Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flame Malware Authors Hit Self-Destruct

Posted by samzenpus on from the without-a-trace dept.

angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."

20 of 260 comments (clear)

  1. Interesting by Anonymous Coward · · Score: 5, Interesting

    Something tells me that this wasn't designed by a teenager.

    1. Re:Interesting by DarkOx · · Score: 5, Interesting

      it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability.

      The thing weighing in at 20 megs is not an achievement, rather its an embarrassment showing total lack of craft. Much of the code in this thing is not the malware itself either, its interpreters and support libraries to run it, and much of open source and otherwise stuff that serves other purposes. Its not an efficiently built thing at all.

      The only achievement here if there is one is somebody manged to deliver a payload that large, so often undetected and reliably. I agree it looks state sponsored to me, only government contractors could create a turd this large and still polish it enough that it mostly worked.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Interesting by cryptizard · · Score: 4, Interesting

      Actually quite the opposite. It has been stated by antivirus folks that its large size and structure actually helped it hide for longer. AV software is used to viruses being super-optimized and obfuscated. Flame on the other hand looks like any other desktop application, complete with included runtimes.

  2. No AutoDestruct by bengoerz · · Score: 5, Interesting

    In hindsite, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained. As it stands, there's still evidence of Flame sitting on disconnected machines.

    1. Re:No AutoDestruct by gman003 · · Score: 5, Interesting

      Imagine if everything had gone according to plan. They've gotten all the data they need, and have not been detected. They issue a self-destruct order, and bam. Nobody will ever know they were even there.

      Now, as for why they're doing it now, there's another reason. I imagine the target has figured out they're infected. But maybe they don't know every computer that was infected. And if the virus has self-destructed, they may never know for sure which machines were hit. Even if they actually *did* ID every machine, the fact that the creators did this may make them think they missed some.

    2. Re:No AutoDestruct by Billly+Gates · · Score: 5, Interesting

      If this is a real professional job I would not be surprised if it leaves some backdoors opened for another different piece of malware. It wouldn't surprise me if Cisco router rootkits exist. After all evidence points in China they are doing just this, as they did with Nortel routers with a backdoor.

      --
      http://saveie6.com/
    3. Re:No AutoDestruct by Baloroth · · Score: 5, Interesting

      The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable, anyways, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminated the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.

      A secondary implication is that Flame has fulfilled it's purpose. Again, what that is, no one is exactly sure (espionage, certainly, but you don't create something this advanced without some specific target in mind) and wasn't worth maintaining anymore.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  3. The bigger question. by multicoregeneral · · Score: 4, Interesting

    Sure, all this business with Flame is absolutely fascinating. But even more fascinating: why are European and American software companies doing business with Iran in the first place?

    --
    This signature intentionally left blank.
    1. Re:The bigger question. by Hamsterdan · · Score: 4, Interesting

      I have a hunch money's involved...

      --
      I've got better things to do tonight than die.
    2. Re:The bigger question. by Anonymous Coward · · Score: 2, Interesting

      Germany is Iran's largest trading partner as well.

      Say what you will about a culture of Holocaust related guilt (which has caused them to fund and build multiple nuclear missle subs for Israel), Germany has far less qualms about who it sells what to than any other country I've ever seen. They sell guns to Iran and subs to Isreal; tanks to Turkey and landing craft to Greece. If there's a conflict Germany is more than happy to supply both sides if there's profit to be made.

      Side note, I'm married to a German national, and happy that as fucked up as U.S. foreign policy is at least we've picked a side on our misguided war.

  4. Re:That's it, I'm officially convinced by Billly+Gates · · Score: 3, Interesting

    Dude the more you spam for it the higher the Google page ranking it gets. Out of curiosity I did a google search for malware and cleanPC was 4 out of the 5 links listed. Good god talk about SEO to the extreme

    --
    http://saveie6.com/
  5. Re:Nice try by griffjon · · Score: 4, Interesting

    Does it close the doors on the way out and patch the various exploits it used to get in to the system in the first place, or does it just leave the system ripe for future re-exploitation by the same or similar tools?

    In other news, over in Oz - the man who was behind the curtain is not only unimportant, but not there now, so please stop looking.

    --
    Returned Peace Corps IT Volunteer
  6. Re:SUICIDE not good enough... by blueg3 · · Score: 5, Interesting

    Journals are only so deep and, more importantly, only contain file metadata. You might, sometimes, be able to use them to determine that a file used to exist on a computer, but not what its contents were.

  7. Re:SUICIDE not good enough... by catmistake · · Score: 5, Interesting

    The more I learn about Flame the more it amazes me.

    The more I learn about the whole cyberwar program the more I am impressed.

    --
    The Admin and the Engineer
  8. Best reason to hide this is 'Intelligence'. by arthurh3535 · · Score: 5, Interesting

    As in those who were infected that lost important data can no longer know (for a surety) that their important data kept on their computer/server was compromised or not.

    "So our top-sekret 'eyes-only' data may or may not be compromised and they may know everything. But we don't know if they actually know anything about everything. So we can't trust anything that we've stored on a computer in the last year."

    Talk about your security nightmare situation for an Intelligence Agency of some acronym.

    --
    No! It's a *SIG*. Keep the Special Interest Groups away! (Con joke!)
  9. Re:SUICIDE not good enough... by hairyfeet · · Score: 4, Interesting

    Which brings up something I've been wondering about...is it even POSSIBLE to overwrite a file if its on an SSD? Sure its easy enough to do on a HDD without having to wipe the whole drive, but since the SSD basically "lies" to the OS about where the data is actually at so it can perform wear leveling is it even possible to overwrite just a few files on an SSD with random data, or would one have to format the whole thing?

    As for TFA just more proof it was written by a government and NOT a criminal, because a criminal would have been more likely just to wipe the whole drive just to be pricks. Lets face it when it comes to malware we have a lot more cases of the writers being pricks than we do of them being nice, so it just makes me think even more these new bugs are just government works for hire.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  10. Re:SUICIDE not good enough... by detritus. · · Score: 5, Interesting

    Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3

    No one should dismiss the likelihood of rogus developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu. This news also appeared on Slashdot, but it's mysteriously disappeared since then (this is where I originally heard about it).

  11. Re:SUICIDE not good enough... by drinkypoo · · Score: 4, Interesting

    But, a format or full empty space overwrite should make sure somebody will have to disassemble the drive to actually get to the data remnants

    That is almost certainly false. The vendor almost certainly has commands to let them retrieve the full data from the drive over the bus.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Re:SSD file deletion and overwriting by DocSavage64109 · · Score: 3, Interesting

    This older article from slashdot points out the opposite problem.

    "They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker."

  13. Re:SUICIDE not good enough... by hairyfeet · · Score: 5, Interesting

    Please don't do that. you'd be surprised how many people out there can't afford a PC at all and how many guys there are like me that donate their time refurbing give aways from businesses so that those poor folks can have a PC. I have yet to see ANYONE recover squat from a spinning rust drive wiped with DoD-3, which is what I use on all donations, so please don't destroy the drives because with the price of HDDs still so high that just means that many more machines can't be refurbed to help the poor. Do a DoD-3 and then use whatever software you wish to try to recover but you won't find anything, then donate it, if you don't know about anyone like me your local churches or Freecycle will be glad to help.

    But so far if things continue as they have been frankly you won't have to give away that SSD, it'll already be dead before you get a chance. The amount of failures from SSDs is just insane, every one of my gamer customers that tried to switch ended going with the hybrids or raptors simply because of how quickly they die.

    But when it comes to HDDs please just do a DoD-3, there are folks out there that would look upon that old P4 or early dual as a real blessing, thanks.

    --
    ACs don't waste your time replying, your posts are never seen by me.