Slashdot Mirror
Flame: The Massive Stuxnet-Level Malware Sweeping the Middle East
An anonymous reader writes "Wired is reporting on a massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Kaspersky Lab, the company that discovered the malware, has a FAQ with more details."
Is it coincidence that a Russian security firm keeps finding these clandestine state-sponsored Middle-eastern directed malware? Or are US and European security firms simply instructed to look the other way? /tinfoilhat
It seems those kinds of viruses are going against the trends, which is using social engineering nowadays, and not very sophisticated software. For example, the oh-so-dangerous Chinese hackers mostly use tactics which boil down to sending emails asking you in clever ways to execute the attached exe or to enter your username and password on their website that looks like your legitimate one.
It's refreshing to see a virus which targets, you know, the actual computer instead of the user.
Wikipedia links to this PDF: http://www.crysys.hu/skywiper/skywiper.pdf
http://www.pcworld.com/businesscenter/article/256370/researchers_identify_stuxnetlike_cyberespionage_malware_called_flame.html
TFA purports that somebody wrote a bunch of code that is a virus, trojan, malware and toaster driver all at once. Nobody knows who did it or why, but they must be very smart. It hijacks data, voice, video and neural transmissions and appears to be able to perform telekinesis. It was likely written sometime after 1996 and before 2021.
It's big.. Really big. So big that it would fit on any USB drive or email attachment created since, well, 1996.
It's smart. Really smart. So smart that it's going to take us literally months of press reports to get it out.
It goes after the Usual Suspects. It may or may not be related to Stuxnet, tilde, Steven P. Jobs or George Bush (either or both of them).
For some strange reason, the coders wrote the thing pretty much unobfuscated. Except that unobfuscated isn't a word.
Be afraid. Be very afraid.
Faster! Faster! Faster would be better!
A good move? Starting a arms race in a field where you are the most vulnerable player? Is isn't a nuclear thermonuclear one, but in this one the best move is not to play too.
Here we declare that any such actions against us are an act of war, right? If it's an act of war against us, isn't it an act of war against them? Are we behind this? If so, WTF?
Take the Red Pill.
Yes it is clearly not in the best interest of the intelligence community to be discovered with whatever plot they're currently plotting away at. On the other hand Kaspersky wants profit, being the first to report on something like this will likely gain them space in the spotlight for the moment at least which translates to profit, so it is probably not in the best interest of Kaspersky to comply with the intelligence community's need for obscurity unless they pay them enough enough(or use some less pleasant means of coercion).
Who made Flame?
Flame seems to use libraries with permissive licenses only. No hacktivists or cybercriminals would care about this issue, they would use whatever works best.
This leaves governments, they might. Why? Because if it ever becomes known who actually made it, that party would need to release all of the sources, had they used libraries under some copyleft license! Why? Well, whoever made Flame has already obviously distributed binaries, so suing for copyleft violation would happen in court, and it would be many people suing, especially the counterparty is the government. It would be a PR disaster, and to risk that on an election year? No way.
Also, Flame requires a considerable infrastructure to store and analyze the spied information. Which governments would be capable of pulling this off? All the big ones with a lot of money to spend: China, Russia, Great Britain, France, USA, Japan, ...
So, which government cares a lot about intellectual property? China? Nope. Russia? Nope. Great Britain - well, yeah. Personally, I don't think it was Great Britain. It would be enlightening to check the Flame Lua-parts (or other plaintext in the main Flame) for spelling of -ise vs. -ize. I bet there's -ize and not -ise.
It is said that Stuxnet and Flame share similar 0-day holes. The nation which developed Stuxnet is Israel and they have a strong history of military and intelligence collaboration with USA. Israel would not have had the capability or capacity to run two such parallel programs on its own.
So who HAS likely NOT made Flame? Drop the nations which are one way or another unlikely candidates, and only one name is really left.
So, who made Flame?
USA made Flame. This is what I think. What's your analysis?
TFA purports that somebody wrote a bunch of code that is a virus, trojan, malware and toaster driver all at once.
You mean it's like a Facebook phone?
Apart from the toaster bit, which might be useful...
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Well, hard to say if it's realy a weapon, but if so I also approve.
Think about it: this may well be a war, an agreessive confilct between twonations, one of which has nuclear weapons, and the other is close. And how many casualties so far? How many cities levelled? This is a good weapon, as weapons go!
Sure, eventually we'll be attacked by the same, and there will be casualties, but it somehow seems less dangerous to civilians than dropping skyscrapers.
Socialism: a lie told by totalitarians and believed by fools.
Kaspersky discovered the malware about two weeks ago after the United Nations' International Telecommunications Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems.
Why do you jump to the conclusion that if it is targeting Iran it must be a good thing? Do you ever question what you see in the media? What if it was written by programmers hired by wall streeters that were trying to gain an upper hand on the oil market, thereby basically stealing money from the Iranians and from you? Still a good thing? This is probably not the case, but that's just it: until we find out all of the details we need to keep our minds open and quizzical, and question who is feeding us what bullshit and why.
Propaganda is getting more and more sophisticated; it is coming at you from all directions. I'm not saying be paranoid, just to realize that most media that gets presented to you has a purpose. Once in a while see if you can divine that purpose.
Try some critical thinking.
Look where all this talking got us, baby.
1. a scarier version of stuxnet
2. a Facebook smarphone
3. secret backdoors on military chips
4. workplace havoc because of OS fake holidays
I was going to accuse Slashdot of fearmongering, until I doublechecked and found out that, yes, Facebook really is trying to build a smartphone.
The Apocalypse is near.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The story also states:
its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals â" marking it as yet another tool in the growing arsenal of cyberweaponry.
What I don't understand is why a massive and technically complex piece of malware necessarily has to be written by a "nation-state"? There are no really smart hackers around that might want to do something like this for the challenge? One might think that a smart hacker might want to point the smoking gun in a different direction?
Explain, please.
If you want news from today, you have to come back tomorrow.
"Except that unobfuscated isn't a word."
http://en.wiktionary.org/wiki/unobfuscated
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I think it is both a matter of money and resources. A "nation-state" has as much money as anyone can, and they also can place moles/agents in a lot of places where your average, even "smart", hacker would shit his pants. Not only that, a lone man can only do so much
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Wait.
Do you seriously believe Iran will eventually attack the USA?
For real? Do you think Khamenei will, someday, wake up, drink his coffee and say "What a nice day! I'll deploy the long-range missile technology I don't have to blow up a location half the planet away from me, just because Rush Limbaugh said I probably would do it."?
Since Iran support/sponsors terrorists and has enough nuclear material to make an estimated five nuclear weapons (although the material may be slightly too crude to weaponize at the moment),
I'd bet the malware was developed either in Israel or the USA...probably Israel with USA support. This could create problems but I think this is a good move.
I think you should work on your premise there. I don't know which terrorists you speak of. The US and Isreal support terrorists ("freedom fighters") when it is in their interest. Both have large amounts of nuclear weapons. Aren't you applying double standards here? How do you know Iran are the evil guys here (just because they are being portrayed as such in the media)? Iranian leadership is whacky, but it isn't warmongering.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
On the other hand Kaspersky wants profit, being the first to report on something like this will likely gain them space in the spotlight for the moment at least which translates to profit...
Profit? If I had been a victim of this malware I'd be pretty pissed at Kaspersky since I'd definitely prefer to keep a very tight lid on this. There is great value in using a tool like this, once it has been discovered, to feed it's operator (presumably the Mossad) a big and steaming pile of plausible bullshit.
Only to idiots, are orders laws.
-- Henning von Tresckow
because the average cyber criminal is gonna go after a large target because like all criminals they are lazy and want the most bang for their time, whereas these things are HIGHLY specialized, with Stux it was specialized to the point of absurdity, so while your average or even smart cyber criminal isn't gonna bother attacking a system with such a small target area and which takes more work than say...ohh...fooling someone with an SMS scam nations on the other hand that want to fuck something specific up without going to war will spend the bux to build something like this.
ACs don't waste your time replying, your posts are never seen by me.
I do not parrot what the media says but the timing is right for a preemptive disruption of Iran's nuclear capabilities. Sure, it could be Wall Streeters but then isn't it you who believe everything you hear in the media (e.g. Wall Street = bad, fat cats, etc.)? They can make plenty of money without this conspiracy...and the last time this was done a couple years ago it was deemed to be state sponsored, not a private company or organization. I'd rather stick to my theory than your made up theory, though yours makes a much better novel. The timing tells me enough and I still think it's good although as someone else pointed out (and as I assumed and mentioned) the attacking country would be retaliated against either via a cyber attack or a physical attack. I believe the USA stated a cyber attack on us would be considered an attack like any other and retaliated against via whatever means necessary.
I thought the previous administration's decision to attack preemptively was bold though uncalled for and will ultimately hurt the credibility of the USA but the current administration has ignored a lot of the issues of the Middle East and shunned Israel so action had to be taken while the time's right.
I personally support diplomacy and peaceful negotiations, but this I approve of because of the timing, the political landscape, and the repercussions of doing nothing.
Not only that, a lone man can only do so much
You massively underestimate the capabilities of determined individuals. One guy on his own reinvented Unix. Napoleon *almost* subjugated all of Asia. Larry Wall invented the world of perl.
Given the chance, I could fix this for Iran by myself, but it'll take a while to train subordinates. Debian wheezy or squeeze?
"Tongue tied and twisted, just an Earth bound misfit
the important somewhat scary question: how does Kaspersky accumulate so much sensitive data?
Think about it. We're talking about personal computers in the middle east. We're talking about some kind of top-shelf spyware. So where does Kaspersky pull their data from?
I think cyberweapons could be seen as useful to computer defense companies. Since I can remember, programmers interested in viruses and virus defense have been apt to bring up the question, "why shouldn't we infect everybody's computer with the latest virus scanner in the form of a virus? Why leave it this voluntary thing?"
Obivously Kaspersky and any other computer virus defense company could benefit from spreading a virus that allows them to actively scan the contents of a computer's drive or memory, if they are looking across a huge geography for a specific signature. They could benefit even more if the virus allowed them to attach modules that will tell them if the cyberweapon attempts to contact other computers either to spread or to report back, because this would allow them to quickly and easily build a vector map.
Which leads me to ask how they get their data in the first place. It's not like they are paying off all the Geek Squads in the Middle East, to send them copies of the entire contents of any drives brought in as having "problems". So how are they discovering threats in the first place, and how can they write paragraphs such as this one:
"According to our observations, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields â" they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that arenâ(TM)t interesting, leaving the most important ones in place. After which they start a new series of infections."
This suggests that they have become intimately knowledgable about the owners of the infected machines, whether or not those owners are persons of interest, and know seemingly just about as much as the owners of the cyberweapon know. So where is the line drawn, to distinguish between threat and defense??
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Many countries, including the US and Israel, support/sponsor terrorists or state sponsored terrorists. For the most recent example just look at the Iranian nuclear scientists that keep blowing up.
"Shunned Isreal" - This is an attempt at humour, right?
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
In the case of Stuxnet, your average hacker doesn't have access to nuclear centrifuge controllers to develop and debug on. For code that is as finely tuned as it was, you need a development lab that includes the target systems or at least true simulations thereof.
For something like Flame, with it being as targeted as it is, you'd expect something similar.
Learning HOW to think is more important than learning WHAT to think.
No but to play devil's advocate here it is far more likely they would lob one at Israel. When that happens, because of treaties we have with them (lots of Jewish folk here to push it through), we would be at war with whoever did attack Israel. It's the same situation with North and South Korea.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
Assuming you're talking about Linus and Linux, he had a LITTLE bit of help along the way.
Napoleon didn't almost subjugate anything without the resources of one of the world's most powerful nation states.
Larry Wall also had quite a bit of help from others making Perl what it is today.
Nice job picking examples that make the GPs point though.
Update 1 (28-May-2012):
According to our analysis, the Flame malware is the same as âoeSkyWiperâ, described by the CrySyS Lab and by Iran Maher CERT group where it is called âoeFlamerâ.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
I think the issue is that the more complex and sophisticated an attack, the more people you need, and then you run into an additional problem - for a criminal enterprise, the more people are involved, the more likely it is to be caught, either through carelessness or snitches.
So the "nation-state's backing" doesn't have to mean that a country's intelligence service is actively doing something, but just that they are sheltering and giving legal immunity to a group of civilian blackhats. And maybe free Mountain Dew.
Also, the deployment of this was apparently done using infected media physically planted on people or at the sites in multiple countries, so it would require some more resources than your typical spread-via-internet virus or worm.
You can tell a lot about who made this thing by looking at who it's targeting: Iran, Palestine, Syria, Lebanon, Eygpt, Saudi Arabia... it's practically a Who's Who of Israel's enemies and potential enemies. If you look at the map in the article, you can see all the infected countries in red, and smack dab in the middle of all of them is Israel. Israel also has some of the most advanced cyberwarfare capabilities in the world, so when you see an extremely sophisticated piece of malware, they should be at the top of your list of suspects. In short, the only way you could possibly make this malware look more Israeli is to circumcise it and put a yarmulke on top.
Here is Crysys' analysis of Flame (which they call Skywiper) (pdf) Seems to be more informative than the Kaspersky dito.
Two words: Impossible. I don't believe that a backwater like Sudan has 32 computers, nevermind 32 stuxnet infections, unless maybe these are real viral infections of decimated cattle. So that map and analysis looks like total bulldust to me.
I know you've got your tongue at least near your cheek, but I worked there a few years ago. They do have computers. The more reputable multinationals were running linux and StarOffice, due to US embargo Microsoft wasn't allowed to sell there. Given the rather not-ready-for-prime-time condition of Star Office in the mid-90s, people did complain and I expect productivity suffered. The embargo also meant that Visa, MasterCard and Amex couldn't operate there, so everything was done with cash. It was a little disturbing arriving in Khartoum with a few grand in cash inside my pockets.
If you ever wonder about what a really, really bad business trip might resemble, I suggest Khartoum.
The subject who is truly loyal to the Chief Magistrate will neither advise nor submit to arbitrary measures (Junius)
According the fine article and the BBC report Israel were also targeted.
You may believe that was done to throw people off their trail - but it's disingenuous not to mention it in your accusation.
In either case it simply makes no sense for anyone OTHER than a nation to have something like this built. look at Stux, last estimate i saw said there was MAYBE 25,000 machines on the planet that would fit the target profile, hell there are probably more Win2K machines still on the net than that and any halfway successful Android or Windows malware can easily get 10 times that much.
In the end a cybercriminal is like any other criminal, they want the biggest haul for the shortest amount of work. These things like Stux require one to several zero day attacks, all to get such a teeny tiny target that frankly a script kiddie would score more machines and get more bang for their bux than one of these bugs. It simply makes no sense from a criminal point of view but DOES make sense if you are a nation that wants to shut down a specific target without going to war. in that case then a bug like this would actually be a bargain when you consider how much even a small conflict will cost in money and resources.
ACs don't waste your time replying, your posts are never seen by me.