply to nonymous
said by nonymous:

Code bloat even on threats. "The malware code itself is 20MB in size"

I guess with the size of hard drives, memory and the speed of computers along with bloat in the OS and software bad people now can hide almost anything on the computer.

You're right. And in addition to the contemporary bloated Windows OSes, where you can hide anything you want (maybe it was the goal of the bloat, after all), now there is the new practice that Google has implemented with its Chrome browser (and others rush to follow) - each tab creates a new process. With 50 tabs open (some users on this forum report that they do that) - try to manage what's going on with your computer... What processes are running, when they were launched, etc... The new stand in software development now is - who cares about computer security when there are a lot of resources available in the latest computers for disposal. Just take it all, or as much as you can.

Plus, as a computer user, responsible for its security, try to watch memory balance with Task Manager in Windows OS. Can you balance it and tell, where it goes and by which process? It's like looking into a skewed mirror, not much reality left in here...

No wonder that now in Windows OS it becomes possible to run and hide 20 MiB viruses that can do everything. If it keeps going this way, soon they will replace the whole OS itself, I guess... Thanks to the contemporary genuine "genius" architecture of the Windows OS...
--
Keep it simple, it'll become complex by itself...


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Brano
Flame-bait Questions

Posted by Sean @ 16:43 GMT
There are many ongoing discussions about "Flame" right now — an espionage tool, information was disclosed about it on Monday.

There are plenty of questions from customers, and also from members of the press.

Mikko spoke with Clark Boyd of PRI's The World yesterday about the breaking news.

Symantec's Liam O Murchu spoke with Kai Ryssdal of Marketplace in a very "economical" conversation about Flame's functionality.

Some good questions have been asked. And plenty of hyperbole has been generated.

Here are some questions of our own.

• Am I protected from Flame?

That's the wrong question. You should be asking yourself this: am I at risk?

• Alright then, am I at risk from Flame?

Let's see, are you a systems administrator for a Middle Eastern government?

No? Then no… you aren't at risk.

The number of computers estimated to be infected with Flame is one thousand and there are more than one billion Windows computers in the world. You do the math. You're just as likely to win the lottery.

Additionally: Flame is not a worm. Its architecture includes wormable functionality but those functions are disabled by default. So Flame isn't spreading like a worm and therefore you won't be infected unless you've been specifically targeted.

And then there's the fact that Flame is now known to be in the wild. And so… it's been "turned off". Even Flame's targets are no longer at risk. The real power of an espionage tool is that it's a secret. Flame is no longer a secret and so it will therefore be abandoned. Operational security has been compromised.

• Okay, but still — in theory — am I protected?

We have detections for Flame and our current software blocks and prevents Flame from functioning based on our tests. If you have the most current version of your antivirus software and it's functioning properly with up to date databases, you should be good.

• So I'm safe?

Safe? Okay look… Flame is estimated to be at least two years old. That's old in terms of software code. And Flame is now a known quantity. You don't need to worry about it. Flame has been extinguished.

But…that isn't why you should find Flame interesting. The important thing about Flame is that it represents what else might be out there… the threats that are still unknown.
»www.f-secure.com/weblog/archives···372.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Brano
Cuckoo in Flame

Posted on May 29, 2012 | Category: Cuckoo, Malware Analysis
The summer is near and once again another top-notch cyber-warfare apocalyptic malware incident is all over the news, ready to keep you entertained with the latest cyber drama as you bore under your beach umbrella while your wife is sunbathing.

Was it USA, Israel, Russia, China, the Martians or Machete? Who knows, we are not gonna speculate on this because the blabbing on this topic on the Internet is already large enough.

We just thought hey, is “the most sophisticated cyber-weapon to date” gonna run on our upcoming Cuckoo Sandbox 0.4? Well, seems like it does and since we already had a preview blog post planned, what better test case than this.

So first of all, this is the sample we are going to analyze:

File name: mssecmgr.ocx

»blog.cuckoobox.org/2012/05/29/cu···n-flame/

Flame: Component soapr32.ocx
WEDNESDAY, 30 MAY 2012
One of the Flame's components, soapr32.ocx, is a DLL that is designed to collect information about the system and about the software installed on the victim's computer.

All the strings that might give clues about the malware functionality are encrypted. Any time the code needs a string, it decrypts it first, as shown below:
»stratsec.blogspot.com.au/2012/05···ocx.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
quote:
The malware tries to retrieve the credentials information, such as username and password, for the following software products:

... FTP Explorer

That is like some ancient stuff.
»pastebin.com/urxuFLUD

Floriana

join:2012-05-23
reply to FFH5
said by FFH5:

I'm betting the US made the latest cyberweapon spreading around the world, but Israel is also a prime candidate. Flame was aimed at Iran and they are the biggest victim, but it is now spreading.

»news.yahoo.com/cyberweapon-disco···nce.html

A massive, data-slurping cyberweapon is circulating in the Middle East, and computers in Iran appear to have been particularly affected, according to a Russian Internet security firm.

Moscow-based Kaspersky Lab ZAO said the "Flame" virus was unprecedented both in terms of its size and complexity, possessing the ability to turn infected computers into all-purpose spying machines that can even suck information out of nearby cell phones.

"This is on a completely different level," Kaspersky researcher Roel Schouwenberg said in a telephone interview Tuesday. "It can be used to spy on everything that a user is doing."

Flame is the third major cyberweapon discovered in the past two years, and Kaspersky's conclusion that it was crafted at the behest of a national government fueled speculation that the virus could be part of an Israeli-backed campaign of electronic sabotage aimed at archrival Iran.

Although their coding is different, Schouwenberg said there was some evidence to suggest that the people behind Flame also helped craft Stuxnet, a notorious virus that disrupted controls of some nuclear centrifuges in Iran in 2010.

"Whoever was behind Flame had access to the same exploits and same vulnerabilities as the Stuxnet guys," he said, speculating that two teams may have been working in parallel to write both programs.

Flame appears focused on espionage. The virus can activate a computer's audio systems to eavesdrop on Skype calls or office chatter, for example. It can also take screenshots, log keystrokes, and — in one of its more novel functions — steal data from Bluetooth-enabled cell phones.

Udi Mokady, chief executive of Cyber-Ark, an Israeli developer of information security, said he thought four countries, in no particular order, had the technological know-how to develop so sophisticated an electronic offensive: Israel, the U.S., China and Russia.

"It was 20 times more sophisticated than Stuxnet," with thousands of lines of code that took a large team, ample funding and months, if not years, to develop, he said. "It's a live program that communicates back to its master. It asks, 'Where should I go? What should I do now?' It's really almost like a science fiction movie," he said.

Kaspersky said it had detected the program in hundreds of computers, mainly in Iran but also in Israel, the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Schouwenberg, the Kaspersky researcher, said stolen data was being sent to some 80 different servers, something which would give the virus's controllers time to readjust their tactics if they were discovered. He added that some of Flame's functions still weren't clear.

I'm betting the US made the latest cyberweapon spreading around the world, but Israel is also a prime candidate. Flame was aimed at Iran and they are the biggest victim, but it is now spreading.

dangerous cyber weapon

wat0114
Premium
join:2012-02-20
Calgary, AB
reply to Name Game
It seems it would take a lot, mostly ignorance, to allow the installation of this in the first place. Depending on where you look around the Internet, some people are "buying into" this hype like it's the second coming of the computer-infesting antichri$t. BTW, looking at all those .ocx files it loads, AppLocker with DLL restrictions enforced should stop it cold.

»www.crysys.hu/skywiper/skywiper.pdf
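Worked illustration of the default-deny, hash-keyed allowlist therube asks about (and of wat0114's AppLocker point), showing why the .OCX/.TMP extension trick mentioned earlier in the thread makes no difference to it. This is added here and is not code from any poster or product; the sample files, the directory layout and the file names are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Content hash of a file, read in chunks so large modules are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: Path) -> dict[str, str]:
    """Baseline a known-good tree: content hash -> relative path first seen."""
    allow: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            allow.setdefault(sha256_file(p), p.relative_to(root).as_posix())
    return allow


def verdict(path: Path, allow: dict[str, str]) -> str:
    """Default deny: only a baselined content hash earns ALLOW.
    Neither the path nor the extension (.ocx, .tmp, ...) is consulted."""
    return "ALLOW" if sha256_file(path) in allow else "DENY"


def demo() -> dict[str, str]:
    """Constructed scenario mirroring the thread: baseline a 'system' tree,
    then judge files that arrive later under extensions AV may skip by default."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp, "system")
        system.mkdir()
        (system / "known.dll").write_bytes(b"MZ\x90\x00known-good module (constructed)")
        allow = build_allowlist(system)

        dropped = Path(tmp, "dropped")
        dropped.mkdir()
        foreign = b"MZ\x90\x00unknown module (constructed)"
        (dropped / "dropped.ocx").write_bytes(foreign)      # unknown bytes, .ocx name
        (dropped / "dropped.tmp").write_bytes(foreign)      # same bytes, .tmp name
        shutil.copy(system / "known.dll", dropped / "renamed.ocx")  # known bytes, odd name
        # Baselined path whose content was replaced after the baseline was taken.
        (system / "known.dll").write_bytes(b"MZ\x90\x00known-good module, now tampered")

        return {
            "unknown_ocx": verdict(dropped / "dropped.ocx", allow),
            "unknown_tmp": verdict(dropped / "dropped.tmp", allow),
            "known_bytes_renamed": verdict(dropped / "renamed.ocx", allow),
            "baseline_path_tampered": verdict(system / "known.dll", allow),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The two unknown files are denied whatever they are called, the known bytes are allowed under any name, and a baselined path whose content changed is denied, which is the property a hash allowlist has that an extension-based scan exclusion does not.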


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 recommendation

reply to OZO
said by OZO:

The new stand in software development now is - who cares about computer security when there is a lot of resources, available in latest computers for disposal. Just take it all or as much as you can.

That's true not only in the desktop world but in the embedded world as well.

About 10 years ago I was working for a company that used an 8051-based microcontroller (god I hate them!) with 16KB (16,384 bytes) of (EP)ROM and 1KB (1,024 bytes) of RAM. We were interviewing candidates for an embedded firmware developer position and this one guy asked why we weren't writing our code in Java! Needless to say he didn't get the job.

These days we have GB of RAM and TB of HD yet it still manages to be eaten up. I swear that many developers have stock in semiconductor/disk manufacturers.
--
Don't feed trolls--it only makes them grow!


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5

1 recommendation

reply to Brano

FOX & Angry Birds



state
stress magnet
Premium,Mod
join:2002-02-08
Purgatory
kudos:6
Wow, think they sensationalize much?

Might as well have run a headline saying it's tied to HP, Dell or Apple since it's more than likely that the code was written using one of their products.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to antdude
I posted the Fox News link on my Facebook page, antdude - that should scare some away from playing games such as these.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to state
said by state:

Wow, think they sensationalize much?

Might as well have run a headline saying it's tied to HP, Dell or Apple since it's more than likely that the code was written using one of their products.

I am thinking the makers of WD-40 might be at the bottom of this whole thing.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe
»www.bbc.co.uk/news/technology-18365844
quote:
The creators of the Flame malware have sent a "suicide" command that removes it from some infected computers.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
said by Brano:

»www.bbc.co.uk/news/technology-18365844

quote:
The creators of the Flame malware have sent a "suicide" command that removes it from some infected computers.

Not quite....flame in some cases is updating and changing.
Kim at Wired has a good interview here that is current on Flame.

»s3.amazonaws.com/scifri-segments···6081.mp3
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


norwegian
Premium
join:2005-02-15
Outback

1 edit
reply to Brano

Re: Flame: Massive cyber-attack discovered, researchers say

Funnily enough, because I don't want to sound paranoid; when I first came here asking and pushing till WCB got sick of me, I found then on Win XP, SP1 and dial-up, there seemed something running on the computer because web site history did not match where I went, there were some shocking links I would not want to reproduce here or anywhere. Fast forward, the Windows Update redirection sounds familiar, because whatever happened it seemed like every update it was staying ahead of the patches.

I just can't believe how some of this behavior sounds so similar to what was happening then. Maybe some malware just proxies Windows Updates etc. for its own purpose, it is a platform standard?

All the read up just takes me back to then.......the funny thing though:
If then was a baby brother to what is here of late, the time frame they are referencing at present, for the history of file date stamping would double. Scary thought.

Edit: Dictionary font.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Brano
Excellent article... not only about how it came down... but also who was at risk... and better yet who might be at risk in the future and why.

Flames and collisions
Posted on Jun 7, 2012 by Jeff

Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened. — Mikko Hypponen
Unless you are a system administrator for a government institution in or around the Middle East you do not need to worry about Flame infecting your computer. Flame (also known as “Flamer” and “skywiper”) itself is not a security concern except to a very narrow, targeted group. Quite simply you don’t need to worry about being infected by Flame, and antivirus vendors who suggest otherwise may be engaging in fear mongering.

With so few people in danger of Flame, why am I writing about it? Good question. I’m writing about it because one of the methods used in Flame has the potential of undermining a crucial part of computer security. The authors of Flame have the ability to subvert the Windows Update process. Whatever Flame itself does or doesn’t do, the fact that its authors acquired the capability to distribute fake updates to Microsoft Windows is cause for serious concern.

Software updates and chains of trust

I have previously written about how an important part of computer security is ensuring that your software updates come from the right place. You don’t want someone who pretends to be AgileBits giving you malicious updates to 1Password. And you don’t want someone who pretends to be Microsoft giving you malicious Windows Updates. The methods used for digitally signing downloads and updates involves some mathematical magic and a Chain of Trust. In the summer 2011, we saw, in the example of DigiNotar, what can happen when someone finds a way to insert themselves into the chain of trust.

These two articles, “Who do you trust to tell you who to trust?” and “A peek over the Gatekeeper” explain the security infrastructure I’ll be writing about here. You will see terms like Certificate Authority or Man in the Middle attack in this post, but they are more fully explained and illustrated in those other posts.

read more here
»blog.agilebits.com/2012/06/07/fl···lisions/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/