Flame Malware Authors Hit Self-Destruct
angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."
The article implies that the new module overwrites with random data instead of just deleting files. I guess the original authors didn't think of that one... government inefficiency in action, I suppose.
.: Semper Absurda
Something tells me that this wasn't designed by a teenager.
My mother was wondering why her computer suddenly was working so much better.
Thanks dudes!
I wonder how many man hours of confusion this will cause with people falsely believing their bugs are flame.
Er no, this is infected machines being remotely instructed to clean themselves up by the person controlling the "virus". It has nothing to do with you doing anything to your machine. They sent the virus an instruction, and the virus is removing all traces of itself from a machine.
Seven puppies were harmed during the making of this post.
In hindsight, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained. As it stands, there's still evidence of Flame sitting on disconnected machines.
He wasn't implying it had anything to do with someone doing anything to their own machine. He was implying that Flame is a government intelligence tool and someone came up with a better way of making sure that's never proven.
"Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
Bleh, sorry. The way the thread was set up it looked like your reply was to someone else.
Sure, all this business with Flame is absolutely fascinating. But even more fascinating: why are European and American software companies doing business with Iran in the first place?
This signature intentionally left blank.
it will be, but the TLAs will deny deny deny.
Not only does Flame use a previously unknown MD5 chosen prefix attack, but now they are removing all traces of the software from machines under their control.
Now, since security researchers already have copies of the software, this isn't going to stop anyone further deconstructing and analysing it. The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?
The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive.
Or, to make everyone else stop looking.
You know all of the installations received the same self-destruct command how again?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If the binary is un-distributed by the authors, does that mean that they no longer have to comply with the terms of the GPL and release the source code?
http://yro.slashdot.org/story/12/06/06/1256217/stuxnetflameduqu-uses-gpl-code
Better get on that GPLv4 Richard!
The people who wrote Flame are the same fine ladies and gentlemen who have brought us CleanMyPC.com. Apparently their accountant is on vacation or something, because removing malware is generally a service that they charge for.
Oh oh..... can I name the next one? Let's call it "Red Mercury", and it should be taking out a reactor in 5, 4, 3, 2
maybe it self destructs when it can't find a LAN connection?
Works for Diablo 3...
Does it close the doors on the way out and patch the various exploits it used to get in to the system in the first place, or does it just leave the system ripe for future re-exploitation by the same or similar tools?
In other news, over in Oz - the man who was behind the curtain is not only unimportant, but not there now, so please stop looking.
Returned Peace Corps IT Volunteer
It could have been worse, the instruction could have been to wipe the computer's hard drive, or worse, load garbage into the EEPROM, overwrite the BIOS, and THEN wipe the computer's boot sectors, then hard drives... would be tough to recover from that. Even if you have backups and a boot disk... if your BIOS is destroyed, your computer is going to require professional help even to get to the point where it starts looking for a bootloader...
It seems almost pointless though, since the virus is known, I'm sure there's at least one known, infected machine that was NOT on, (and therefore not connected to the internet,) that can be analyzed forensically, since the operator(s) will know not to connect it to the internet again until they're done analyzing it, so that it cannot receive the (virus) self-destruct instructions...
... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
"The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order."
Why would Israel create malware that hits themselves second? So they can play innocent?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
As in those who were infected that lost important data can no longer know (for a surety) that their important data kept on their computer/server was compromised or not.
"So our top-sekret 'eyes-only' data may or may not be compromised and they may know everything. But we don't know if they actually know anything about everything. So we can't trust anything that we've stored on a computer in the last year."
Talk about your security nightmare situation for an Intelligence Agency of some acronym.
No! It's a *SIG*. Keep the Special Interest Groups away! (Con joke!)
Maybe it was unintentional? Stuxnet wasn't supposed to be released, maybe a code change was made and deployed in Israel and it escaped at that point.
Have you bothered to read other articles on Flame? Its ability to record and gather information and transmit it back to C&C servers means that it's an excellent tool not just to do large government espionage, but also to listen in on individual conversations. As a tool in a fight against domestic terrorism, and counter espionage, I imagine it would be very effective; it's like a wiretap, without having to ask a judge for a wiretap. Infections in Israel/Palestine aren't broken down by Israel vs Palestine anywhere I've seen, which may mean that the vast majority are in Palestine. If that's true, it is another pretty large piece of evidence in favor of Israeli authorship.
Why would you think that they wouldn't spy on their own people, especially with their relationship to the Palestinians? If anything, the fact that it's not showing up in the US would tend to prove the point that it was Israel. The US clearly isn't afraid to spy on its own people.
By the same reasoning it could have been made by Iran..
Stuxnet wasn't supposed to be released.
You sure are gullible.
Download rate for MyCleanPC is up in Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
"The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order."
Why would Israel create malware that hits themselves second? So they can play innocent?
You're not familiar with the standard modus operandi of Mossad, are you?
Why would Israel create malware that hits themselves second? So they can play innocent?
Same reason the good ol' US of A spies on its citizens. To catch those pesky terrorists and/or get dirt on political enemies. Or do you think every single person in Israel is a frothing-at-the-mouth Zionist?
They sent the virus an instruction, and the virus is removing all traces of itself from a machine.
It makes me wonder how they implemented that functionality. Because, in the Windows world an executable cannot delete or modify itself. Files that are open for reading cannot be deleted; this is also the reason for the message "Windows cannot update important system files and services while the system is using them" after running Windows Update.
So how did they do it? Separate the self-destruct module into a different executable, placing it in temp storage or something? But then that executable will remain on disk. Unless they aren't worried about that. "Who cares, the sensitive parts have been securely deleted."
I am not really here right now.
And whether governments do it, or the RBN, it's still crimeware.
I think that's taking a fast and loose definition of "crime", isn't it? That would make tanks, bombs, planes, and even spy tech... all crimetech.
Spyware is taken, and Warware may not roll off the tongue as easily. But calling government cyberwar activities Crimeware just feeds the nutjob conspiracy theorists, as though no government has any legitimate self interest in spying or conducting activities against other countries.
As someone against the taking of human life, I find government cyberwar methods to be the best thing to happen to humanity since the bullet proof vest!
I8-D
The consensus is that Flame is one of the largest and most advanced pieces of malware ever created (it's 20 megabytes of code), which strongly implies that it was developed by a nation with an advanced cyber-warfare capability.
I'm really choking on this oft recited mantra. Lest we forget, we are talking about computer code. We are talking about describing an idea or process in a machine readable language. So, the fact of the matter is that anyone that "speaks" the language is capable of doing it.
Remember the 13 year old Swedish computer "master minds" of the 90's that "miraculously" broke into computers on the other side of the world and deleted files! Geniuses! Impossibly brilliant miscreants! Our head asplode!
That Flame seems to have a politically motivated slant does seem to imply a nation state is behind it, but even that is not guaranteed. There are plenty of people and fringe groups with deep seated political motivations. Any of them are capable of hiring a programmer and some of them may even be programmers themselves.
My point is that the "consensus" and the mantra are ludicrous with no hard evidence. Contrary to the recitations of the media, it's not such a complex program that it is beyond the realm of possibility that it is anyone besides a nation state. It could literally be anyone. If a nation state can motivate an employee programmer, presumably with money, would that same programmer not be equally capable if they were self motivated? What if they were motivated with funding from a drug cartel or arms dealer?
The self-destruct routine in Flame won't stop security analysts from doing research on it. All it takes to protect your copy of Flame from going up in smoke, is a backup.
The only thing this is going to prevent is detection in a previously undetected install.
Yay, it's gone! Does that mean it's safe for me to play Angry Birds again?
UTF-8: There and Back Again
No doors are closed. It just kills itself very very thoroughly. As far as I can tell, it does not even take pains to wipe the data it has collected.
That's why when you have a copy of the infected files, or the hard disk, or the virus itself, you don't run the system. You analyze it from another system, to ensure no writes are done by the infected system.
Fear not, once it's in the researchers' hands, it ain't going anywhere.
The self-destruct module is a Lua script.
Why would they want to? Considering the purpose of Stuxnet, it would be essential that it remains hidden from security firms. It escaping into the wild was most definitely an accident.
"Civis Europaeus sum!"
This older article from slashdot points out the opposite problem.
"They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker."
Flame Off
The Congress did not give the Executive branch this power by any sort of law that I can recall
Who said this was limited to the US government? You are talking about against US citizens by the US government, a very select case. Several countries can spy on their own citizens "by law", China for instance. It's quite legal there. So, that immediately would contradict your statement "It's an illegal activity, whether done by governments or by the mob." Because it's just not true on its face.
We are not aware which country did this, unlike Stuxnet. So let's look at Stuxnet, which was created by the US and Israel. The CIA operates under similar legality to operate on foreign agents and powers. Why does Stuxnet differ from an agent sneaking in and sabotaging a machine?
In what way is Stuxnet, targeted at Iran, crimeware under US law? Sometimes laws give explicit powers. Other times, powers are assumed unless explicitly prohibited.
Something is not simply illegal where the law is silent.
So, assuming Stuxnet was an operation carried out by the US government against the Iran government, and assuming that it operated as intended, namely that it never left Iranian facilities... show me the law, the exact law, that makes it illegal.
You are sort of blandly making these assumptions of legality... without anything legal backing. If you were to take the makers of Stuxnet to court, what law would you go to SCOTUS charging them with if you were Iran?
You can't just throw "not done under the rule of law" out there. That's some libertarian, "government can't do anything unless we spell it out in exact detail to them, with no wiggle room", jargon. And, you may very well be a libertarian and believe that. Unfortunately for that argument, neither the US government nor the courts nor China nor Russia nor many other countries with cyberwar programs take such a view on the law.
That leaves it as thinking it should be illegal, but that's opinion, not law.
In the Windows world, an executable cannot delete or modify itself if it's running in memory. So, kill the process, modify the process, start the process back up in such a time that the rest of the OS doesn't notice the missing functionality, perhaps? The restart you mention doesn't mean the storage item hasn't been modified; it's just to get the whole set of patches into memory in a clean manner.
I know nothing about this, so take my post with a grain of salt - but with my given limited knowledge, this is how I'd do it. I know that if you have rights (and most windows users do) you can modify anything on disk you want.
Like the fire needs Heat, Fuel and Air, Flame needs a Worm, a Virus and a Malware to live. The suicide command is a lie, because Worms can't be erased from computers. Following my thoughts, the Heat is the Worm, hosted inside our motherboards, only waiting for a Fuel, or a Virus, to wake up. The Air is the element of the cloud; just accessing a website containing a Malware with specific instructions will fire the Flame again. Call me crazy, before calling me a hacker; I just know what I know, maybe I just can't express myself properly. But sure you can call me a very experienced programmer.
The CENTRAL INTELLIGENCE AGENCY, authors of Flame, hit the self-destruct button after the recent New York Times article exposing their work on Stuxnet and Duqu.
Removing the malware is also psychological ops. Every person of importance in Iran and the Middle East... HAS TO ASSUME THEY'VE BEEN COMPROMISED. The fact that IT can not find any evidence of Flame on their machines is of no comfort.
Despite being smart and thoughtful enough to put in a method to cover their tracks after discovery, they took way, WAY too long to pull the trigger, and too much forensic data has already been determined. That's a failure of bureaucracy. A more nimble organization would have flushed the damn thing before it could be slashdotted.
I would think that any of the standard mechanisms in Windows for removing an installed program could be hijacked.
Considering some of these exploits are algorithmic and have nothing to do with the implementation, no. You don't "patch" these exploits. You move to a different algorithm entirely.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Awesome guys, these malware writers; seems to me they should be running things, as they think of everything!?
Move along. Move along.
Who else would bother to cover their tracks? They have something to lose, so they have to try to clean up and remove the evidence. An individual or a guerrilla has no such requirement or pressure to do that. Best bet: USA and/or Israel behind it. Most likely the USA, while Stuxnet has the elegance of an Israeli effort.