Flame Malware Authors Hit Self-Destruct

← Back to Stories (view on slashdot.org)

Flame Malware Authors Hit Self-Destruct

Posted by samzenpus on Thursday June 7, 2012 @02:12PM from the without-a-trace dept.

angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."

184 of 260 comments (clear)

Min score:

Reason:

Sort:

SUICIDE not good enough... by reve_etrange · 2012-06-07 14:18 · Score: 5, Funny

The article implies that the new module overwrites with random data instead of just deleting files. I guess the original authors didn't think of that one...government inefficiency in action I suppose.

--
.: Semper Absurda :.
1. Re:SUICIDE not good enough... by Anonymous Coward · 2012-06-07 14:22 · Score: 3, Insightful
  
  No need to wipe the files if no one knows they're there.
2. Re:SUICIDE not good enough... by cheater512 · 2012-06-07 14:50 · Score: 5, Informative
  
  It overwrites with random data THEN deletes.
  Makes it impossible to tell it was ever installed.
  Otherwise you could scan the disk for remnants to tell if a computer was infected in the past.
  Delete doesn't actually remove any data, just the filename and allocates it as free space.
3. Re:SUICIDE not good enough... by Billly+Gates · 2012-06-07 15:13 · Score: 5, Insightful
  
  The more I learn about Flame the more it amazes me.
  Arstechnica.com has more stories on it and how it worked through collision detection and much more. I am amazed yet worried as I am sure malware mobfia folks are using the source code with real NATO grade malware complete with forging certificates, turning zombies into proxy servers, and using the Md5 collision detection done by professional mathematicians.
  Worse Ubuntu and other operating systems can be hit by this as they use the same algorithms for the certificates. This piece of malware was just done through conventional 0 day exploits but rather a very sophisticated means of forging certificates and might have done the cyberworld much more harm.
  
  --
  http://saveie6.com/
4. Re:SUICIDE not good enough... by cheater512 · 2012-06-07 15:29 · Score: 5, Informative
  
  Most certificates these days use SHA1 at the very least.
  This is not a issue for Linux anyway because Linux does not use certificates for code.
  Some do sign repositories, however those certificates are somewhat stronger.
  Remember, MD5 has been broken and deprecated for many years.
5. Re:SUICIDE not good enough... by blueg3 · 2012-06-07 15:30 · Score: 5, Interesting
  
  Journals are only so deep and, more importantly, only contain file metadata. You might, sometimes, be able to use them to determine that a file used to exist on a computer, but not what its contents were.
6. Re:SUICIDE not good enough... by Darinbob · 2012-06-07 15:46 · Score: 1
  
  Many file systems will allocate new blocks when overwriting data. Not sure what Windows does. There is also the problem of scrubbing old versions of the files whenever updates are recieved.
7. Re:SUICIDE not good enough... by mysidia · 2012-06-07 15:51 · Score: 4, Informative
  
  Journals are only so deep and, more importantly, only contain file metadata.
  True, but Volume shadow copy can retain past revisions of files for a considerable length of time. So can backup applications which store copies of files offline
8. Re:SUICIDE not good enough... by blueg3 · 2012-06-07 15:57 · Score: 1
  
  Sure, so can copy-on-write filesystems and lots of other mechanisms.
9. Re:SUICIDE not good enough... by Anonymous Coward · 2012-06-07 16:08 · Score: 5, Informative
  
  Journals are only so deep and, more importantly, only contain file metadata.
  This is true for most installations, but not in general. Some journaling filesystems (including ext3 and ext4) let you write all data through the journal as well -- it guarantees data integrity as well as filesystem consistency.
  Obviously, if the journal is on the filesystem device (internal journal, or external journal on another partition of the same disk (but WTF would you do that)), it costs you half your write bandwidth, which is why it's rarely used (though it can boost performance on fsync-heavy workloads, because it reduces seeking), but it can be effective with an external journal, or if the data integrity is worth the performance loss.
10. Re:SUICIDE not good enough... by Gr8Apes · 2012-06-07 16:09 · Score: 3, Insightful
  
  all true, which is why you keep multiple backups dating back months, right?
  
  --
  The cesspool just got a check and balance.
11. Re:SUICIDE not good enough... by catmistake · 2012-06-07 16:10 · Score: 5, Interesting
  
  The more I learn about Flame the more it amazes me.
  The more I learn about the whole cyberwar program the more I am impressed.
  
  --
  The Admin and the Engineer
12. Re:SUICIDE not good enough... by viperidaenz · 2012-06-07 16:20 · Score: 3, Informative
  
  Many SSD's will write to empty blocks without erasing the original as the erase block size is much larger than the write block size. You don't want to have to read 15x more data and write it back just because you changed 16th of the erase block.
13. Re:SUICIDE not good enough... by hairyfeet · 2012-06-07 17:43 · Score: 4, Interesting
  
  Which brings up something I've been wondering about...is it even POSSIBLE to overwrite a file if its on an SSD? Sure its easy enough to do on a HDD without having to wipe the whole drive, but since the SSD basically "lies" to the OS about where the data is actually at so it can perform wear leveling is it even possible to overwrite just a few files on an SSD with random data, or would one have to format the whole thing?
  As for TFA just more proof it was written by a government and NOT a criminal, because a criminal would have been more likely just to wipe the whole drive just to be pricks. Lets face it when it comes to malware we have a lot more cases of the writers being pricks than we do of them being nice, so it just makes me think even more these new bugs are just government works for hire.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
14. Re:SUICIDE not good enough... by TapeCutter · 2012-06-07 18:41 · Score: 1
  
  Trashing the whole disk is mindless vandalisim, botnet authours may be pricks but they don't normally vandalise their own bots.
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
15. Re:SUICIDE not good enough... by Anonymous Coward · 2012-06-07 19:22 · Score: 5, Informative
  
  As someone who works in the ITAD industry SSDs are causing an absolute shit-fit to put it lightly. No, it is not possibly to reliably overwrite any given file on an SSD. The obfuscation layer makes it impossible to do perform a true full overwrite and even harder to verify.
  Sadly even formatting the whole thing is ineffective if you want to be sure that 100% of data is overwritten. SSDs have 10-30% more blocks than they let on, and the drive chooses which ones it's telling you about. If you write one day and wipe another your guess is as good as mine where the data was saved, what the software tried to overwrite, and what any effort to verify is reading. All three could be different.
16. Re:SUICIDE not good enough... by Henk+Poley · 2012-06-07 20:07 · Score: 2, Informative
  
  A format is not enough. You have to do a ATA Secure Erase to be really sure. But, a format or full empty space overwrite should make sure somebody will have to disassemble the drive to actually get to the data remnants. Since the visible virtualized drive part will of course remain empty, else the 'contract' of storage would be broken.
17. Re:SUICIDE not good enough... by detritus. · 2012-06-07 20:07 · Score: 5, Interesting
  
  Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3
  No one should dismiss the likelihood of rogus developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu. This news also appeared on Slashdot, but it's mysteriously disappeared since then (this is where I originally heard about it).
18. Re:SUICIDE not good enough... by DarkOx · 2012-06-07 21:37 · Score: 4, Insightful
  
  Right but the assumption has always been they don't vandalize their own bots because the owners would then discover they are part of a bot net. That does not hold if the bot net owner is already dismantling the network, I don't know what motivation they have to not nuke the hosts entirely to ensure there don't leave any finger prints.
  The only thing I can think of is they may be concerned that if a large percentage of the public has their machines trashed all at the same time Joe Sixpack of Pakistani mangoes might wake up and start taking computer security seriously. Which could make future bot nets harder to construct.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
19. Re:SUICIDE not good enough... by Anonymous Coward · 2012-06-07 22:09 · Score: 4, Informative
  
  Actually, yes - my Mac does it automatically.
20. Re:SUICIDE not good enough... by chrb · 2012-06-07 22:15 · Score: 5, Informative
  
  Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3 [freecode.com]
  Ubuntu bug: Bug reported 22nd September and closed the same day.
  Microsoft bug: attacks on MD5 widely known and carried out since 2005, but Microsoft still carry on using it in Windows Update until 2012.
  
  No one should dismiss the likelihood of rogus developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu.
  Do you have any evidence that this was the action of a rogue developer? By your logic, you must no longer use a computer, as the "rogue" developer issue is one that potentially affects all software.
21. Re:SUICIDE not good enough... by drinkypoo · 2012-06-07 22:40 · Score: 4, Interesting
  
  But, a format or full empty space overwrite should make sure somebody will have to disassemble the drive to actually get to the data remnants
  That is almost certainly false. The vendor almost certainly has commands to let them retrieve the full data from the drive over the bus.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
22. Re:SUICIDE not good enough... by Anonymous Coward · 2012-06-08 00:10 · Score: 1
  
  In other words, instead of just committing suicide, Flame burnt itself.
23. Re:SUICIDE not good enough... by V+for+Vendetta · 2012-06-08 01:03 · Score: 1
  
  because a criminal would have been more likely just to wipe the whole drive just to be pricks.
  
  I don't think so. That would be the reaction of a wanna-be-real-hax0rs script kiddie. But a professional criminal would leave the system up and running, because with a crash like that, even the most stupid user would recognize it and perhaps ask someone more knowledgeable to "have a look at it", which in turn could reveal the real reason for the crash. No, leave as silent as you came in is a criminal's best bet to go by unnoticed.
24. Re:SUICIDE not good enough... by petermgreen · 2012-06-08 01:37 · Score: 2
  
  Modern hard drives can do similar things though the probability is lower because they only do it as a fault recovery mechanism rather than as part of normal operation.
  Some drives (both HDD and SSD) have a built in secure erase function but you have to trust the drive manufacturer to have implemented it right.
  Bottom line if you have a modern storage device (whether solid state or spinning rust) and need to be absoloutely sure the data won't fall into enemy hands your only option is to reduce it to dust.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
25. Re:SUICIDE not good enough... by hairyfeet · 2012-06-08 02:24 · Score: 5, Interesting
  
  Please don't do that. you'd be surprised how many people out there can't afford a PC at all and how many guys there are like me that donate their time refurbing give aways from businesses so that those poor folks can have a PC. I have yet to see ANYONE recover squat from a spinning rust drive wiped with DoD-3, which is what I use on all donations, so please don't destroy the drives because with the price of HDDs still so high that just means that many more machines can't be refurbed to help the poor. Do a DoD-3 and then use whatever software you wish to try to recover but you won't find anything, then donate it, if you don't know about anyone like me your local churches or Freecycle will be glad to help.
  But so far if things continue as they have been frankly you won't have to give away that SSD, it'll already be dead before you get a chance. The amount of failures from SSDs is just insane, every one of my gamer customers that tried to switch ended going with the hybrids or raptors simply because of how quickly they die.
  But when it comes to HDDs please just do a DoD-3, there are folks out there that would look upon that old P4 or early dual as a real blessing, thanks.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
26. Re:SUICIDE not good enough... by redback · 2012-06-08 02:25 · Score: 1
  
  Windows does it too.
27. Re:SUICIDE not good enough... by Anonymous Coward · 2012-06-08 02:47 · Score: 2, Funny
  
  That is almost certainly false. The vendor almost certainly has commands to let them retrieve the full data from the drive over the bus.
  Potentially this post is almost certainly informative.
28. Re:SUICIDE not good enough... by sir-gold · 2012-06-08 03:04 · Score: 2
  
  Even if you do destroy the drive, PLEASE leave the HD cage in the case! I hate getting computers from businesses that are missing both the HD AND the proprietary cage, especially when it's an entire pallet of computers and the PC manufacturer no longer stocks the cages.
29. Re:SUICIDE not good enough... by magli · 2012-06-08 03:08 · Score: 2
  
  If they nuked the hosts entirely, they would reveal which hosts were infected. This would show who their targets were, and potentially shed light on who they are. It would also reveal what data they had managed to steel.
30. Re:SUICIDE not good enough... by Fnord666 · 2012-06-08 03:16 · Score: 1
  
  Many file systems will allocate new blocks when overwriting data. Not sure what Windows does. There is also the problem of scrubbing old versions of the files whenever updates are recieved(sic).
  Another interesting issue is file compression on the disk. Some systems try to overwrite a file with the same number of bytes but use an overwrite pattern. Unfortunately since that pattern is highly compressible, you are likely to only update 5% of the actual disk blocks that have your data on them. Another pass with a different pattern but the same basic compressibility only overwrites the same 5% of the blocks. Naive implementations can result in programs that supposedly overwrite your data 11 times with different patterns, only to leave 95% of the data untouched.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
31. Re:SUICIDE not good enough... by rhsanborn · 2012-06-08 04:42 · Score: 1
  
  Unfortunately, how long does it take to do a DoD-3, vs taking the hard drive out and taking it to someone who will put it in a chipper?
32. Re:SUICIDE not good enough... by drinkypoo · 2012-06-08 07:23 · Score: 1
  
  Potentially this post is almost certainly informative.
  I have [mostly] learned not to make declarative statements if I don't have a citation loaded in another tab. (Sometimes I know beyond any doubt that I can find many citations, but otherwise...)
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
33. Re:SUICIDE not good enough... by jaminJay · 2012-06-08 08:58 · Score: 1
  
  Because they're pricks, or because the coding effort involved would be far less? Just because they're criminals does not mean they have no delivery pressure. In fact, they might be subject to losing body parts rather than their bonuses.
  
  --
  Leela: "Is all the work done by children?" Alien: "No, not the whipping."
34. Re:SUICIDE not good enough... by gweihir · 2012-06-08 09:36 · Score: 1
  
  Which brings up something I've been wondering about...is it even POSSIBLE to overwrite a file if its on an SSD?
  Not reliably, no. You could fill up the SSD before, in the hopes that no other data-area is available, but there still is a smaller or larger pool of sectors kept for writing. You may get lucky if you fill the SSD up and repeatedly overwrite the file for more data overwritten than the SSD has in physical space. This can still fail though and leave data on disk.
  The best option for non-destructive erase is to use the "secure erase" ATA command. This will erase all data, but only if implemented right. Apparently, some vendors do not do that. The best option if you need to be sure is several full-disk overwrites, followed by "secure erase", followed by physical destruction.
  There is also the option to use encryption. There is a thing in cryptography called an all-or-nothing-transform. If you put a file through that before writing it to disk, if you succeed in overwriting at least a (small) part of it, all data is gone. You can, in addition, "spread" the file using cryptography, i.e. make it a lot larger. That is, for example, how some disk encryption software stores the master key on disk (to be unlocked by different passphrases). But it represents a large effort and basically works best if you encrypt the whole disk in the first place with something like this.
  There is one border-case though: For example, a 240GB SSD has only 16GB maximum spare/free sector pool (as Flash chips come in 2^n sizes). If you overwrite all empty space and then the file, you can be sure that no more than 16GB are still on the SSD.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
35. Re:SUICIDE not good enough... by detritus. · 2012-06-08 12:40 · Score: 1
  
  Being this was an ubuntu-specific bug, I no longer trust Ubuntu and simply use Debian.
  When the changes you make undermine the very core security of your distribution flavor, you lose me as a user.
  This change to apt-key added nothing useful.
36. Re:SUICIDE not good enough... by hairyfeet · 2012-06-08 12:54 · Score: 1
  
  Hear hear! I've had to strip many a PC because there was no drive cage and no damned way to even jury rig a mount short of duct taping the damned thing. Most of those cages are a real PITA to get and cost a pretty penny if the OEM will even sell you one so its often not worth it. BTW if you end up with a bunch of otherwise good PCs like that you can get cases sans PSU for cheap at Geeks, what i do is charge a small fee for the PCs i have to rebuild that way that covers the case and shipping so it all evens out.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
37. Re:SUICIDE not good enough... by RockDoctor · 2012-06-09 07:11 · Score: 1
  
  Unfortunately, how long does it take to do a DoD-3, vs taking the hard drive out and taking it to someone who will put it in a chipper
  No where near as long as it will take you to find someone who will actually put it into a suitable chipper, as opposed to someone who says they'll put it into a chipper.
  There was a case a couple of months ago when a contractor for a UK hospital group had signed a contract promising to destroy hard drives from computers they were being paid to take away ; naturally the machines reappeared on (IIRC) ebaY, with un-wiped hard drives, medical records, personnel details and a small shitstorm of bad publicity.
  If the data must be destroyed, then doing it yourself is really the only option ; if your time is too valuable for even a powerful chipper, then you've got a real problem that you need to budget for. If you're an IT professional then you'll memo for that budget, and if it's declined, pass the buck for the responsibility back up to the manager who refused your budget request and document that. If your management won't take your professional opinion on this, then you need to be job-hunting already.
  You may be lucky and have a minion who you can trust to do this. A retiree who'll do it one day a week; someone on medical short-time ; whatever. But if you really need data security, then you need to keep this in-house and amongst people whose professional integrity you trust.
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
38. Re:SUICIDE not good enough... by toddestan · 2012-06-09 08:15 · Score: 1
  
  That's only because of undue paranoia. There is absolutely zero evidence that anyone can recover anything after a single random wipe, let alone a DoD-3 wipe.
Interesting by Anonymous Coward · 2012-06-07 14:18 · Score: 5, Interesting

Something tells me that this wasn't designed by a teenager.
1. Re:Interesting by bmo · 2012-06-07 15:04 · Score: 1, Insightful
  
  The teenage hacker in a basement was never as much of a risk compared to what started happening about 15 years ago with organized crime getting involved.
  This "new" kind of malware has been dubbed (I think more accurately than most) crimeware.
  And whether governments do it, or the RBN, it's still crimeware.
  --
  BMO
2. Re:Interesting by flyingsquid · 2012-06-07 15:41 · Score: 5, Insightful
  
  Something tells me that this wasn't designed by a teenager.
  There are a limited number of possible suspects. First off, not many parties have the means to create this. The consensus is that Flame is one of the largest and most advanced pieces of malware ever created- it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability. That list is pretty short, and would include countries like the United States, China, Russia, Israel, and North Korea.
  Second, let's look at the targets. The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order. Roughly half of the infections are in Iran. So whoever created Flame is worried about the Middle East, but really, really worried about Iran. More worried about Iran than any other country. The Iran fixation suggests two possible suspects- Israel and the United States.
  The focus on Iran is consistent with Flame coming from the U.S., but Flame also targets several U.S. allies, including Egypt and Saudi Arabia. The other thing is, Flame doesn't target anything outside of the Middle East. If it was produced by the U.S., you'd expect Flame to be found in other countries- North Korea and Pakistan, for example- where the U.S. has security interests. But whoever created Flame doesn't really care what happens in North Korea or Pakistan. Whoever created Flame is primarily concerned with countries that are either enemies or potential enemies of Israel- Iran, Palestine, Syria, Lebanon. That strongly suggests Israel as the culprit.
3. Re:Interesting by catmistake · 2012-06-07 16:17 · Score: 2
  
  Something tells me that this wasn't designed by a teenager.
  Arguably, yes it was. According to the NYT, it was designed under George Bush.
  That's not what the article says. It says Olympic Games began under George Bush's administration. The article doesn't say who developed Flame, only that forensic analysis is underway.
  
  --
  The Admin and the Engineer
4. Re:Interesting by Anonymous Coward · 2012-06-07 16:42 · Score: 2, Informative
  
  Second, since when is Pakistan not in the Middle East?
  Pakistan is in South Asia. Consider, for example, their membership in the SAARC.
  https://en.wikipedia.org/wiki/South_Asian_Association_for_Regional_Cooperation#Current_members
  They _want_ to be considered as a Middle East, or more accurately, an Arab country. There are "scholars" in Pakistan producing academic papers "proving" that Pakistanis are descended from Arabs. Not only does this ignore the complex interplay of ethnicities present in the Indian sub-continent, it is pure political revisionism to disown their shared ancestry with Indians, so that the creation of Pakistan on religious grounds gains justification.
  BTW, "Indian" subcontinent is also not a term preferred in Pakistani discourse. South Asia is more acceptable.
5. Re:Interesting by viperidaenz · 2012-06-07 16:45 · Score: 4, Insightful
  
  ... because small groups of smart people can't create something complex? It's software, you don't need massive amounts of funding, all you need is a few smart people and some time.
6. Re:Interesting by Anonymous Coward · 2012-06-07 17:12 · Score: 3, Funny
  
  Second, since when is Pakistan not in the Middle East?
  Pakistan has never been in the Middle East.
7. Re:Interesting by Anonymous Coward · 2012-06-07 17:19 · Score: 1
  
  Since continental drift started happening.
  Seriously, only from the Americas is the rest of the world in the east.
8. Re:Interesting by Taco+Cowboy · 2012-06-07 17:45 · Score: 2
  
  This "new" kind of malware has been dubbed (I think more accurately than most) crimeware
  I think Mobware is a more accurate description
  "Crime" can be mere petty crime
  But "Mob" is a total different animal altogether
  
  --
  Muchas Gracias, Señor Edward Snowden !
9. Re:Interesting by Taco+Cowboy · 2012-06-07 17:53 · Score: 2
  
  You need SEVERAL smart people and A LOT OF time. If they only work weekends for free, on something this massive and complex, your project will be finished in 15 years and be already obsolete.
  You have seriously underestimate the productivity of really really smart programmers
  It has been estimated that a very talented programmer is more effective than the output of 300 garden variety code monkeys combined
  And in my time I've in several occasions the privilege to work with some of the top brains of the programming field, and I can tell you that it has been such a blessing
  
  --
  Muchas Gracias, Señor Edward Snowden !
10. Re:Interesting by gl4ss · 2012-06-07 18:26 · Score: 2
  
  also the 20mbyte claim is misleading, since it includes runtimes so that they could get away with coding less native code and more scripting..
  
  --
  world was created 5 seconds before this post as it is.
11. Re:Interesting by sociocapitalist · 2012-06-07 19:35 · Score: 1
  
  Egypt isn't an necessary ally of the US anymore.
  It seems possible that Flame is checking the system time and that any system with GMT offsets that fall into the target part of the world are subject to infection.
  
  --
  blindly antisocialist = antisocial
12. Re:Interesting by sociocapitalist · 2012-06-07 19:37 · Score: 1
  
  I should add that in addition to Egypt not necessarily being an ally anymore, that Saudi Arabia, while technically an allied country, has no shortage of people willing to be enemies of America.
  
  --
  blindly antisocialist = antisocial
13. Re:Interesting by Sique · 2012-06-07 20:20 · Score: 1
  
  Just because Pakistan is member of a South Asian regional association it doesn't necessarily mean that Pakistan is geographically located in South Asia. Kasachstan is member of the UEFA (Union des Associations Européennes de Football), while being a Central Asian country, and Marocco is member of the EBU (European Broadcasting Union), while being north african.
  Pakistan is considered south asian from a geographical point of view, because the Hindu Kush, Karakoram and Himalaya mountain ranges in the north form a natural border against Central Asia, and the Suleiman, Brahui and Kirthar mountains do the same against Western Asia (ok, Baluchistan is already west of the Kirthar mountains...).
  
  --
  .sig: Sique *sigh*
14. Re:Interesting by Anonymous Coward · 2012-06-07 20:28 · Score: 2, Funny
  
  If it's written in a .NET language, 20mb is about the size of "Hello World!".
15. Re:Interesting by progician · 2012-06-07 21:20 · Score: 1
  
  Your argument about North Korea is flawed. All it takes to extract information from IT infrastructures and attack them, is some cheap equipment and a few skilled coder. It is easier to train a bunch of programmers than physicists, biologists, or soldiers in general (the bullets can be quite expensive for a nation with low industrial capacity and no access to legally acquirable American weaponry). We don't need big bad ass machinery for our studies, and most of the knowledge is available for free on the internet. Don't take it wrong, I don't think of North Korea as a boogie man, and I am quite sceptical with the smearing propaganda generally about any "rouge" state because I know that there is no good or bad in the world of politics, only continuous struggle between opposing factions for power.
16. Re:Interesting by DarkOx · 2012-06-07 21:47 · Score: 5, Interesting
  
  it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability.
  
  The thing weighing in at 20 megs is not an achievement, rather its an embarrassment showing total lack of craft. Much of the code in this thing is not the malware itself either, its interpreters and support libraries to run it, and much of open source and otherwise stuff that serves other purposes. Its not an efficiently built thing at all.
  The only achievement here if there is one is somebody manged to deliver a payload that large, so often undetected and reliably. I agree it looks state sponsored to me, only government contractors could create a turd this large and still polish it enough that it mostly worked.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
17. Re:Interesting by PenquinCoder · 2012-06-08 00:00 · Score: 1
  
  Somebody has to farm gold in WoW.
18. Re:Interesting by cryptizard · 2012-06-08 00:04 · Score: 4, Interesting
  
  Actually quite the opposite. It has been stated by antivirus folks that its large size and structure actually helped it hide for longer. AV software is used to viruses being super-optimized and obfuscated. Flame on the other hand looks like any other desktop application, complete with included runtimes.
19. Re:Interesting by Gr8Apes · 2012-06-08 00:34 · Score: 1
  
  Reading up on Middle East history, the term is largely an American one now that's been adopted by others, and has been revised in scope significantly over the years. It's an arbitrary definition that in the late 50s early 60s was defined essentially as an area from Egypt to Iran, specifically excluding Afghanistan and Pakistan which had been included prior to then. So officially, you're correct that it is not part of the Middle East as that term appears to be defined today, although references often include both countries in the grouping anyways.
  
  --
  The cesspool just got a check and balance.
20. Re:Interesting by Gr8Apes · 2012-06-08 00:35 · Score: 1
  
  The Middle East never had anything to do with continental drift, as it is an arbitrary term that comprises countries across at least 2 continents.
  
  --
  The cesspool just got a check and balance.
21. Re:Interesting by Cruciform · 2012-06-08 00:39 · Score: 2
  
  How about "WarioWare"?
22. Re:Interesting by couchslug · 2012-06-08 00:46 · Score: 1
  
  Given the periodic Slashdot pieces on prodigies, I will not be quick to succumb to ageist assumptions.
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
23. Re:Interesting by couchslug · 2012-06-08 00:48 · Score: 1
  
  "Flame also targets several U.S. allies, including Egypt and Saudi Arabia."
  They are allies in name only, playing the US against their own people and against competing Muslims who are are outright enemies.
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
24. Re:Interesting by DarkOx · 2012-06-08 02:04 · Score: 1
  
  It has been stated by antivirus folks that its large size and structure actually helped it hide for longer.
  I am aware of that. I still don't see a larger foot print as helping this thing to remain stealthy. I see that as more a failure of the AV vendors and the IT Sec Community (myself included there) to imagine this type of threat.
  Scanners need to get better at analyzing things beyond just matching signatures
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
25. Re:Interesting by Gr8Apes · 2012-06-08 04:36 · Score: 1
  
  Awesome!
  If I only had mod points and you weren't responding to me....
  
  --
  The cesspool just got a check and balance.
26. Re:Interesting by Basje · 2012-06-08 06:14 · Score: 1
  
  Could as easily be a company. Google, Yahoo, Microsoft, Baidu, IBM et al are all able to pull this off.
  
  --
  the pun is mightier than the sword
27. Re:Interesting by cryptizard · 2012-06-08 12:45 · Score: 1
  
  Agreed, but it can't be considered a failure by the team developing Flame when they accurately assessed this weakness in existing AV and exploited it.
28. Re:Interesting by msoftsucks · 2012-06-08 12:50 · Score: 1
  
  Actually the United Federation of Teachers (the teachers union) have recommended the North American Union and "Other!".
  
  --
  Quit playing Monopoly with Bill.
  Linux - of the people, by the people, and for the people.
29. Re:Interesting by shiftless · 2012-06-10 13:28 · Score: 1
  
  Whoever created Flame is primarily concerned with countries that are either enemies or potential enemies of Israel- Iran, Palestine, Syria, Lebanon. That strongly suggests Israel as the culprit.
  Or they wanted it to look that way...
That explains it. by Anonymous Coward · 2012-06-07 14:20 · Score: 5, Funny

My mother was wondering why her computer suddenly was working so much better.
Thanks dudes!
1. Re:That explains it. by macraig · 2012-06-07 14:46 · Score: 1
  
  Of course the performance bump had nothing at all to do with you removing all your TrueCrypted porn and finally freeing up more than 1% of the drive....
2. Re:That explains it. by amirishere · 2012-06-07 17:57 · Score: 1
  
  Exactly. I live in the attic.
3. Re:That explains it. by allo · 2012-06-07 21:23 · Score: 1
  
  freeing disk space has nothing to do with performance.
4. Re:That explains it. by rvw · 2012-06-07 22:43 · Score: 1
  
  freeing disk space has nothing to do with performance.
  If you only have 10MB free space, it certainly does.
5. Re:That explains it. by allo · 2012-06-08 03:04 · Score: 1
  
  > it was starting to get longer and longer ...
  and thus using so much disk space, the performance of your computer suffered from it? :)
6. Re:That explains it. by allo · 2012-06-08 03:05 · Score: 1
  
  swap is in the normal case an own partition, and windows-users are well advised to set the swap file to static size ... ... but when you need to have swap space, the performance is lost long before. swapping is sloooooooow.
7. Re:That explains it. by allo · 2012-06-08 03:07 · Score: 1
  
  dynamic swapfile is a misconfiguration (and sadly a default in ms windows, but its windows ...)
Re:Nice try by Dunbal · 2012-06-07 14:28 · Score: 4, Informative

Er no, this is infected machines being remotely instructed to clean themselves up by the person controlling the "virus". It has nothing to do with you doing anything to your machine. They sent the virus an instruction, and the virus is removing all traces of itself from a machine.

--
Seven puppies were harmed during the making of this post.
No AutoDestruct by bengoerz · 2012-06-07 14:29 · Score: 5, Interesting

In hindsite, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained. As it stands, there's still evidence of Flame sitting on disconnected machines.
1. Re:No AutoDestruct by nanoflower · 2012-06-07 14:36 · Score: 4, Insightful
  
  All too true. I'm sure the authors will be taking that into account for their next version. Hopefully everyone will be on the lookout and catch it quicker than they did this one.
2. Re:No AutoDestruct by Anonymous Coward · 2012-06-07 14:37 · Score: 5, Insightful
  
  That doesn't sound like a very effective worm. If they did it that way you could fix the infection with a pf rule.
3. Re:No AutoDestruct by Dancindan84 · 2012-06-07 14:37 · Score: 1
  
  Heh. A virus dead man's switch.
  
  --
  "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
4. Re:No AutoDestruct by gman003 · 2012-06-07 14:52 · Score: 5, Interesting
  
  Imagine if everything had gone according to plan. They've gotten all the data they need, and have not been detected. They issue a self-destruct order, and bam. Nobody will ever know they were even there.
  Now, as for why they're doing it now, there's another reason. I imagine the target has figured out they're infected. But maybe they don't know every computer that was infected. And if the virus has self-destructed, they may never know for sure which machines were hit. Even if they actually *did* ID every machine, the fact that the creators did this may make them think they missed some.
5. Re:No AutoDestruct by Anonymous Coward · 2012-06-07 14:52 · Score: 1
  
  Good job dude. Got any other great ideas to give the authors?
6. Re:No AutoDestruct by Anonymous Coward · 2012-06-07 15:00 · Score: 1
  
  Once it's somewhat understood, sure (at least enough to know all control channels). Of course, the only reason you'd code a suicide feature at all is because you plan to activate it after it's become useless and before it's understood well enough for everybody to block control channels (thus rendering it useless, risking mass destruction of the entire infection by antivirus updates, and (perhaps) risking detection of your uber-evil centrifuge-destroying payload).
  It doesn't seem like a bad idea at all, if the worm is dependent on remote control to acheive the desired result. Of course, if (as for stuxnet) the payload is meant to work on off-line systems, then it might be bad -- depends on the relative cost of a failed mission (did not infect the target, try again later) vs. an exposed mission (target finds out who they are, becomes more careful, and maybe even causes an international incident if the source can be deduced).
7. Re:No AutoDestruct by Billly+Gates · 2012-06-07 15:17 · Score: 5, Interesting
  
  If this is a real professional job I would not be surprised if it leaves some backdoors opened for another different piece of malware. It wouldn't surprise me if Cisco router rootkits exist. After all evidence points in China they are doing just this, as they did with Nortel routers with a backdoor.
  
  --
  http://saveie6.com/
8. Re:No AutoDestruct by Baloroth · 2012-06-07 15:21 · Score: 5, Interesting
  
  The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable, anyways, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminated the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.
  A secondary implication is that Flame has fulfilled it's purpose. Again, what that is, no one is exactly sure (espionage, certainly, but you don't create something this advanced without some specific target in mind) and wasn't worth maintaining anymore.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
9. Re:No AutoDestruct by CodeBuster · 2012-06-07 15:26 · Score: 1
  
  In hindsite, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained.
  Well, there's always version 2.0 after all. Maybe we'll see that feature, among many others I'm sure, in the next version. Somehow I doubt that we've seen the last of Flame or the people who created it.
10. Re:No AutoDestruct by Nutria · 2012-06-07 15:38 · Score: 1
  
  This is why most organizations should treat the Internet the same way they treat firewalls: block everything then whitelist only what's actually needed for employees to do their work.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
11. Re:No AutoDestruct by Sir_Sri · 2012-06-07 15:44 · Score: 1
  
  If it's intended to run on not networked control systems (say the ones being used in hardened bunkers to make nuclear weapons components) that wouldn't help you a lot.
  Those computers probably start network connected to get setup, and are then disconnected for work, precisely the time you want your malware to do its thing. They circumvent the hooks into windows update knowing that they'll all have windows updates run on them before the get pulled off.
12. Re:No AutoDestruct by Chuck+Chunder · 2012-06-07 16:28 · Score: 1
  
  If we accept that this is software used by a state for espionage then networks that aren't routinely connected to the internet in a fashion that allows direct contact with the control servers may be of more interest than ones that are and such automatic removal might not be desired.
  
  Perhaps a military private network is compromised when someone attaches a compromised laptop to it. Perhaps information is then snuck out or instructions fed in on subsequent occasions that such a laptop is connected, sneaker-net style.
  
  --
  Boffoonery - downloadable Comedy Benefit for Bletchley Park
13. Re:No AutoDestruct by Will.Woodhull · 2012-06-07 17:14 · Score: 1
  
  There are also images of Flame components on a lot of the backups of every significant system that was infected. An unrelated malware that simply crashed computers in a way that forced reloads from backups would not be difficult to construct, and could possibly assure that Flame components would again be in active residence on the networks.
  Flame may very well be capable of becoming undead. To assure that this could not happen, it may be necessary to destroy all backups since the days before Flame.
  A related question: how often have networks been re-infected by backups or accessing archived files? IIRC, this used to be an issue with some Word macro viruses, back in the days of the woodburning computers.
  
  --
  Will
14. Re:No AutoDestruct by Will.Woodhull · 2012-06-07 17:23 · Score: 2
  
  If the blackhats can wipe all active instances of Flame in such a way that no one can tell it was ever there, AND they can do so before Flame is fully analyzed, then they only need to wait until some critical computers have to be restored from backups, where some backups are assuredly dirty with Flame. This way Flame has a better chance of coming back as undead malware.
  I rather suspect that whoever constructed Flame is also capable of arranging things so that certain computers will need to be restored from back ups.
  Cleansing backups is going to be costly. There will be fewer resources available to the teams that are developing the missile guidance systems and the nuclear detonation simulators.
  
  --
  Will
15. Re:No AutoDestruct by an+unsound+mind · 2012-06-07 17:49 · Score: 2
  
  Alternatively, the fact that it was discovered may mean the current deployment was aborted and there will be (or already is) a new version of Flame to replace the old one.
16. Re:No AutoDestruct by icebraining · 2012-06-07 19:04 · Score: 1
  
  Is that really feasible? You'd have to whitelist DNS queries, every single email address (good luck if you need to contact customers), etc.
  For example, Google Docs can be pretty useful, right? But allowing it gives an attack a full proxy: http://hackaday.com/2012/01/31/using-google-documents-as-a-web-proxy/
  
  --
  Dilbert RSS feed
17. Re:No AutoDestruct by icebraining · 2012-06-07 19:06 · Score: 1
  
  From those comments, one more: do you allow www.google.com? One more proxy! http://www.google.com/gwt/n
  
  --
  Dilbert RSS feed
18. Re:No AutoDestruct by dropadrop · 2012-06-07 19:07 · Score: 1
  
  The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable, anyways, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminated the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.
  A secondary implication is that Flame has fulfilled it's purpose. Again, what that is, no one is exactly sure (espionage, certainly, but you don't create something this advanced without some specific target in mind) and wasn't worth maintaining anymore.
  It's probably. I think the main reason however is, that a large portion of people who have been infected don't know it yet, and the people in charge prefer to keep it that way.
19. Re:No AutoDestruct by Nutria · 2012-06-07 19:44 · Score: 1
  
  Leave open ports 25, 53, 465 and whatever ports your VPN uses.
  There would have to be more tweaks, but the point is that the vast majority of people in any organization don't need access to ESPN, CNN, TMZ, etc, etc, ad nauseum.
  You whitelist depending on the field that your company, division or group is in. Yes, it would require some effort on the part of IT staff, but would also reduce the number of malware infections and thus the amount of time wasted on reimaging such PCs.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
20. Re:No AutoDestruct by drinkypoo · 2012-06-07 22:42 · Score: 2
  
  They're shutting down now because they have the data they need and they're erasing now to try to prevent the target from knowing they have been compromised.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
21. Re:No AutoDestruct by rvw · 2012-06-07 22:46 · Score: 1
  
  Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know.
  
  I bet those guys at Kapersky (and those in Iran as well) are smart enough to make images of infected machines, probably in different states. Then you can restore them as many times as you want.
22. Re:No AutoDestruct by Dan1701 · 2012-06-08 00:17 · Score: 1
  
  More to the point, the fact that they are securely wiping the infection files of the net-connected machines, but seem not to have a means of wiping the files on infected but isolated machines (relatively easy to do; make the thing periodically phone home and suicide if it cannot do this) means one of two things.
  1) They're incompetent and didn't think of doing this. Unlikely; I'm not much of a programmer but I thought of it.
  2) The infection files they are wiping contain information lifted from the infected machine and/or other important info, and the virus authors do not wish to gift anyone investigating the infection with this information. The authors either don't care, or don't want to take the trouble to try to prevent the virus code falling into the hands of whitehat investigators.
  I side with the latter; if a person doesn't know a machine has been compromised then this is the best outcome for the blackhats. If the victim susses they've been infected but doesn't know what has been stolen though, they have to assume the worst and the panicked arse-covering and re-assessment of security and procedures etc. is going to be almost as much use in disrupting the enemy than the conpromised information would have been. A military-industrial complex which knows it has been infiltrated but does not know to what extent usually becomes paranoid. The "bolting the stable door after the horse has gone" syndrome kicks in, blame gets shared out as selfishly as possible, careers get terminated and security gets so tight that nothing can be done without covertly circumventing it.
  Iran, if this was the target, would be a perfect target for this sort of attack. Iran is a military-religious dictatorship, and the top people in such regimes are not usually the very brightest in the world, merely the most devious backstabbing ones. Perpetrating a hack like this would cause such dismay and confusion that this might well have been the plan all along, with the possibility of stealing information a distant second priority.
23. Re:No AutoDestruct by dj245 · 2012-06-08 00:37 · Score: 1
  
  After all evidence points in China they are doing just this, as they did with Nortel routers with a backdoor.
  
  Does it? This malware targets machines in the middle east only. What big stake does China have there that would make them go to all this trouble? I could see them doing this to the US, Japan, Korea, Philippines, or Taiwan, but the middle east doesn't make a lot of sense to poke around with for China. You could probably make a case for something, sure, but as another poster said it makes a lot more sense that Israel did it.
  
  Cue "I bet the Jews did this" photo meme.
  
  --
  Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
24. Re:No AutoDestruct by scubamage · 2012-06-08 01:55 · Score: 1
  
  Especially when you consider that there are signs that flame has been around since 2007. That's one hell of a good run.
25. Re:No AutoDestruct by scubamage · 2012-06-08 01:57 · Score: 1
  
  Considering there are researchers out there who believe flame has actually been circulating since 2007, most likely more than we want to think about.
26. Re:No AutoDestruct by Fnord666 · 2012-06-08 03:27 · Score: 1
  
  The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable, anyways, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminated the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.
  I consider this unlikely since the first thing researchers would do would be to create an offline copy of the affected drives. Analysis can proceed from there and the infected system can be restored as often as needed.
  Similarly a dead man's switch would be easily bypassed once it was identified by isolating the restored system on a closed network where everything was sand boxed and simulated, including the CC servers. Validation code in the client for the CC servers could be patched around as well if there was some form of validation scheme. Possession is 9/10th of p0wnage after all.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
27. Re:No AutoDestruct by leonardluen · 2012-06-08 04:34 · Score: 1
  
  that really doesn't make much sense, they are attempting to do a secure wipe, it seems it is possible they don't want anyone to realize which machines were infected.
  if you leave a backdoor, that is something that could be detected and then you would know that flame had been on that machine.
Re:Nice try by Dancindan84 · 2012-06-07 14:34 · Score: 1

He wasn't implying it had anything to do with someone doing anything to their own machine. He was implying that Flame is a government intelligence tool and someone came up with a better way of making sure that's never proven.

--
"Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
Re:Nice try by Dancindan84 · 2012-06-07 14:35 · Score: 1

Bleh, sorry. The way the thread was set up it looked like your reply was to someone else.

--
"Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
The bigger question. by multicoregeneral · 2012-06-07 14:37 · Score: 4, Interesting

Sure, all this business with Flame is absolutely fascinating. But even more fascinating: why are European and American software companies doing business with Iran in the first place?

--
This signature intentionally left blank.
1. Re:The bigger question. by Hamsterdan · 2012-06-07 14:44 · Score: 4, Interesting
  
  I have a hunch money's involved...
  
  --
  I've got better things to do tonight than die.
2. Re:The bigger question. by Anonymous Coward · 2012-06-07 14:44 · Score: 1
  
  so we can infect them with malware apparently.
3. Re:The bigger question. by TheEyes · 2012-06-07 14:59 · Score: 3, Insightful
  
  Why do companies outsource their factories to China? Why did AIG and several other companies leverage themselves to several times what they were worth?
  Birds gotta fly. Fish gotta swim. Pointy-haired bosses gotta sacrifice the future for a monetary bonus today.
4. Re:The bigger question. by gman003 · 2012-06-07 15:04 · Score: 5, Insightful
  
  You know what's more interesting?
  Heckler und Koch GmbH and Rheinmetal AG have licensed factories in Iran. Iranian factories are cranking out G3s, MP5s, MG3s, all legally and for export. Not to mention the various Chinese/Russian small arms they manufacture (couldn't find out whether those were licensed or not).
  I think that, before they ban software companies from doing business in Iran, they should maybe think about banning the firearm companies. Just a thought.
5. Re:The bigger question. by multicoregeneral · 2012-06-07 15:12 · Score: 1
  
  A very literate answer. Thank you.
  
  I'm not criticizing anyone. Just thought it was odd, considering all the blanket sanctions that actually do ban software companies, and anyone else for that matter from working in the country.
  
  --
  This signature intentionally left blank.
6. Re:The bigger question. by artor3 · 2012-06-07 15:19 · Score: 1
  
  It's a lot more understandable when you remember that it's someone else's future being sacrificed.
7. Re:The bigger question. by AHuxley · 2012-06-07 15:30 · Score: 1
  
  Iran pays on time and very well. Gold, local currencies... Iran is good like that.
  
  --
  Domestic spying is now "Benign Information Gathering"
8. Re:The bigger question. by fullback · 2012-06-07 15:36 · Score: 5, Insightful
  
  Because there is no legitimate reason to not do business. The relentless war mongering against fictional bogeymen is fascinating, too.
9. Re:The bigger question. by kermidge · 2012-06-07 15:41 · Score: 2
  
  Nice catch.
  I recall reading some thirty years back that the last parties to lose money in a depression are cosmetics and booze; by examination and extrapolation they seem to do pretty well in good times as well.
  Arms merchants transcend that - there's always people wanting to mess over others, and other people wanting to defend themselves. I expect that given net and scope of profit and the realpolitik of weaponry, it's a no-lose proposition. Guns and bullets have no morals, nor, essentially, do their makers. True capitalism, true free markets. Funny, doesn't bring the prices down to stick an MP5 in the closet.
10. Re:The bigger question. by Sir_Sri · 2012-06-07 15:48 · Score: 3, Insightful
  
  1. Because iran has money.
  2. Because there are 70 million people in Iran, the vast majority of whom are not engaged in trying to kill americans or europeans.
  3. Because lots of people, especially in europe, believe that US sanctions are counter productive, and so don't have such sanctions.
  Also keep in mind there are lots of things that aren't barred from export to Iran, and lots of things are sold legally to other countries and then illegally re-exported to Iran. Most notably to qatar and bahrain, but other places as well.
11. Re:The bigger question. by shutdown+-p+now · 2012-06-07 16:09 · Score: 2
  
  why are European and American software companies doing business with Iran in the first place?
  Why not? How is it significantly different from Russia, or China, or Vietnam, or Saudi Arabia?
12. Re:The bigger question. by Tastecicles · 2012-06-07 16:12 · Score: 1
  
  Nobody ever went broke selling weapons. My cousin went into weapons, now he owns his own moon. Me? I opened a bar in the back end of Space.
  - Quark
  Or something like that.
  Also:
  Rule of Acquisition #34: war is good for business.
  Why does nobody go to war with Switzerland?
  Because Switzerland is the home of the largest banks in the world, and the largest weapons manufacturers in the world. They supply money and arms to everybody. One man's money is as good as another's, be he Western despot or Eastern hero <g>.
  
  --
  Operation Guillotine is in effect.
13. Re:The bigger question. by catmistake · 2012-06-07 16:31 · Score: 1
  
  Birds gotta fly. Fish gotta swim.
  
  FTFY
  
  --
  The Admin and the Engineer
14. Re:The bigger question. by viperidaenz · 2012-06-07 16:49 · Score: 1
  
  Guns and bullets are not a free market, the governments regulate the industry so it is split between a regulated market and a black market. Both of which inflate prices.
15. Re:The bigger question. by Anonymous Coward · 2012-06-07 17:24 · Score: 2, Informative
  
  Heckler und Koch GmbH and Rheinmetal AG have licensed factories in Iran.
  Not quite correct: there were factories in Iran producing those weapons under license, since the early 1970s. Not H&K factories. The Iranians originally paid a royalty on each item produced.
  Are you also going to be indignant that Bell provided critical assistance in establishing the helicopter repair and production facility at Isfahan in the same period?
16. Re:The bigger question. by Anonymous Coward · 2012-06-07 19:16 · Score: 2
  
  ... or Israel?
17. Re:The bigger question. by icebraining · 2012-06-07 19:18 · Score: 1
  
  Why do companies outsource their factories to China?
  Because it's beneficial for them and for poor Chinese people, not to mention to us who get cheaper stuff? Why shouldn't they outsource to China?
  
  --
  Dilbert RSS feed
18. Re:The bigger question. by Anonymous Coward · 2012-06-07 19:31 · Score: 2, Interesting
  
  Germany is Iran's largest trading partner as well.
  Say what you will about a culture of Holocaust related guilt (which has caused them to fund and build multiple nuclear missle subs for Israel), Germany has far less qualms about who it sells what to than any other country I've ever seen. They sell guns to Iran and subs to Isreal; tanks to Turkey and landing craft to Greece. If there's a conflict Germany is more than happy to supply both sides if there's profit to be made.
  Side note, I'm married to a German national, and happy that as fucked up as U.S. foreign policy is at least we've picked a side on our misguided war.
19. Re:The bigger question. by sociocapitalist · 2012-06-07 19:39 · Score: 1
  
  Sure, all this business with Flame is absolutely fascinating. But even more fascinating: why are European and American software companies doing business with Iran in the first place?
  So that European and American governments have a vector to install malware...?
  
  --
  blindly antisocialist = antisocial
20. Re:The bigger question. by sociocapitalist · 2012-06-07 19:44 · Score: 1
  
  Are you sure this is still the case?
  "Much of the manufacturing of Heckler & Koch weapons is carried out under licensed production agreements, either for the armed forces of the producing country or for export. Such agreements have been made with a number of EU countries and also Burma (now Myanmar), Iran, Mexico, Saudi Arabia, Pakistan, Turkey and Thailand. Heckler & Koch have stated that the agreements with Burma and Iran have lapsed."
  http://www.caat.org.uk/resources/publications/armsfairs/dsei-2003-report/hecklerandkoch.php
  
  --
  blindly antisocialist = antisocial
21. Re:The bigger question. by kermidge · 2012-06-07 21:57 · Score: 1
  
  Pretty much. In practice there ends up being a fairly plastic gray market - governments get right creative when a given sale or transfer fits their exigency du jour.
22. Re:The bigger question. by Sigg3.net · 2012-06-07 22:39 · Score: 1
  
  If you want to learn more about someone you talk with them
  Keep your enemies closer.
  
  --
  Defining Statistics and Social Research
23. Re:The bigger question. by Ryanrule · 2012-06-08 05:56 · Score: 1
  
  Money dear boy!
24. Re:The bigger question. by multicoregeneral · 2012-06-08 13:27 · Score: 1
  
  Because there is no legitimate reason to not do business. The relentless war mongering against fictional bogeymen is fascinating, too.
  Isn't it? That one is a complete pathology. Even going back and looking at the newspapers of the last 30 years or so, it's interesting to watch the total and unwavering support of middle eastern dictators turn into an absolute and irrational fear of terrorism. As though the two aren't related. I wonder if we would have supported destroying the Democracy in Lebanon or the the rise of the Mullahs in Iran if we knew what we would have on our hands 30 years later. Or... maybe we did. Hard to know.
  
  --
  This signature intentionally left blank.
Re:Nice try by sdnoob · 2012-06-07 14:40 · Score: 1

it will be, but the TLAs will deny deny deny.
Flame just gets more and more interesting by tick-tock-atona · 2012-06-07 14:42 · Score: 5, Insightful

Not only does Flame use a previously unknown MD5 chosen prefix attack, but now they are removing all traces of the software from machines under their control.
Now, since security researchers already have copies of the software this isn't going stop anyone further deconstructing and analysing it. The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?
1. Re:Flame just gets more and more interesting by kaiser423 · 2012-06-07 15:38 · Score: 1
  
  Given that Flame was highly sophisticated, modular and individually targetable there is the potential that some machines had modules that had not yet been discovered and that could also be a reason to destruct - to prevent anyone from discovering more.
2. Re:Flame just gets more and more interesting by sociocapitalist · 2012-06-07 19:46 · Score: 1
  
  ...The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?
  Or to limit legal and political liability as much as possible should it actually come back to them?
  
  --
  blindly antisocialist = antisocial
Yes, "Lucky" by SuperKendall · 2012-06-07 14:47 · Score: 4, Insightful

The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive.
Or, to make everyone else stop looking.
You know all of the installations received the same self-destruct command how again?

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:Yes, "Lucky" by Billly+Gates · 2012-06-07 15:19 · Score: 1
  
  It is so big it is possible any VM with network access could have received the command to self destruct or maybe it self destructs when it can't find a LAN connection? I would not be surprised.
  
  --
  http://saveie6.com/
Release the Source! by Anonymous Coward · 2012-06-07 14:58 · Score: 1

If the binary is un-distributed by the authors, does that mean that they no longer have to comply with the terms of the GPL and release the source code?
http://yro.slashdot.org/story/12/06/06/1256217/stuxnetflameduqu-uses-gpl-code
Better get on that GPLv4 Richard!
That's it, I'm officially convinced by Voyager529 · 2012-06-07 15:00 · Score: 4, Funny

The people who wrote Flame are the same fine ladies and gentlemen who have brought us CleanMyPC.com. Apparently their accountant is on vacation or something, because removing malware is generally a service that they charge for.
1. Re:That's it, I'm officially convinced by Billly+Gates · 2012-06-07 15:20 · Score: 3, Interesting
  
  Dude the more you spam for it the higher the Google page ranking it gets. Out of curiosity I did a google search for malware and cleanPC was 4 out of the 5 links listed. Good god talk about SEO to the extreme
  
  --
  http://saveie6.com/
Red Mercury next? by ka9dgx · 2012-06-07 15:19 · Score: 1

Oh oh..... can I name the next one? Let's call it "Red Mercury", and it should be taking out a reactor in 5, 4, 3, 2
1. Re:Red Mercury next? by catmistake · 2012-06-07 16:32 · Score: 1
  
  Joshua
  
  --
  The Admin and the Engineer
2. Re:Red Mercury next? by shentino · 2012-06-07 16:50 · Score: 1
  
  Material Defender.
  Descent.
The Other by SuperKendall · 2012-06-07 15:23 · Score: 5, Funny

maybe it self destructs when it can't find a LAN connection?
Works for Diablo 3...

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Re:Nice try by griffjon · 2012-06-07 15:26 · Score: 4, Interesting

Does it close the doors on the way out and patch the various exploits it used to get in to the system in the first place, or does it just leave the system ripe for future re-exploitation by the same or similar tools?
In other news, over in Oz - the man who was behind the curtain is not only unimportant, but not there now, so please stop looking.

--
Returned Peace Corps IT Volunteer
Good thing, I guess... by Anonymous Coward · 2012-06-07 15:40 · Score: 1

It could have been worse, the instruction could have been to wipe the computer's hard drive, or worse, load garbage into the EEPROM, overwrite the BIOS, and THEN wipe the computer's boot sectors, then hard drives... would be tough to recover from that. Even if you have backups and a boot disk... if your BIOS is destroyed, your computer is going to require professional help even to get to the point where it starts looking for a bootloader...
It seems almost pointless though, since the virus is known, I'm sure there's at least one known, infected machine that was NOT on, (and therefore not connected to the internet,) that can be analyzed forensically, since the operator(s) will know not to connect it to the internet again until they're done analyzing it, so that it cannot receive the (virus) self-destruct instructions...
1. Re:Good thing, I guess... by shentino · 2012-06-07 16:51 · Score: 2
  
  Which is why it's sound engineering for a computer to have a bios loader burned into a rom chip that can reflash the bios.
2. Re:Good thing, I guess... by couchslug · 2012-06-08 00:52 · Score: 1
  
  "It could have been worse, the instruction could have been to wipe the computer's hard drive, or worse, load garbage into the EEPROM, overwrite the BIOS, and THEN wipe the computer's boot sectors, then hard drives... would be tough to recover from that. Even if you have backups and a boot disk... if your BIOS is destroyed, your computer is going to require professional help even to get to the point where it starts looking for a bootloader..."
  If THAT happened, people would actually pay attention to computer security. It would be counter-productive.
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
When your covert operation has made the news... by Arancaytar · 2012-06-07 16:20 · Score: 4, Insightful

... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
1. Re:When your covert operation has made the news... by Anonymous Coward · 2012-06-07 19:21 · Score: 2, Insightful
  
  ... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
  The code, sure. But there is still value in hiding what data has been stolen. Destroying the evidence rather than deleting it in a recoverable way means that if a target realises they were infected they will have to assume that everything was taken. That's much worse than knowing exactly what was taken. Consider online store that keeps credit card details for a million users - the difference between knowing that 20 credit card details were leaked and merely knowing that you were infected could well be the difference between surviving as a company or not.
2. Re:When your covert operation has made the news... by Arrepiadd · 2012-06-07 19:50 · Score: 2
  
  Sure, but who says the point was trying to avoid being discovered
  To me it sounds more like a method to avoid being detected where it hadn't been yet. Let's say the biggest bad ass in the neighborhood just got to know about Flame. As others have pointed, unless he backed up his computer, he will never be able to find out if he was infected. For whomever built this, I'd say this is very valuable.
3. Re:When your covert operation has made the news... by flux · 2012-06-08 08:44 · Score: 1
  
  And even if the machines in question were backed up, don't typical rootkits (which I'm not saying Flame is) hide themselves from the filesystem in certain situations? Could be that the backups have no trace of Flame.
Re:In that order by TaoPhoenix · 2012-06-07 16:23 · Score: 1

"The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order."
Why would Israel create malware that hits themselves second? So they can play innocent?

--
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Best reason to hide this is 'Intelligence'. by arthurh3535 · 2012-06-07 16:28 · Score: 5, Interesting

As in those who were infected that lost important data can no longer know (for a surety) that their important data kept on their computer/server was compromised or not.
"So our top-sekret 'eyes-only' data may or may not be compromised and they may know everything. But we don't know if they actually know anything about everything. So we can't trust anything that we've stored on a computer in the last year."
Talk about your security nightmare situation for an Intelligence Agency of some acronym.

--
No! It's a *SIG*. Keep the Special Interest Groups away! (Con joke!)
1. Re:Best reason to hide this is 'Intelligence'. by Anonymous Coward · 2012-06-07 16:59 · Score: 1
  
  They're foolish if they don't have some form of periodic differential mirroring backup that prevents overwrites.
2. Re:Best reason to hide this is 'Intelligence'. by sociocapitalist · 2012-06-07 19:48 · Score: 1
  
  Talk about your wet dream situation for an Intelligence Agency of some acronym.
  FTFY :-)
  
  --
  blindly antisocialist = antisocial
Re:In that order by InsaneMosquito · 2012-06-07 16:40 · Score: 1

Maybe it was unintentional? Stuxnet wasn't supposed to be released, maybe a code change was made and deployed in Israel and it escaped at that point.
Re:In that order by Bevilr · 2012-06-07 17:33 · Score: 4, Insightful

Have you bothered to read other articles on Flame? It's ability to record and gather information and transmit it back to C&C servers means that it's an excellent tool not just to do large government espionage, but also to listen in on individual conversations. As a tool in a fight against domestic terrorism, and counter espionage. I imagine it would be very effective, it's like a wiretap, without having to ask a judge for a wiretap. Infections in Israel/Palestine aren't broken down by Israel vs Palestine anywhere I've seen, which may mean that the vast majority are in Palestine. If that's true, it is another pretty large piece of evidence in favor of Israeli authorship.
Re:In that order by sortadan · 2012-06-07 18:52 · Score: 3, Insightful

Why would you think that they wouldn't spy on their own people, especially with their relationship to the Palestinians? If anything, the fact that it's not showing up in the US would tend to prove the point that it was Israel. The US clearly isn't afraid to spy on it's own people.
Re:In that order by slashmojo · 2012-06-07 19:43 · Score: 4, Insightful

By the same reasoning it could have been made by Iran..
Re:In that order by busyqth · 2012-06-07 19:45 · Score: 1

Stuxnet wasn't supposed to be released.
You sure are gullible.
Coincidentally by RivenAleem · 2012-06-07 19:53 · Score: 2

Download rate for MyCleanPC is up in Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
Re:Nice try by HyperQuantum · 2012-06-07 23:04 · Score: 1

They sent the virus an instruction, and the virus is removing all traces of itself from a machine.
It makes me wonder how they implemented that functionality. Because, in the Windows world an executable cannot delete or modify itself. Files that are open for reading cannot be deleted; this is also the reason for the message "Windows cannot update important system files and services while the system is using them" after running Windows Update.
So how did they do it? Separate the self-destruct module into a different executable, placing it in temp storage or something? But then that executable will remain on disk. Unless they aren't worried about that. "Who cares, the sensitive parts have been securely deleted."

--
I am not really here right now.
Goverment Crimeware? by Kamiza+Ikioi · 2012-06-08 00:58 · Score: 1

And whether governments do it, or the RBN, it's still crimeware.
I think that's taking a fast and loose definition of "crime", isn't it? That would make tanks, bombs, planes, and even spy tech... all crimetech.
Spyware is taken, and Warware may not roll off the tongue as easy. But calling government cyberwar activities Crimeware just feeds the nutjob conspiracy theorists, as though no government has no legitimate self interest in spying or conducting activities against other countries.
As someone against the taking of human life, I find government cyberwar methods to be the best thing to happen to humanity since the bullet proof vest!

--
I8-D
1. Re:Goverment Crimeware? by bmo · 2012-06-08 01:23 · Score: 1
  
  >I think that's taking a fast and loose definition of "crime", isn't it?
  No, not really.
  It's an illegal activity, whether done by governments or by the mob.
  --
  BMO
2. Re:Goverment Crimeware? by slimjim8094 · 2012-06-08 01:34 · Score: 3
  
  It's an illegal activity, whether done by governments or by the mob.
  So if the government murders (we call it war) or kidnaps (we call it arrest), is it also illegal? I understand and sympathize with a lot of the "fuck da man" libertarianism around here, but nobody's ever seriously argued that the government shouldn't have more power to affect a person than the average person. The trade-off is all the accountability they're supposed to have. We don't let your neighbor tie you up and lock you in his house, but we let the police - if they can justify it.
  
  --
  I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
3. Re:Goverment Crimeware? by lordholm · 2012-06-08 01:49 · Score: 1
  
  State monopoly on violence is essential for building a civilized society. It actually reduces the number of murders and killings in total. Steven Pinker has put forward an excellent theory (building on works of others), which he illustrate solidly with lots of data that when states where formed, having monopoly on violence, the violence rate (including the violence from the state) went down by a factor of 10.
  Actually, I would say that the state is evil, but it is a necessary evil and better than the alternative (absolute anarchy). We should always choose the lesser of evils.
  
  --
  "Civis Europaeus sum!"
4. Re:Goverment Crimeware? by bmo · 2012-06-08 01:54 · Score: 1
  
  >So if the government murders (we call it war) or kidnaps (we call it arrest), is it also illegal?
  No. Because you miss the point that the above are done under the rule of law.
  Flame, etc, are not done under the rule of law. They are merely rogue state actions outside the rule of law when practiced by a state.
  The Congress did not give the Executive branch this power by any sort of law that I can recall, not even the PATRIOT act, and if they had, it would have certainly appeared here, and I've been here since before 2001.
  Nice try, though.
  --
  BMO
5. Re:Goverment Crimeware? by bmo · 2012-06-08 02:06 · Score: 1
  
  Yes, but when a hostile action is taken outside the rule of law, that is per-se illegal and a crime. See my other message.
  --
  BMO
Safe gaming by halcyon1234 · 2012-06-08 01:38 · Score: 1

Yay, it's gone! Does that mean it's safe for me to play Angry Birds again?

--
UTF-8: There and Back Again
You don't "run" the virus by 1800maxim · 2012-06-08 01:48 · Score: 1

That's why when you have a copy of the infected files, or the hard disk, or the virus itself, you don't run the system. You analyze it from another system, to ensure no writes are done by the infected system.

Fear not, once it's in the researchers' hands, it ain't going anywhere.
Re:In that order by lordholm · 2012-06-08 01:53 · Score: 1

Why would they want to? Considering the purpose of Stuxnet, it would be essential that it remains hidden from security firms. It escaping into the wild was most definitely an accident.

--
"Civis Europaeus sum!"
Re:SSD file deletion and overwriting by DocSavage64109 · 2012-06-08 02:02 · Score: 3, Interesting

This older article from slashdot points out the opposite problem.

"They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker."
Who said this was limited to the US government? by Kamiza+Ikioi · 2012-06-08 02:18 · Score: 1

The Congress did not give the Executive branch this power by any sort of law that I can recall
Who said this was limited to the US government? You are talking about against US citizens by the US government, a very select case. Several countries can spy on their own citizens "by law", China for instance. It's quite legal there. So, that immediately would contradict your statement "It's an illegal activity, whether done by governments or by the mob." Because it's just not true on its face.
We are not aware which country did this, unlike Stuxnet. So let's look at Stuxnet, which was created by the US and Israel. The CIA operates under similar legality to operate on foreign agents and powers. Why does Stuxnet differ from an agent sneaking in and sabotaging a machine?
In what way is Stuxnet, targetted at Iran, crimeware under US law. Sometimes laws give explicit powers. Other times, powers are assumed unless explicitly prohibited.
Something is not simply illegal where the law is silent.
So, assuming Stuxnet was an operation carried out by the US government against the Iran government, and assuming that it operated as intended, namely that it never left Iranian facilities... show me the law, the exact law, that makes it illegal.
You are sort of blandly making these assumptions of legality... without anything legal backing. If you were to take the makers of Stuxnet to court, what law would you go to SCOTUS charging them with if you were Iran?
You can't just throw "not done under the rule of law" out there. That's some libertarian, "government can't do anything unless we spell it out in exact detail to them, with no wiggle room", jargon. And, you may very well be a libertarian and believe that. Unfortunately for that argument, neither the US government nor the courts nor China nor Russia nor many other countries with cyberwar programs take such a view on the law.
That leaves it as thinking is should be illegal, but that's opinion, not law.

--
I8-D
1. Re:Who said this was limited to the US government? by bmo · 2012-06-08 02:38 · Score: 1
  
  You find me the law that grants the Executive branch the power to do this, when there are laws within the US that make computer intrusion illegal *on the books since the 80s* So unless Congress carves out an exemption for the Executive branch to those laws, computer intrusion is illegal since it is already illegal via state and federal law.
  And if you have read anything I have ever written in here, I am far from libertarian. Indeed, I find it an insult, sir.
  --
  BMO
2. Re:Who said this was limited to the US government? by bmo · 2012-06-08 02:42 · Score: 1
  
  To follow up on my previous message:
  http://www.law.cornell.edu/uscode/text/18/1030
  Show me where the Executive Branch is exempt from this.
  --
  BMO
3. Re:Who said this was limited to the US government? by slimjim8094 · 2012-06-08 02:50 · Score: 1
  
  Assuming you're talking about the Computer Fraud and Abuse Act and its amendments (18 USC 1030), it only applies to "protected computers" which are:
  
  - exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
  - which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States
  In other words, the laws only concern themselves with computers in the US, or outside but used by US entities but only if the intrusion affected them. It's hard to argue that a bunch of process computers in the Middle East meets either definition. Furthermore, it specifically exempts intelligence activities:
  
  (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
  IANAL, but I think there's your law.
  
  --
  I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
4. Re:Who said this was limited to the US government? by bmo · 2012-06-08 03:03 · Score: 1
  
  But Stuxnet and Flame are both found *outside* just the PLCs running centrifuges in Iran. Indeed, that's how Stuxnet was discovered, on computers *totally unrelated* to the enrichment of Uranium *outside* of Iran.
  >Symantec noted in August 2010 that 60% of the infected computers worldwide were in Iran.[12] - Wikipedia
  Which means that 40 percent of the computers were *outside Iran* and *totally* unrelated.
  Lawful activities of an intelligence agency need to be targeted to specific foes. That is unless you are arguing for the scatter-shot strategy of infecting everything on the planet in the name of state security.
  At that point, we have nothing to discuss.
  --
  BMO
Strong evidence this is a state-run malware app. by conspirator23 · 2012-06-08 05:08 · Score: 2

Despite being smart and thoughtful enough to put in a method to cover their tracks after discovery, they took way, WAY to long to pull the trigger and too much forensic data has already been determined. That's a failure of bureacracy. A more nimble organization would have flushed the damn thing before it could be slashdotted.
Re:Nice try by uglyduckling · 2012-06-08 05:12 · Score: 1

I would think that any of the standard mechanisms in Windows for removing an installed program could be hijacked.
Re:Nice try by steelfood · 2012-06-08 06:27 · Score: 1

Considering some of these exploits are algorithmic and have nothing to do with the implementation, no. You don't "patch" these exploits. You move to a different algorithm entirely.

--
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
dude! by hesaigo999ca · 2012-06-08 08:41 · Score: 1

awesome guys, these malware writers, seems to me they should be running things, as they think of everything!?