Flame: The Massive Stuxnet-Level Malware Sweeping the Middle East
An anonymous reader writes "Wired is reporting on a massive, highly sophisticated piece of malware that has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Kaspersky Lab, the company that discovered the malware, has a FAQ with more details."
The FAQ above is /.ed. Anyone have a better link? Maybe something at isc.sans.edu or ... ? I'm not terribly interested in reading FUD or stuff run through a journalist filter for 4th graders; a technical link would be appreciated.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Isn't this the same company that made the bogus spoof about malware on systems? With an aggressive "NEED TO UPGRADE TO PREMIUM?"
Is it a coincidence that a Russian security firm keeps finding this clandestine, state-sponsored, Middle East-directed malware? Or are US and European security firms simply instructed to look the other way? /tinfoilhat
It seems those kinds of viruses are going against the trend, which nowadays is to use social engineering rather than very sophisticated software. For example, the oh-so-dangerous Chinese hackers mostly use tactics which boil down to sending emails asking you in clever ways to execute the attached exe or to enter your username and password on their website that looks like your legitimate one.
It's refreshing to see a virus which targets, you know, the actual computer instead of the user.
If the researchers quickly surmised that this is a spy tool deployed by our allies against targets of intelligence interest, it seems like a bad idea to publicly disclose it. This isn't a "Wikileaks" type scenario where they're exposing government corruption for the good of the public. They're just compromising the usefulness of an (apparently sophisticated and expensive) spying tool. Chant all you want about the futility of security through obscurity; it is the entire basis of much espionage, and historically the cooperation of the public in hiding information about intelligence programs has been critical to their effectiveness. That has been true not only in the US but also in Russia where Kaspersky is based. Of course we used to be concealing our intelligence activities from each other, but now our interests are aligned, at least with respect to Iran.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
A good move? Starting an arms race in a field where you are the most vulnerable player? It isn't a thermonuclear one, but in this one the best move is also not to play.
Using Lua?
Here we declare that any such actions against us are an act of war, right? If it's an act of war against us, isn't it an act of war against them? Are we behind this? If so, WTF?
Take the Red Pill.
Ahhh, and they just started enriching uranium again. I guess it's back to yellow cake and mud pies. Thanks for playing "You Bet Your P.C."
Who made Flame?
Flame seems to use libraries with permissive licenses only. No hacktivists or cybercriminals would care about this issue, they would use whatever works best.
This leaves governments; they might. Why? Because if it ever becomes known who actually made it, that party would need to release all of the sources, had they used libraries under some copyleft license! Why? Well, whoever made Flame has already obviously distributed binaries, so suing for copyleft violation would happen in court, and it would be many people suing, especially when the counterparty is the government. It would be a PR disaster, and to risk that in an election year? No way.
Also, Flame requires a considerable infrastructure to store and analyze the spied information. Which governments would be capable of pulling this off? All the big ones with a lot of money to spend: China, Russia, Great Britain, France, USA, Japan, ...
So, which government cares a lot about intellectual property? China? Nope. Russia? Nope. Great Britain - well, yeah. Personally, I don't think it was Great Britain. It would be enlightening to check the Flame Lua-parts (or other plaintext in the main Flame) for spelling of -ise vs. -ize. I bet there's -ize and not -ise.
It is said that Stuxnet and Flame share similar 0-day holes. The nation which developed Stuxnet is Israel and they have a strong history of military and intelligence collaboration with USA. Israel would not have had the capability or capacity to run two such parallel programs on its own.
So who HAS likely NOT made Flame? Drop the nations which are one way or another unlikely candidates, and only one name is really left.
So, who made Flame?
USA made Flame. This is what I think. What's your analysis?
And if this was turned around and directed at the US this would be suddenly bad, right?
Because you're the "good guys" so if you do it then it must be OK and if everyone else did it, it should be a crime?
Fuck, no wonder people think America applies a nice double standard to themselves -- fuck you and your Manifest Destiny.
I'll take security researchers who aren't going to just shut up to let security holes be out there to be exploited.
Sounds like a description of "Good Times." Will it chase gradeschoolers with my snow blower?
TFA purports that somebody wrote a bunch of code that is a virus, trojan, malware and toaster driver all at once.
You mean it's like a Facebook phone?
Apart from the toaster bit, which might be useful...
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Well, hard to say if it's really a weapon, but if so I also approve.
Think about it: this may well be a war, an aggressive conflict between two nations, one of which has nuclear weapons, and the other is close. And how many casualties so far? How many cities levelled? This is a good weapon, as weapons go!
Sure, eventually we'll be attacked by the same, and there will be casualties, but it somehow seems less dangerous to civilians than dropping skyscrapers.
Socialism: a lie told by totalitarians and believed by fools.
Seriously? The USA has a history of supporting/sponsoring terrorists, among other political shenanigans, and has enough nuclear material to make more than five nuclear weapons. By your reasoning it should be perfectly acceptable to carry out this kind of attack against them, too.
Kaspersky discovered the malware about two weeks ago after the United Nations' International Telecommunications Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems.
Why do you jump to the conclusion that if it is targeting Iran it must be a good thing? Do you ever question what you see in the media? What if it was written by programmers hired by wall streeters that were trying to gain an upper hand on the oil market, thereby basically stealing money from the Iranians and from you? Still a good thing? This is probably not the case, but that's just it: until we find out all of the details we need to keep our minds open and quizzical, and question who is feeding us what bullshit and why.
Propaganda is getting more and more sophisticated; it is coming at you from all directions. I'm not saying be paranoid, just to realize that most media that gets presented to you has a purpose. Once in a while see if you can divine that purpose.
Try some critical thinking.
Look where all this talking got us, baby.
1. a scarier version of stuxnet
2. a Facebook smartphone
3. secret backdoors on military chips
4. workplace havoc because of OS fake holidays
I was going to accuse Slashdot of fearmongering, until I doublechecked and found out that, yes, Facebook really is trying to build a smartphone.
The Apocalypse is near.
Intellectual property law is philosophically incoherent. It is your moral duty to ignore it or sabotage it.
I swear this is a page out of that book.
When do we get razorbacks?
First it was the civil war, then that pesky 1901 democratic constitution, then the bomb? I guess it's fitting to talk about the next civil war on Memorial Day... X marks the spot, right?
Here is an interesting, informative article related to the topic of this story.
I saw this post demoted, I knew where it led before clicking on it.
The Amiga was all about hardware.
Just because someone happened to work on an Amiga OS doesn't make their Linux variant run like an Amiga
But this is off topic and should be buried.
It destroys, then removes all traces of itself.
FTA: "The disk destroyed by Wiper/Viper was filled primarily with random trash, and almost nothing could be recovered from it,"
Very impressive piece of work, done in a language my keyboard can understand.
Wait.
Do you seriously believe Iran will eventually attack the USA?
For real? Do you think Khamenei will, someday, wake up, drink his coffee and say "What a nice day! I'll deploy the long-range missile technology I don't have to blow up a location half the planet away from me, just because Rush Limbaugh said I probably would do it."?
In hindsight, was the Manhattan Project worth it?
Since Iran supports/sponsors terrorists and has enough nuclear material to make an estimated five nuclear weapons (although the material may be slightly too crude to weaponize at the moment),
I'd bet the malware was developed either in Israel or the USA...probably Israel with USA support. This could create problems but I think this is a good move.
I think you should work on your premise there. I don't know which terrorists you speak of. The US and Israel support terrorists ("freedom fighters") when it is in their interest. Both have large amounts of nuclear weapons. Aren't you applying double standards here? How do you know Iran are the evil guys here (just because they are being portrayed as such in the media)? Iranian leadership is whacky, but it isn't warmongering.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
about the supposed Chinese hackers? Since they're doing the same thing themselves against people they don't like?
But of course they won't. The West can't help but be sanctimonious and hypocritical.
Why would we think this is the US rather than Israel?
Jeezus fuck, FOX news much?
Goddamned hypocritical, sociopathic Americans... can't even recognize propaganda. That's the difference between the folks in countries like Iran and yourselves - they're smart enough to know their government are lying scumbags who overtly manipulate information, you're too fucking dumb and blind to know or acknowledge it.
It's idiots like you that make this world a far less safe place. Fix your fucking selves before trying to 'fix' the world.
Well, the last time this happened (Stuxnet) it fuku'd up an unintended target.
Well yes, but which OS does this malware run on?
Seriously? The USA has a history of supporting/sponsoring terrorists, among other political shenanigans, and has enough nuclear material to make more than five nuclear weapons. By your reasoning it should be perfectly acceptable to carry out this kind of attack against them, too.
But....but..... god is on their side!
OK, the facts, as presented so far:
- Massive, extremely sophisticated spyware is detected on computers in a few Middle East countries; dubbed "Flame", it is supposed to be similar to the infamous (well, at least for some) Stuxnet malware.
- It is not stated that the origin of the spyware is a North American government.
- The only company that makes a public announcement about this spyware is Kaspersky Lab, a Russian security company, although the spyware in question is supposed to have been "out there" since 2007.
- Kaspersky Lab (KL) made the public announcement, however they do not provide scanner/remover for Flame; in fact, a Flame search at the KL site returns no hits.
Are we to believe that other AV companies did not know about it? Why is it that no major AV software reports it? Why is it that no Flame remover is publicly available yet?
I do not parrot what the media says but the timing is right for a preemptive disruption of Iran's nuclear capabilities. Sure, it could be Wall Streeters but then isn't it you who believe everything you hear in the media (e.g. Wall Street = bad, fat cats, etc.)? They can make plenty of money without this conspiracy...and the last time this was done a couple years ago it was deemed to be state sponsored, not a private company or organization. I'd rather stick to my theory than your made up theory, though yours makes a much better novel. The timing tells me enough and I still think it's good although as someone else pointed out (and as I assumed and mentioned) the attacking country would be retaliated against either via a cyber attack or a physical attack. I believe the USA stated a cyber attack on us would be considered an attack like any other and retaliated against via whatever means necessary.
I thought the previous administration's decision to attack preemptively was bold though uncalled for and will ultimately hurt the credibility of the USA but the current administration has ignored a lot of the issues of the Middle East and shunned Israel so action had to be taken while the time's right.
I personally support diplomacy and peaceful negotiations, but this I approve of because of the timing, the political landscape, and the repercussions of doing nothing.
the important somewhat scary question: how does Kaspersky accumulate so much sensitive data?
Think about it. We're talking about personal computers in the middle east. We're talking about some kind of top-shelf spyware. So where does Kaspersky pull their data from?
I think cyberweapons could be seen as useful to computer defense companies. Since I can remember, programmers interested in viruses and virus defense have been apt to bring up the question, "why shouldn't we infect everybody's computer with the latest virus scanner in the form of a virus? Why leave it this voluntary thing?"
Obviously Kaspersky and any other computer virus defense company could benefit from spreading a virus that allows them to actively scan the contents of a computer's drive or memory, if they are looking across a huge geography for a specific signature. They could benefit even more if the virus allowed them to attach modules that will tell them if the cyberweapon attempts to contact other computers either to spread or to report back, because this would allow them to quickly and easily build a vector map.
Which leads me to ask how they get their data in the first place. It's not like they are paying off all the Geek Squads in the Middle East, to send them copies of the entire contents of any drives brought in as having "problems". So how are they discovering threats in the first place, and how can they write paragraphs such as this one:
"According to our observations, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields: they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren't interesting, leaving the most important ones in place. After which they start a new series of infections."
This suggests that they have become intimately knowledgeable about the owners of the infected machines, whether or not those owners are persons of interest, and know seemingly just about as much as the owners of the cyberweapon know. So where is the line drawn, to distinguish between threat and defense??
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Many countries, including the US and Israel, support/sponsor terrorists or state sponsored terrorists. For the most recent example just look at the Iranian nuclear scientists that keep blowing up.
Nuh uh
"Shunned Israel" - This is an attempt at humour, right?
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
"Long live mpoulton, the self-righteous, self-satisfied chatter!"
"Sieg Heil!!!"
Both times I clicked to reply to this same response, the response was instead threaded to the parent. What gives, Slashdot?? I'm curious to see which one this ends up threaded under.
No but to play devil's advocate here it is far more likely they would lob one at Israel. When that happens, because of treaties we have with them (lots of Jewish folk here to push it through), we would be at war with whoever did attack Israel. It's the same situation with North and South Korea.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
Do you seriously believe Iran will eventually attack the USA?
I'm sure I never said that. I don't think I ever implied that. Israel is a nuclear power engaged in low-level conflict with Iran. There's a war of assassination and proxy (and likely malware) going on between those nations.
Wow, do you have some cartoon caricature conservative in your head, and whenever anyone says something you don't agree with, you just assign that stereotype and all its beliefs to the speaker? Trying to understand the actual arguments being made is a much better way to go through life!
Update 1 (28-May-2012):
According to our analysis, the Flame malware is the same as "SkyWiper", described by the CrySyS Lab and by Iran Maher CERT group where it is called "Flamer".
Funny how history has its way of repeating itself.
British Petroleum used to be called the Anglo-Iranian Oil Company (of course it's Anglo first, Iranian second), which was taking advantage of the Iranians and exploiting them for its own interests. When Iran attempted to put a stop to it, we instigated a coup with Britain to install a pro-US/Britain dictator to keep the oil flowing. I have no doubts that everything happening in Iran is for the exact same reasons. Look no further than the likes of the transnational oil corporations, backed by the US/Israel/Britain, to be responsible for this, because ultimately they want control of their wealth.
Once again "computer" == "windows pc"?
Does it run on Linux?
Who the fuck would run mission critical systems on Windows? Sorry pal, but malware is what you will get.
Two words: Impossible. I don't believe that a backwater like Sudan has 32 computers, never mind 32 Stuxnet infections, unless maybe these are real viral infections of decimated cattle. So that map and analysis looks like total bulldust to me.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
And how many casualties so far?
Quite a few on the Iranian side: certain entities have been murdering their nuclear scientists in the streets.
Here is CrySyS' analysis of Flame (which they call Skywiper) (pdf). Seems to be more informative than the Kaspersky ditto.
Flame appears to be a project that ran in parallel with Stuxnet/Duqu, not using the Tilded platform. There are however some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project - such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet’s authors.
Because putting stuff into autorun is a revolution in malware design? I couldn't take the FAQ seriously from that point on.
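The FAQ excerpt above names the autorun.inf infection method as one of the technical links between Flame and Stuxnet. Whatever one thinks of its novelty, it is a check worth automating on removable media. The following is an added example, not code from the Kaspersky FAQ, the CrySyS report or any poster in this thread: it parses the [autorun] section the way a media scanner would and reports the directives (open=, shellexecute=, shell\<verb>\command=, shell=) that cause a program to run, plus the shell32.dll icon trick used to disguise a drive as a folder. The two sample files are constructed for the example and are not Flame artifacts.

```python
"""Triage an autorun.inf for directives that would execute code.

Added example (not from the Kaspersky FAQ, CrySyS or any thread post).
The sample autorun.inf contents below are constructed, not real artifacts.
"""
import re

# Directives that launch a program directly on AutoRun/AutoPlay.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command= binds an Explorer context-menu verb to a command line;
# shell=<verb> makes that verb the default double-click action.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Borrowing an icon from shell32.dll is the classic "look like a folder" lure.
FOLDER_ICON = re.compile(r"shell32\.dll", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Section and key names are case-insensitive on Windows, ';' starts a
    comment, and sections other than [autorun] are ignored.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return a list of findings; an empty list means nothing would execute."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            findings.append(f"{key}= runs '{value}' on AutoRun/AutoPlay")
        elif SHELL_CMD.match(key):
            findings.append(f"{key}= binds an Explorer verb to '{value}'")
    if "shell" in entries and findings:
        findings.append(f"shell={entries['shell']} makes that verb the default double-click action")
    if "icon" in entries and FOLDER_ICON.search(entries["icon"]) and findings:
        findings.append("icon= borrows a shell32.dll icon, disguising the drive as a folder")
    return findings


# Constructed samples (not real artifacts): a benign driver CD and a lure.
BENIGN_SAMPLE = """[autorun]
icon=driver.ico
label=Vendor Driver CD
"""

LURE_SAMPLE = r"""[AutoRun]
; looks like a folder, runs a hidden binary on open/explore/double-click
icon=%SystemRoot%\system32\shell32.dll,4
open=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
shell=open
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("lure", LURE_SAMPLE)):
        print(f"{name}:")
        for finding in assess_autorun(sample) or ["no executable directives"]:
            print("  -", finding)
```

Point it at the root of each mounted volume (or at every autorun.inf in a disk image) rather than trusting a signature; the directives are the infection vector regardless of which binary sits behind them, so a clean AV scan of the executable does not make the file benign.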
Is it a coincidence that a Russian security firm keeps finding this clandestine, state-sponsored, Middle East-directed malware? Or are US and European security firms simply instructed to look the other way? /tinfoilhat
US anti-virus companies are shit, example Norton and McAfee.
Russia have Kaspersky which is considered the best.
Did I do that?
It should be pointed out that the 'massive' in our typically hyperbolic summary appears to refer to the size of the malware (20MB) and not the number of infections which appear to amount to a few hundred at this time.
| implying you need more than some white porn and a popup saying 'install this in order to get that' to infect some Middle Asian :|
| sophisticated
It is well known that other nations' intelligence agencies know how to talk to people (especially Israelis)... hence not much need for IM snapshots & other MP3s of microphone audio being sent to some servers (as Flame does). Also, 20MB/installation is ridiculously big for the target countries' network bandwidth (design-by-committee, typical of US govt).
So, likely culprit is some of the multiple USA's 3-lettered agencies.
It looks like PC malware with modular components. If it's not attacking control systems (which use a different type of CPU and coding), it seems a far stretch to compare it with Stuxnet. Wired is generally very weak on substance in tech articles. Security blogs should have more meaningful discussion of the nature of this nastiness, and hopefully useful steps to mitigate damage. It's hard to believe that malware would be contained to one region.
Articles here really ought to be researched a little to link to core reference sites, not to those ad-driven mass-media sites with attention getting headlines and no meat in the articles.
Hey guys,
Just wanted to let you know that Bitdefender released a tool to find and remove this complex spy tool.
To determine whether your computer is infected with Flamer, download the Bitdefender removal tool from:
http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/
How many years left until people wise up and start working on Capability Based Security? It's the only way to stop this type of stuff.
My major scoop is that my senior Israeli source confirms that it is a product of Israeli cyberwarfare experts. Most such products are produced by the IDF’s Unit 8200, though the Mossad also may take some role in such projects. So add to all the previous marginally successful efforts this new one. The goal is apparently to infiltrate the computers of individuals in Iran, Israel, Palestine and elsewhere who are engaged in activities that interest Israel’s secret police including military intelligence. My source also tells me that this is the first known instance in which Israeli intelligence has used malware to intrude on Israeli citizens. Within Israel and the Palestinian territories Flame is implemented by the Shin Bet. The “beauty” of it for the secret police is that unlike “legal” eavesdropping on phones or computers, you don’t need to ask for judicial approval to infect a computer.
Make of it what you will.