Flame Malware Authors Hit Self-Destruct
angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."
No need to wipe the files if no one knows they're there.
All too true. I'm sure the authors will be taking that into account for their next version. Hopefully everyone will be on the lookout and catch it quicker than they did this one.
That doesn't sound like a very effective worm. If they did it that way you could fix the infection with a pf rule.
Not only does Flame use a previously unknown MD5 chosen prefix attack, but now they are removing all traces of the software from machines under their control.
Now, since security researchers already have copies of the software this isn't going to stop anyone further deconstructing and analysing it. The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?
The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive.
Or, to make everyone else stop looking.
You know all of the installations received the same self-destruct command how again?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Why do companies outsource their factories to China? Why did AIG and several other companies leverage themselves to several times what they were worth?
Birds gotta fly. Fish gotta swim. Pointy-haired bosses gotta sacrifice the future for a monetary bonus today.
The teenage hacker in a basement was never as much of a risk compared to what started happening about 15 years ago with organized crime getting involved.
This "new" kind of malware has been dubbed (I think more accurately than most) crimeware.
And whether governments do it, or the RBN, it's still crimeware.
--
BMO
You know what's more interesting?
Heckler und Koch GmbH and Rheinmetall AG have licensed factories in Iran. Iranian factories are cranking out G3s, MP5s, MG3s, all legally and for export. Not to mention the various Chinese/Russian small arms they manufacture (couldn't find out whether those were licensed or not).
I think that, before they ban software companies from doing business in Iran, they should maybe think about banning the firearm companies. Just a thought.
The more I learn about Flame the more it amazes me.
Arstechnica.com has more stories on it and how it worked through collision detection and much more. I am amazed yet worried as I am sure malware mafia folks are using the source code with real NATO-grade malware complete with forging certificates, turning zombies into proxy servers, and using the MD5 collision detection done by professional mathematicians.
Worse, Ubuntu and other operating systems can be hit by this as they use the same algorithms for the certificates. This piece of malware wasn't just done through conventional 0-day exploits but rather a very sophisticated means of forging certificates and might have done the cyberworld much more harm.
http://saveie6.com/
Because there is no legitimate reason to not do business. The relentless war mongering against fictional bogeymen is fascinating, too.
Something tells me that this wasn't designed by a teenager.
There are a limited number of possible suspects. First off, not many parties have the means to create this. The consensus is that Flame is one of the largest and most advanced pieces of malware ever created (it's 20 megabytes of code), which strongly implies that it was developed by a nation with an advanced cyber-warfare capability. That list is pretty short, and would include countries like the United States, China, Russia, Israel, and North Korea.
Second, let's look at the targets. The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order. Roughly half of the infections are in Iran. So whoever created Flame is worried about the Middle East, but really, really worried about Iran. More worried about Iran than any other country. The Iran fixation suggests two possible suspects: Israel and the United States.
The focus on Iran is consistent with Flame coming from the U.S., but Flame also targets several U.S. allies, including Egypt and Saudi Arabia. The other thing is, Flame doesn't target anything outside of the Middle East. If it was produced by the U.S., you'd expect Flame to be found in other countries, North Korea and Pakistan for example, where the U.S. has security interests. But whoever created Flame doesn't really care what happens in North Korea or Pakistan. Whoever created Flame is primarily concerned with countries that are either enemies or potential enemies of Israel: Iran, Palestine, Syria, Lebanon. That strongly suggests Israel as the culprit.
1. Because Iran has money.
2. Because there are 70 million people in Iran, the vast majority of whom are not engaged in trying to kill Americans or Europeans.
3. Because lots of people, especially in Europe, believe that US sanctions are counterproductive, and so don't have such sanctions.
Also keep in mind there are lots of things that aren't barred from export to Iran, and lots of things are sold legally to other countries and then illegally re-exported to Iran. Most notably to Qatar and Bahrain, but other places as well.
All true, which is why you keep multiple backups dating back months, right?
The cesspool just got a check and balance.
... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
... because small groups of smart people can't create something complex? It's software, you don't need massive amounts of funding, all you need is a few smart people and some time.
Have you bothered to read other articles on Flame? Its ability to record and gather information and transmit it back to C&C servers means that it's an excellent tool not just to do large government espionage, but also to listen in on individual conversations. As a tool in a fight against domestic terrorism, and counter-espionage, I imagine it would be very effective; it's like a wiretap, without having to ask a judge for a wiretap. Infections in Israel/Palestine aren't broken down by Israel vs Palestine anywhere I've seen, which may mean that the vast majority are in Palestine. If that's true, it is another pretty large piece of evidence in favor of Israeli authorship.
Why would you think that they wouldn't spy on their own people, especially with their relationship to the Palestinians? If anything, the fact that it's not showing up in the US would tend to prove the point that it was Israel. The US clearly isn't afraid to spy on its own people.
By the same reasoning it could have been made by Iran...
Right, but the assumption has always been they don't vandalize their own bots because the owners would then discover they are part of a botnet. That does not hold if the botnet owner is already dismantling the network; I don't know what motivation they have to not nuke the hosts entirely to ensure they don't leave any fingerprints.
The only thing I can think of is they may be concerned that if a large percentage of the public has their machines trashed all at the same time, Joe Sixpack of Pakistani mangoes might wake up and start taking computer security seriously. Which could make future botnets harder to construct.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html