Flame: The Massive Stuxnet-Level Malware Sweeping the Middle East

An anonymous reader writes "Wired is reporting on a massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Kaspersky Lab, the company that discovered the malware, has a FAQ with more details."

Kap Crap

Isn't this the same company that made the bogust spoof about malware on systems? With an aggressive "NEED TO UPGRADE TO PREMIUM?"

Kaspersky Again

[matty619]

Is it coincidence that a Russian security firm keeps finding these clandestine state-sponsored Middle-eastern directed malware? Or are US and European security firms simply instructed to look the other way? /tinfoilhat

Re:Kaspersky Again

[mpoulton]

In my opinion, Us, European, and Russian security firms should ALL be looking the other way and keeping their mouths shut. Once it's reasonably clear that a piece of malware is an espionage tool directed at our mutual targets of intelligence interest, and that it doesn't pose a general threat to our own information security, they should keep it to themselves. There's nothing patriotic, altruistic, laudable, or beneficial about screwing up legitimate national intelligence projects. This ain't a scandal, corruption, or anything of the sort.

Re:Kaspersky Again

[spazdor]

Should the details of the latest stealth aircraft technology be publicly disclosed so voters can make informed decisions?

If the latest stealth aircraft is designed to break into civilians' homes and hide there, then, um, yes. Yes they should.

Re:Kaspersky Again

[houghi]

Voting is done by emotion, not by logic.

Belgium has a multi-party system and before the elctions there was a voting test (stemtest) if you did not know who to vote for.
With several questions about statements and the importance of those statements.

Several politicians who tried it where apparently in the wrong party. That could be explained that they went to a certain party for whatever reason.

Several friends of mine who did the test got to a different party then what they would normally vote for. When I asked them if they would vote for that new party, the answer was mostly no and sometimes, I do not know yet.

When I asked why, the answers where always emotional, not rational. These people were well informed and STILL went with their emotions. Some of them based on fear, others on not wanting to break tradition "because that who they voted for before".

Re:Kaspersky Again

[Will.Woodhull]

There comes a point with even the most successful cyberattack vector-- think stuxnet-- of diminishing returns. Sooner or later the nation under attack is going to wise up and put in place some sort of protection.

However the attacker can change the game and go public just before that point, and do so in a way that can create enough confusion and fud to further damage his opponent. The way the news about stuxnet was dribbled out, with lots of caveats and plausible conspiracy theories, Iran has had to spend a lot more than they had budgeted for on system reviews. And all those Iranian tech people who have been tied up in assuring that military and critical civilian systems are clean-- well, they are no longer available for other pursuits, like refining nuclear detonation models or missile control systems. This is significant: if you can tie up the intellectual resources of a country with a few thousand lines of code, you can bring the development of their war machine to a grinding halt. And do it without anyone having to dodge real bullets.

It is plausible that we are now learning about Flame because its controllers have decided that it is time to go public. Kaspersky might be simply an unwitting player in moving the game to the next level. Or perhaps they are very much in the loop. From the perspective of a third party, it doesn't matter. What matters is that Flame makes it more likely that any clandestine business arrangements with repressive Middle East countries will become public. That shifts the risk - benefit analysis of companies that are thinking about doing business with those governments, and those governments will find some purchases will be harder to make and more expensive.

Of course this post adds to the fud; it suggests a complex conspiracy theory operating on several levels. I can say that I am not a party to such a conspiracy, but most readers would not be able to verify that. I can also say that as I do not much like the current regimes in Iran and Syria, I think it would be a good thing if they had to spend more of their resources on assuring that all their computers were clean of nasty little surprises. It seems to me that talking up the possibility of some kind of international conspiracy of many, many levels would be a good thing, whether it is true or not. Could the intelligence agencies of the USA, UK, Israel, Russia, Denmark (why not Denmark?) and so on have formed their own little Anonymous group? Can you not picture Ninja Hackers in Guy Fawkes masks?

Going against the trend

[satuon]

It seems those kinds of viruses are going against the trends, which is using social engineering nowadays, and not very sophisticated software. For example, the oh-so-dangerous Chinese hackers mostly use tactics which boil down to sending emails asking you in clever ways to execute the attached exe or to enter your username and password on their website that looks like your legitimate one.

It's refreshing to see a virus which targets, you know, the actual computer instead of the user.

Re:Seriously??

[Genda]

First we got the bomb, and that was good,
'Cause we love peace and motherhood.
Then Russia got the bomb, but that's okay,
'Cause the balance of power's maintained that way.
Who's next?
France got the bomb, but don't you grieve,
'Cause they're on our side (I believe).
China got the bomb, but have no fears,
They can't wipe us out for at least five years.
Who's next?

-- Tom Lerher "Who's Next"

Who made Flame?

Who made Flame?

Flame seems to use libraries with permissive licenses only. No hacktivists or cybercriminals would care about this issue, they would use whatever works best.

This leaves governments, they might. Why? Because if it ever becomes known who actually made it, that party would need to release all of the sources, had they used libraries under some copyleft license! Why? Well, whoever made Flame has already obviously distributed binaries, so suing for copyleft violation would happen in court, and it would be many people suing, especially the counterparty is the government. It would be a PR disaster, and to risk that on an election year? No way.

Also, Flame requires a considerable infrastructure to store and analyze the spied information. Which governments would be capable of pulling this off? All the big ones with a lot of money to spend: China, Russia, Great Britain, France, USA, Japan, ...

So, which government cares a lot about intellectual property? China? Nope. Russia? Nope. Great Britain - well, yeah. Personally, I don't think it was Great Britain. It would be enlightening to check the Flame Lua-parts (or other plaintext in the main Flame) for spelling of -ise vs. -ize. I bet there's -ize and not -ise.

It is said that Stuxnet and Flame share similar 0-day holes. The nation which developed Stuxnet is Israel and they have a strong history of military and intelligence collaboration with USA. Israel would not have had the capability or capacity to run two such parallel programs on its own.

So who HAS likely NOT made Flame? Drop the nations which are one way or another unlikely candidates, and only one name is really left.

So, who made Flame?
USA made Flame. This is what I think. What's your analysis?

Re:A Step in the Right Direction

Since Iran support/sponsors terrorists and has enough nuclear material to make an estimated five nuclear weapons I see no problems with this type of attack.

And if this was turned around and directed at the US this would be suddenly bad, right?

Because you're the "good guys" so if you do it then it must be OK and if everyone else did it, it should be a crime?

Fuck, no wonder people think America applies a nice double standard to themselves -- fuck you and your Manifest Destiny.

I'll take security researchers who aren't going to just shut up to let security holes be out there to be exploited.

Re:Seriously??

[mpoulton]

Um, wrong. Where did you get the idea that the US views malware-based foreign espionage as an act of war?

So if important US systems were infested with Iranian-government malware, Congress wouldn't be demanding that Obama bomb Iran this afternoon?

Important US government systems ARE being continuously attacked by Chinese-government actors, and Congress is NOT demanding that Obama bomb China. I don't think the result would be any different if it were Iran doing it (and they're probably trying). "Cyber-warfare" is not real war, and in practice it does not provoke a military response these days. It's happening all the time.

Re:Seriously??

And what do you think are you going to bomb in China, exactly? Your own company's factories? "God damn it, stop hacking us or we'll bomb our own ipad factory!" Yeah, the Chinese are fucking scared...

Re:Seriously??

Actually it's funny this is right out of Marxist philosophy which says whoever controls the means of the production are the rulers of that society. Well, over the last 20 years China has pulled in all of the world production so guess what that means? Haha, the Chinese are pretty crafty. If only Americans had read Marx instead of burning it they might have seen it coming.

I'll ask

[eyenot]

the important somewhat scary question: how does Kaspersky accumulate so much sensitive data?

Think about it. We're talking about personal computers in the middle east. We're talking about some kind of top-shelf spyware. So where does Kaspersky pull their data from?

I think cyberweapons could be seen as useful to computer defense companies. Since I can remember, programmers interested in viruses and virus defense have been apt to bring up the question, "why shouldn't we infect everybody's computer with the latest virus scanner in the form of a virus? Why leave it this voluntary thing?"

Obivously Kaspersky and any other computer virus defense company could benefit from spreading a virus that allows them to actively scan the contents of a computer's drive or memory, if they are looking across a huge geography for a specific signature. They could benefit even more if the virus allowed them to attach modules that will tell them if the cyberweapon attempts to contact other computers either to spread or to report back, because this would allow them to quickly and easily build a vector map.

Which leads me to ask how they get their data in the first place. It's not like they are paying off all the Geek Squads in the Middle East, to send them copies of the entire contents of any drives brought in as having "problems". So how are they discovering threats in the first place, and how can they write paragraphs such as this one:

"According to our observations, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields â" they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that arenâ(TM)t interesting, leaving the most important ones in place. After which they start a new series of infections."

This suggests that they have become intimately knowledgable about the owners of the infected machines, whether or not those owners are persons of interest, and know seemingly just about as much as the owners of the cyberweapon know. So where is the line drawn, to distinguish between threat and defense??