Slashdot Mirror


Flame Malware Authors Hit Self-Destruct

angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."

42 of 260 comments

  1. SUICIDE not good enough... by reve_etrange · · Score: 5, Funny

    The article implies that the new module overwrites with random data instead of just deleting files. I guess the original authors didn't think of that one...government inefficiency in action I suppose.

    --
    .: Semper Absurda :.
    1. Re:SUICIDE not good enough... by cheater512 · · Score: 5, Informative

      It overwrites with random data THEN deletes.

      Makes it impossible to tell it was ever installed.
      Otherwise you could scan the disk for remnants to tell if a computer was infected in the past.

      Delete doesn't actually remove any data; it just removes the filename and marks the space as free.
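The point made in this comment, that an ordinary delete leaves the file contents in unallocated space where a forensic scan can still find them while an overwrite-then-delete does not, can be shown with a small simulation. This is an added example, not code from the thread or from Flame: it models a disk as a byte array with a toy allocation table (block size, filename and marker string are constructed values) and carves the unallocated blocks for a known signature.

```python
import os

BLOCK = 512  # bytes per block in the simulated disk (constructed value)


class ToyDisk:
    """Minimal disk model: a flat byte array plus a table mapping
    filenames to the block ranges they occupy. Deleting a file only
    drops its table entry; the blocks keep whatever was written."""

    def __init__(self, blocks):
        self.data = bytearray(blocks * BLOCK)
        self.files = {}            # name -> (first_block, nblocks)
        self.free = set(range(blocks))

    def _find_run(self, n):
        # simplest allocator: lowest contiguous run of free blocks
        for start in sorted(self.free):
            if all((start + i) in self.free for i in range(n)):
                return start
        raise OSError("disk full")

    def write_file(self, name, content):
        nblocks = -(-len(content) // BLOCK)     # ceiling division
        start = self._find_run(nblocks)
        for i in range(nblocks):
            self.free.discard(start + i)
        off = start * BLOCK
        self.data[off:off + len(content)] = content
        self.files[name] = (start, nblocks)

    def delete(self, name):
        """Ordinary delete: metadata gone, block contents untouched."""
        start, n = self.files.pop(name)
        self.free.update(range(start, start + n))

    def shred(self, name):
        """Overwrite with random data, then delete (the behaviour the
        comment above attributes to the replacement module)."""
        start, n = self.files[name]
        off = start * BLOCK
        self.data[off:off + n * BLOCK] = os.urandom(n * BLOCK)
        self.delete(name)


def carve_unallocated(disk, signature):
    """Forensic check: scan only the unallocated blocks for a known
    byte signature. Matching is block-local (a signature straddling
    two blocks is not found). Returns the block numbers with hits."""
    hits = []
    for b in sorted(disk.free):
        chunk = disk.data[b * BLOCK:(b + 1) * BLOCK]
        if signature in chunk:
            hits.append(b)
    return hits


# Constructed sample payload with a recognisable marker string.
MARKER = b"CONSTRUCTED-SAMPLE-PAYLOAD-MARKER"
SAMPLE = MARKER + b"\x00" * 700          # spans two 512-byte blocks


def demo_delete_only():
    """Delete without overwriting: the marker survives in free space."""
    d = ToyDisk(16)
    d.write_file("sample.bin", SAMPLE)   # hypothetical filename
    d.delete("sample.bin")
    return carve_unallocated(d, MARKER)


def demo_overwrite_then_delete():
    """Overwrite first: the carve over free space finds nothing."""
    d = ToyDisk(16)
    d.write_file("sample.bin", SAMPLE)
    d.shred("sample.bin")
    return carve_unallocated(d, MARKER)


if __name__ == "__main__":
    print("delete only  ->", demo_delete_only())
    print("shred+delete ->", demo_overwrite_then_delete())
```

Real carving tools work the same way at larger scale: they search unallocated clusters (and slack space) for headers or known hashes, which is exactly why remnants of a merely deleted file still identify a past infection and an overwritten one does not.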

    2. Re:SUICIDE not good enough... by Billly+Gates · · Score: 5, Insightful

      The more I learn about Flame the more it amazes me.

      Arstechnica.com has more stories on it and how it worked through collision detection and much more. I am amazed yet worried as I am sure malware mafia folks are using the source code with real NATO grade malware complete with forging certificates, turning zombies into proxy servers, and using the MD5 collision detection done by professional mathematicians.

      Worse, Ubuntu and other operating systems can be hit by this as they use the same algorithms for the certificates. This piece of malware was not just done through conventional 0-day exploits but rather through a very sophisticated means of forging certificates, and might have done the cyberworld much more harm.

    3. Re:SUICIDE not good enough... by cheater512 · · Score: 5, Informative

      Most certificates these days use SHA1 at the very least.

      This is not an issue for Linux anyway because Linux does not use certificates for code.
      Some do sign repositories, however those certificates are somewhat stronger.

      Remember, MD5 has been broken and deprecated for many years.

    4. Re:SUICIDE not good enough... by blueg3 · · Score: 5, Interesting

      Journals are only so deep and, more importantly, only contain file metadata. You might, sometimes, be able to use them to determine that a file used to exist on a computer, but not what its contents were.

    5. Re:SUICIDE not good enough... by mysidia · · Score: 4, Informative

      Journals are only so deep and, more importantly, only contain file metadata.

      True, but Volume shadow copy can retain past revisions of files for a considerable length of time. So can backup applications which store copies of files offline.

    6. Re:SUICIDE not good enough... by Anonymous Coward · · Score: 5, Informative

      Journals are only so deep and, more importantly, only contain file metadata.

      This is true for most installations, but not in general. Some journaling filesystems (including ext3 and ext4) let you write all data through the journal as well -- it guarantees data integrity as well as filesystem consistency.

      Obviously, if the journal is on the filesystem device (internal journal, or external journal on another partition of the same disk (but WTF would you do that)), it costs you half your write bandwidth, which is why it's rarely used (though it can boost performance on fsync-heavy workloads, because it reduces seeking), but it can be effective with an external journal, or if the data integrity is worth the performance loss.
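Whether a filesystem's journal carries only metadata (the default "ordered" mode) or full file data ("data=journal"), as this comment describes for ext3/ext4, is visible in the mount options. The following is an added example, not from the thread: it audits mount table lines in the format of /proc/mounts (the sample lines are constructed) and reports, for each ext3/ext4 mount, which journal data mode is in effect and therefore whether file contents could be recovered from the journal at all.

```python
# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /var/log ext4 rw,relatime,data=journal 0 0
/dev/sdb1 /data ext3 rw,relatime,data=writeback 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

JOURNALING_EXT = {"ext3", "ext4"}


def journal_data_mode(options):
    """Return the ext3/ext4 data= mode from a mount option string.
    When the option is absent the kernel default is 'ordered':
    only metadata goes through the journal."""
    for opt in options.split(","):
        if opt.startswith("data="):
            return opt[len("data="):]
    return "ordered"


def audit_mounts(text):
    """Parse /proc/mounts-style text and report, for ext3/ext4 mounts,
    whether file data is written through the journal."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed or blank line
        device, mountpoint, fstype, options = fields[:4]
        if fstype not in JOURNALING_EXT:
            continue                      # journal mode only applies to ext3/ext4
        mode = journal_data_mode(options)
        result[mountpoint] = {
            "device": device,
            "fstype": fstype,
            "data_mode": mode,
            "data_in_journal": mode == "journal",
        }
    return result


def mounts_with_data_journal(text):
    """Convenience view: just the mount points whose journal holds file data."""
    return sorted(m for m, info in audit_mounts(text).items()
                  if info["data_in_journal"])


if __name__ == "__main__":
    for mnt, info in audit_mounts(SAMPLE_MOUNTS).items():
        print(f"{mnt:10} {info['fstype']} data={info['data_mode']}")
    # On a live system: audit_mounts(open("/proc/mounts").read())
```

For an investigator this answers a narrow question quickly: on an "ordered" or "writeback" mount the journal can at best show that a file existed, as the parent comment says, while on a "data=journal" mount recent file contents may also survive there until the journal wraps.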

    7. Re:SUICIDE not good enough... by catmistake · · Score: 5, Interesting

      The more I learn about Flame the more it amazes me.

      The more I learn about the whole cyberwar program the more I am impressed.

    8. Re:SUICIDE not good enough... by hairyfeet · · Score: 4, Interesting

      Which brings up something I've been wondering about...is it even POSSIBLE to overwrite a file if it's on an SSD? Sure it's easy enough to do on a HDD without having to wipe the whole drive, but since the SSD basically "lies" to the OS about where the data is actually at so it can perform wear leveling is it even possible to overwrite just a few files on an SSD with random data, or would one have to format the whole thing?

      As for TFA just more proof it was written by a government and NOT a criminal, because a criminal would have been more likely just to wipe the whole drive just to be pricks. Let's face it when it comes to malware we have a lot more cases of the writers being pricks than we do of them being nice, so it just makes me think even more these new bugs are just government works for hire.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:SUICIDE not good enough... by Anonymous Coward · · Score: 5, Informative

      As someone who works in the ITAD industry SSDs are causing an absolute shit-fit to put it lightly. No, it is not possible to reliably overwrite any given file on an SSD. The obfuscation layer makes it impossible to perform a true full overwrite and even harder to verify.

      Sadly even formatting the whole thing is ineffective if you want to be sure that 100% of data is overwritten. SSDs have 10-30% more blocks than they let on, and the drive chooses which ones it's telling you about. If you write one day and wipe another your guess is as good as mine where the data was saved, what the software tried to overwrite, and what any effort to verify is reading. All three could be different.
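The two comments above (wear levelling hiding where data really lives, and over-provisioned blocks the host never sees) can be made concrete with a toy flash translation layer. This is an added example, not code from the thread or from any drive firmware: it is a deliberately simplified model (16-byte pages, a constructed secret) in which every write goes to a fresh physical page and the old page is only marked stale, so host-side verification reports success while a physical read of the chips still finds the data.

```python
import os

PAGE = 16   # bytes per flash page (constructed, tiny for illustration)
SECRET = b"SECRET-KEY-0001 "   # exactly 16 bytes, constructed


class ToySSD:
    """Model of a flash translation layer. Logical block addresses (LBAs)
    map to physical pages; a write never updates in place but goes to a
    free page (wear levelling), leaving the previous copy stale until a
    garbage-collection pass erases it. More physical pages than logical
    ones mimic over-provisioning."""

    def __init__(self, logical_pages, spare_pages):
        total = logical_pages + spare_pages
        self.phys = [bytes(PAGE) for _ in range(total)]   # raw chip contents
        self.map = {}                                      # lba -> physical page
        self.free = list(range(total))
        self.stale = set()

    def write(self, lba, data):
        assert len(data) == PAGE
        if not self.free:
            self._gc()                       # reclaim stale pages only when forced
        p = self.free.pop(0)
        self.phys[p] = bytes(data)
        old = self.map.get(lba)
        if old is not None:
            self.stale.add(old)              # old copy is still physically present
        self.map[lba] = p

    def read(self, lba):
        """Host view: the current mapping only; stale pages are invisible."""
        return self.phys[self.map[lba]] if lba in self.map else bytes(PAGE)

    def _gc(self):
        # Only here does previously written data actually disappear.
        for p in sorted(self.stale):
            self.phys[p] = bytes(PAGE)
            self.free.append(p)
        self.stale.clear()


def chip_off_remnants(ssd, secret):
    """What a chip-off or vendor-level read sees: every physical page."""
    return [i for i, page in enumerate(ssd.phys) if secret in page]


def demo_single_file_overwrite():
    """Overwrite one LBA with random data and verify through the host
    interface: verification passes, yet the secret remains on the chip."""
    ssd = ToySSD(logical_pages=4, spare_pages=2)
    ssd.write(0, SECRET)
    ssd.write(0, os.urandom(PAGE))
    host_says_clean = SECRET not in ssd.read(0)
    return host_says_clean, chip_off_remnants(ssd, SECRET)


def demo_full_logical_overwrite():
    """Overwrite every logical address (a 'full wipe' from the host's
    point of view). Spare pages mean the original copy can still survive."""
    ssd = ToySSD(logical_pages=4, spare_pages=2)
    ssd.write(0, SECRET)
    for lba in range(4):
        ssd.write(lba, os.urandom(PAGE))
    host_says_clean = all(SECRET not in ssd.read(lba) for lba in range(4))
    return host_says_clean, chip_off_remnants(ssd, SECRET)


if __name__ == "__main__":
    print("single file:", demo_single_file_overwrite())
    print("full wipe:  ", demo_full_logical_overwrite())
```

The model is far simpler than real firmware, but it reproduces the three things the ITAD commenter lists: the host cannot choose the physical location, the overwrite may land elsewhere, and the verification read is answered from the mapping rather than from the chips. The usual conclusion for defenders is that data on flash should be protected by encryption from the start, so that disposal reduces to destroying the key rather than trying to overwrite pages the host cannot address.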

    10. Re:SUICIDE not good enough... by detritus. · · Score: 5, Interesting

      Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3

      No one should dismiss the likelihood of rogue developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu. This news also appeared on Slashdot, but it's mysteriously disappeared since then (this is where I originally heard about it).

    11. Re:SUICIDE not good enough... by DarkOx · · Score: 4, Insightful

      Right but the assumption has always been they don't vandalize their own bots because the owners would then discover they are part of a bot net. That does not hold if the bot net owner is already dismantling the network; I don't know what motivation they have to not nuke the hosts entirely to ensure they don't leave any fingerprints.

      The only thing I can think of is they may be concerned that if a large percentage of the public has their machines trashed all at the same time Joe Sixpack of Pakistani mangoes might wake up and start taking computer security seriously. Which could make future bot nets harder to construct.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    12. Re:SUICIDE not good enough... by Anonymous Coward · · Score: 4, Informative

      Actually, yes - my Mac does it automatically.

    13. Re:SUICIDE not good enough... by chrb · · Score: 5, Informative

      Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3

      Ubuntu bug: Bug reported 22nd September and closed the same day.

      Microsoft bug: attacks on MD5 widely known and carried out since 2005, but Microsoft still carry on using it in Windows Update until 2012.

      No one should dismiss the likelihood of rogue developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu.

      Do you have any evidence that this was the action of a rogue developer? By your logic, you must no longer use a computer, as the "rogue" developer issue is one that potentially affects all software.

    14. Re:SUICIDE not good enough... by drinkypoo · · Score: 4, Interesting

      But, a format or full empty space overwrite should make sure somebody will have to disassemble the drive to actually get to the data remnants

      That is almost certainly false. The vendor almost certainly has commands to let them retrieve the full data from the drive over the bus.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:SUICIDE not good enough... by hairyfeet · · Score: 5, Interesting

      Please don't do that. You'd be surprised how many people out there can't afford a PC at all and how many guys there are like me that donate their time refurbing giveaways from businesses so that those poor folks can have a PC. I have yet to see ANYONE recover squat from a spinning rust drive wiped with DoD-3, which is what I use on all donations, so please don't destroy the drives, because with the price of HDDs still so high that just means that many more machines can't be refurbed to help the poor. Do a DoD-3 and then use whatever software you wish to try to recover but you won't find anything, then donate it; if you don't know about anyone like me your local churches or Freecycle will be glad to help.

      But so far if things continue as they have been frankly you won't have to give away that SSD, it'll already be dead before you get a chance. The amount of failures from SSDs is just insane; every one of my gamer customers that tried to switch ended up going with the hybrids or raptors simply because of how quickly they die.

      But when it comes to HDDs please just do a DoD-3, there are folks out there that would look upon that old P4 or early dual as a real blessing, thanks.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Interesting by Anonymous Coward · · Score: 5, Interesting

    Something tells me that this wasn't designed by a teenager.

    1. Re:Interesting by flyingsquid · · Score: 5, Insightful

      Something tells me that this wasn't designed by a teenager.

      There are a limited number of possible suspects. First off, not many parties have the means to create this. The consensus is that Flame is one of the largest and most advanced pieces of malware ever created- it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability. That list is pretty short, and would include countries like the United States, China, Russia, Israel, and North Korea.

      Second, let's look at the targets. The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order. Roughly half of the infections are in Iran. So whoever created Flame is worried about the Middle East, but really, really worried about Iran. More worried about Iran than any other country. The Iran fixation suggests two possible suspects- Israel and the United States.

      The focus on Iran is consistent with Flame coming from the U.S., but Flame also targets several U.S. allies, including Egypt and Saudi Arabia. The other thing is, Flame doesn't target anything outside of the Middle East. If it was produced by the U.S., you'd expect Flame to be found in other countries- North Korea and Pakistan, for example- where the U.S. has security interests. But whoever created Flame doesn't really care what happens in North Korea or Pakistan. Whoever created Flame is primarily concerned with countries that are either enemies or potential enemies of Israel- Iran, Palestine, Syria, Lebanon. That strongly suggests Israel as the culprit.

    2. Re:Interesting by viperidaenz · · Score: 4, Insightful

      ... because small groups of smart people can't create something complex? It's software, you don't need massive amounts of funding, all you need is a few smart people and some time.

    3. Re:Interesting by DarkOx · · Score: 5, Interesting

      it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability.

      The thing weighing in at 20 megs is not an achievement, rather it's an embarrassment showing total lack of craft. Much of the code in this thing is not the malware itself either, it's interpreters and support libraries to run it, and much of it open source and otherwise stuff that serves other purposes. It's not an efficiently built thing at all.

      The only achievement here, if there is one, is somebody managed to deliver a payload that large, so often undetected and reliably. I agree it looks state sponsored to me, only government contractors could create a turd this large and still polish it enough that it mostly worked.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Interesting by cryptizard · · Score: 4, Interesting

      Actually quite the opposite. It has been stated by antivirus folks that its large size and structure actually helped it hide for longer. AV software is used to viruses being super-optimized and obfuscated. Flame on the other hand looks like any other desktop application, complete with included runtimes.

  3. That explains it. by Anonymous Coward · · Score: 5, Funny

    My mother was wondering why her computer suddenly was working so much better.

    Thanks dudes!

  4. Re:Nice try by Dunbal · · Score: 4, Informative

    Er no, this is infected machines being remotely instructed to clean themselves up by the person controlling the "virus". It has nothing to do with you doing anything to your machine. They sent the virus an instruction, and the virus is removing all traces of itself from a machine.

    --
    Seven puppies were harmed during the making of this post.
  5. No AutoDestruct by bengoerz · · Score: 5, Interesting

    In hindsight, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained. As it stands, there's still evidence of Flame sitting on disconnected machines.

    1. Re:No AutoDestruct by nanoflower · · Score: 4, Insightful

      All too true. I'm sure the authors will be taking that into account for their next version. Hopefully everyone will be on the lookout and catch it quicker than they did this one.

    2. Re:No AutoDestruct by Anonymous Coward · · Score: 5, Insightful

      That doesn't sound like a very effective worm. If they did it that way you could fix the infection with a pf rule.

    3. Re:No AutoDestruct by gman003 · · Score: 5, Interesting

      Imagine if everything had gone according to plan. They've gotten all the data they need, and have not been detected. They issue a self-destruct order, and bam. Nobody will ever know they were even there.

      Now, as for why they're doing it now, there's another reason. I imagine the target has figured out they're infected. But maybe they don't know every computer that was infected. And if the virus has self-destructed, they may never know for sure which machines were hit. Even if they actually *did* ID every machine, the fact that the creators did this may make them think they missed some.

    4. Re:No AutoDestruct by Billly+Gates · · Score: 5, Interesting

      If this is a real professional job I would not be surprised if it leaves some backdoors opened for another different piece of malware. It wouldn't surprise me if Cisco router rootkits exist. After all evidence points in China they are doing just this, as they did with Nortel routers with a backdoor.

    5. Re:No AutoDestruct by Baloroth · · Score: 5, Interesting

      The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable, anyways, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminate the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.

      A secondary implication is that Flame has fulfilled its purpose. Again, what that is, no one is exactly sure (espionage, certainly, but you don't create something this advanced without some specific target in mind) and it wasn't worth maintaining anymore.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  6. The bigger question. by multicoregeneral · · Score: 4, Interesting

    Sure, all this business with Flame is absolutely fascinating. But even more fascinating: why are European and American software companies doing business with Iran in the first place?

    --
    This signature intentionally left blank.
    1. Re:The bigger question. by Hamsterdan · · Score: 4, Interesting

      I have a hunch money's involved...

      --
      I've got better things to do tonight than die.
    2. Re:The bigger question. by gman003 · · Score: 5, Insightful

      You know what's more interesting?

      Heckler und Koch GmbH and Rheinmetall AG have licensed factories in Iran. Iranian factories are cranking out G3s, MP5s, MG3s, all legally and for export. Not to mention the various Chinese/Russian small arms they manufacture (couldn't find out whether those were licensed or not).

      I think that, before they ban software companies from doing business in Iran, they should maybe think about banning the firearm companies. Just a thought.

    3. Re:The bigger question. by fullback · · Score: 5, Insightful

      Because there is no legitimate reason to not do business. The relentless war mongering against fictional bogeymen is fascinating, too.

  7. Flame just gets more and more interesting by tick-tock-atona · · Score: 5, Insightful

    Not only does Flame use a previously unknown MD5 chosen prefix attack, but now they are removing all traces of the software from machines under their control.

    Now, since security researchers already have copies of the software this isn't going to stop anyone further deconstructing and analysing it. The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?

  8. Yes, "Lucky" by SuperKendall · · Score: 4, Insightful

    The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive.

    Or, to make everyone else stop looking.

    You know all of the installations received the same self-destruct command how again?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  9. That's it, I'm officially convinced by Voyager529 · · Score: 4, Funny

    The people who wrote Flame are the same fine ladies and gentlemen who have brought us CleanMyPC.com. Apparently their accountant is on vacation or something, because removing malware is generally a service that they charge for.

  10. The Other by SuperKendall · · Score: 5, Funny

    Maybe it self destructs when it can't find a LAN connection?

    Works for Diablo 3...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:Nice try by griffjon · · Score: 4, Interesting

    Does it close the doors on the way out and patch the various exploits it used to get in to the system in the first place, or does it just leave the system ripe for future re-exploitation by the same or similar tools?

    In other news, over in Oz - the man who was behind the curtain is not only unimportant, but not there now, so please stop looking.

    --
    Returned Peace Corps IT Volunteer
  12. When your covert operation has made the news... by Arancaytar · · Score: 4, Insightful

    ... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.

  13. Best reason to hide this is 'Intelligence'. by arthurh3535 · · Score: 5, Interesting

    As in those who were infected that lost important data can no longer know (for a surety) that their important data kept on their computer/server was compromised or not.

    "So our top-sekret 'eyes-only' data may or may not be compromised and they may know everything. But we don't know if they actually know anything about everything. So we can't trust anything that we've stored on a computer in the last year."

    Talk about your security nightmare situation for an Intelligence Agency of some acronym.

    --
    No! It's a *SIG*. Keep the Special Interest Groups away! (Con joke!)
  14. Re:In that order by Bevilr · · Score: 4, Insightful

    Have you bothered to read other articles on Flame? Its ability to record and gather information and transmit it back to C&C servers means that it's an excellent tool not just to do large government espionage, but also to listen in on individual conversations. As a tool in a fight against domestic terrorism and counter-espionage, I imagine it would be very effective; it's like a wiretap, without having to ask a judge for a wiretap. Infections in Israel/Palestine aren't broken down by Israel vs Palestine anywhere I've seen, which may mean that the vast majority are in Palestine. If that's true, it is another pretty large piece of evidence in favor of Israeli authorship.

  15. Re:In that order by slashmojo · · Score: 4, Insightful

    By the same reasoning it could have been made by Iran.