20Mb? Modular beyond all reason? It sounds like "enterprise grade" malware to me...
'Super-powerful' Flame worm actually boring bloatware
Flame may be big in size but it's nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code. The cyber-espionage …
-
Thursday 31st May 2012 16:05 GMT Ilgaz
Why don't you get it already?
The issue is how could it go undetected for years. Do you know how real antivirus and security companies work? They've got thousands of "unprotected" machines that are impossible to tell otherwise, software automatically doing the dumbest things, spam traps subscribing to every single stupid mailing system, even opting in.
They've got guys wandering around, social engineering, most of the time endangering their lives in black hat forums and darknets.
That is why commercial, professional antivirus is pay or freemium.
-
Sunday 3rd June 2012 15:10 GMT gollux
Re: Why don't you get it already?
Heh, about 1,000 computers in countries that aren't very trusting of Western Technology and afraid already of being spied on? How could it go undetected for very long? Very easily...
If the Iranian government was eating less of the stupid sauce, there'd be normal business relationships between commerce within Iran and the companies that produce anti-malware. There isn't, so you have a breeding ground for this stuff to be sent to.
-
Thursday 31st May 2012 16:11 GMT Destroy All Monsters
http://en.wikipedia.org/wiki/Mimivirus
"Mimivirus, short for "mimicking microbe", is so called to reflect its large size. Mimivirus possesses many characteristics which place it at the boundary of living and non-living."
Similarly, Flame possesses many characteristics which place it into the genus of bloatware, media players and nagware.
-
Thursday 31st May 2012 16:44 GMT Bernard
This article reads strangely, at least to a non-professional in the security field
Reading some paragraphs the virus was in no way special or clever (though it was big), while reading others it managed to go on completely undetected for an unspecified number of years, while deleting critical information and performing other functions which can't be ascertained or traced back to a culprit.
Likewise, the coding of the virus is not especially unusual or exciting, but will take months and possibly years to decipher.
It may be because I work in a commercial world used to trumpeting even modest failure as startling success, but if I'd delivered a project that met such clearly defined goals over such a long period and didn't leave any significant threads for people to pull apart at the end then I'd feel like I'd done a pretty good job.
-
Thursday 31st May 2012 19:39 GMT peabody3000
Re: This article reads strangely, at least to a non-professional in the security field
That's for sure... everything about this threat looks extremely sophisticated, but the fact that its spread is apparently limited and controlled gives the author licence to dismiss it as bloatware? That is infantile bloviating. If this is "boring" then let's hear all about the exciting ones??
-
Thursday 31st May 2012 19:40 GMT Drew32
Re: This article reads strangely, at least to a non-professional in the security field
Agreed. It seems the significance of Flame would be in its apparent (but not really known) effectiveness... and possibly over a rather extended period of time. Being small, creating a large botnet, or being innovative, getting pats on the back from The Register, obviously weren't primary design goals.
-
-
Thursday 31st May 2012 17:19 GMT Steve Knox
"...most vendors spinning that Flame did not spread very far and that was the reason why it escaped detection for so long."
The real question is when did it first spread to a machine with an active, licensed, up-to-date antivirus/antimalware installation on it. Because that's exactly when this excuse became invalid.
-
Friday 1st June 2012 07:45 GMT WatAWorld
Would a government require AV vendors based in it to miss malware it created?
Most likely more than 2 years ago, since the sorts of computers it has been found on would have been well protected.
Kind of embarrassing for the AV vendors whose products are used in the middle east, so they want to minimize it.
Would a government require AV vendors based in it to miss malware it created?
One of a few reasons I use Kaspersky is that, being in Canada, I'm more worried about the USA or Canada spying on me than Russia.
-
Friday 1st June 2012 16:36 GMT Steve Knox
Re: Would a government require AV vendors based in it to miss malware it created?
WHY would a government require AV vendors based in it[s jurisdiction] to miss malware it created?
Given that there is no jurisdiction that adequately covers all AV vendors, said government would have to make the malware as difficult to detect as possible anyway.
Disclosing the existence of the malware to people in its jurisdiction [especially those most likely to incur financial losses in the event their collusion were discovered] would significantly increase the risk of the malware being detected.
-
-
-
Thursday 31st May 2012 17:50 GMT preppy
Flame - Why did it take so long to detect?
I'm curious about a slightly different question... "Did it take the TARGETS two to five years to detect it?"
After all, the malware is huge, and the alleged data gathering impact must have created significant network traffic.
And if the targets knew about Flame all along, how much MISINFORMATION have they passed along to the spooks who own Flame?
Preppy
-
Thursday 31st May 2012 19:26 GMT Fill
Confusing article
The title and summary seem to contradict the article and its conclusion. The article says it is an advanced and complex piece of targeted malware that must have been made by a nation/state that will take months if not years to analyze, while the title and summary say it is just boring bloatware. Which is it?
-
Thursday 31st May 2012 19:29 GMT diodesign
Re: Confusing article
It's possible to get a big team to write a huge piece of software that then doesn't do anything earth-shatteringly evil. Yes, it does bad things, but so does a lot of malware. It's not the weapon of annihilation first feared, although there is still a lot of code to get through.
C.
-
Friday 1st June 2012 14:20 GMT Ian McNee
Re: Confusing article
@diodesign: that's a somewhat complacent and narrow view. A not unlikely scenario is that this was created by a security agency like the CIA, who have a well-documented penchant for "extraordinarily rendering" (read: violently kidnapping) foreign citizens to assorted locations around the globe to be detained and tortured.
They have done this with the flimsiest of suspicion (bearing in mind that extra-judicial kidnapping, imprisonment, torture and assassination are illegal by definition and in many other ways). So if they happened to have had a tool like this to target potential "terrorists" over the past few years it would almost certainly have been used to assist such actions.
No, Flame/sKyWIper is not a "weapon of annihilation" (nice paper tiger!) but that wouldn't be much comfort to anyone languishing in an interrogation facility in Uzbekistan, would it?
-
Friday 1st June 2012 17:34 GMT Michael Wojcik
Re: Confusing article
> A not unlikely scenario is that this was created by a security agency like the CIA who have a
> well-documented penchant "extraordinarily rendering"
A fallacious argument (specifically argumentum ad misericordiam). Even if there were evidence that Flame was created by the CIA, you've demonstrated no logical association between extraordinary rendition (however vile and unethical that may be) and the thesis, which is that Flame is in some fashion an interesting or important piece of malware.
Extraordinary rendition is believed to usually involve the use of airplanes. That does not, in itself, make airplanes interesting.
-
-
-
Thursday 31st May 2012 19:40 GMT rman33
A couple of observations. First I would not quote Kaspersky as if they were top level experts. They are second rate at best. We currently use them but will stop once the contract expires. They, far and away, have the biggest negative impact on system performance of any of the leading antivirus publishers. Internet speed is literally cut in half when using the internet protection feature as opposed to when that feature is turned off. Their support's first suggestion is 'trying reboot comrade - this is fixing much problem' and when you demand better support it becomes 'Am being very sorry comrade, we are sending new improved version as we are believing this will be helping much'. They simply can't support their product.
Another observation is that it seems odd that several people say this is a 'remote control' and/or data collection and transmission type of malware. I am not a hacker or even a very good programmer but I am a computer scientist and it occurs to me that if you know the code is transmitting data then you would also know where it is being sent to. Likewise if it is being remote controlled then you know where that control is coming from. Why then is it such a mystery 'who' is controlling or receiving transmissions?
-
Thursday 31st May 2012 20:17 GMT fatchap
DNS Flux
Pretty simple: you programmatically create more almost-random strings as domain names and automatically register them as your bot farm switches between them.
You register these domains under false names with less than stellar domain registries and keep the records pointing at a number of servers you have already compromised and can retrieve your information from at leisure. You access them through a string of other proxies and a tor network and hey presto you can go about these things relatively undetected. Especially if some of the hosts are in jurisdictions that don't play nice with western governments when they are investigating.
See here for what other internet randoms say about it: http://en.wikipedia.org/wiki/Fast_flux
-
Friday 1st June 2012 07:54 GMT WatAWorld
Re: DNS Flux
Perhaps a non-western country, but not necessarily.
If the domain registries are in western jurisdictions that have laws requiring employees to cooperate with security services and have stiff criminal penalties for publicizing requests from security services, this DNS flux could be done here.
In the UK for example, I understand that if a domain name registry employee informed his employer of requests by MI6 he could face prosecution under the Regulation of Investigatory Powers Act (or whatever the RIP Act stands for).
The USA has its laws, but patriotism alone would probably be enough to create the silent obedience necessary.
I'm not saying this was a western government, but I do not think we can close our minds to that possibility now, OR IN THE FUTURE.
-
Friday 1st June 2012 08:04 GMT fatchap
Re: DNS Flux
You do know that it is possible to use a registrar that is outside your local vicinity right? Also that there are things like credit card fraud so the person of record on the 1000s of domains may not actually be the perpetrator?
It is one of the reasons that RIPA and the Patriot Act are pretty much useless in this regard.
-
-
-
-
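The fast-flux discussion above (domains that resolve to a changing pool of compromised hosts, often with machine-generated names) is something a defender can look for in their own resolver logs. The following is an added example, not code from any commenter or from The Register: it parses a small set of constructed DNS log lines and flags names that show both rapid answer churn across short-TTL records and high-entropy labels. The log format, the field layout and the thresholds are assumptions chosen for illustration, not tuned values.

```python
"""Fast-flux / DGA-style domain triage over DNS resolver logs.

Added example; not from the page or any commenter. The log lines below are
constructed, and every threshold is an assumption for illustration only.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log, one query per line:
# "<epoch> <client_ip> <qname> <ttl> <answer_ip>"
SAMPLE_LOG = """\
1338508800 10.0.0.5 mail.example-corp.test 3600 192.0.2.10
1338508860 10.0.0.5 mail.example-corp.test 3600 192.0.2.10
1338508900 10.0.0.7 x7qk2zr9v.example.test 120 198.51.100.4
1338509020 10.0.0.7 x7qk2zr9v.example.test 120 198.51.100.77
1338509140 10.0.0.7 x7qk2zr9v.example.test 120 203.0.113.9
1338509260 10.0.0.7 x7qk2zr9v.example.test 120 203.0.113.150
1338509380 10.0.0.7 x7qk2zr9v.example.test 120 198.51.100.200
1338509400 10.0.0.9 cdn.example-corp.test 60 192.0.2.20
1338509460 10.0.0.9 cdn.example-corp.test 60 192.0.2.21
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

# Assumed thresholds (illustrative, not tuned).
MAX_FLUX_TTL = 300        # short TTLs let the operator rotate answers quickly
MIN_FLUX_IPS = 4          # many distinct answers for one name
MIN_FLUX_NETS = 2         # spread across unrelated /24s, unlike a single CDN pool
MIN_DGA_LABEL_LEN = 8     # ignore short labels, whose entropy is meaningless
MIN_DGA_ENTROPY = 3.0     # bits per character of the leftmost label


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, ttl, ip = m.groups()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."),
                        "ttl": int(ttl), "ip": ip})
    return records


def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for an empty or uniform string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def slash24(ip):
    """Coarse network key for an IPv4 dotted-quad (first three octets)."""
    return ".".join(ip.split(".")[:3])


def profile_domains(records):
    """Aggregate per-qname answer diversity and the smallest TTL seen."""
    profiles = {}
    for r in records:
        p = profiles.setdefault(r["qname"], {"ips": set(), "nets": set(),
                                             "min_ttl": None, "queries": 0})
        p["ips"].add(r["ip"])
        p["nets"].add(slash24(r["ip"]))
        p["queries"] += 1
        p["min_ttl"] = r["ttl"] if p["min_ttl"] is None else min(p["min_ttl"], r["ttl"])
    return profiles


def assess(qname, p):
    """Return the list of reasons a name looks fluxy or machine-generated."""
    reasons = []
    if (p["min_ttl"] <= MAX_FLUX_TTL and len(p["ips"]) >= MIN_FLUX_IPS
            and len(p["nets"]) >= MIN_FLUX_NETS):
        reasons.append("ip_churn")
    label = qname.split(".")[0]
    if len(label) >= MIN_DGA_LABEL_LEN and shannon_entropy(label) >= MIN_DGA_ENTROPY:
        reasons.append("dga_like_label")
    return reasons


def triage(log_text):
    """Map each flagged qname to its reasons; unflagged names are omitted."""
    flagged = {}
    for qname, p in profile_domains(parse_log(log_text)).items():
        reasons = assess(qname, p)
        if reasons:
            flagged[qname] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(why)}")
```

Two signals are combined on purpose: the constructed `cdn.example-corp.test` name has a 60-second TTL and two answers, which is ordinary load-balancing behaviour, and it is left alone because its answers sit in one /24 and its label is short; only the name whose answers jump across unrelated networks and whose label reads as random is reported. In practice the thresholds would be set from a baseline of the organisation's own resolver traffic, and a hit is a lead for the analyst, not a verdict.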
Thursday 31st May 2012 20:09 GMT Christian Berger
Obviously not getting it
The purpose of Flame is not to spy on users or infect many systems, but to give meaning to the ITU. The ITU fears becoming useless in a world dominated by lightweight patent-free Internet standards which can be implemented within a day.
This is why the ITU wants to re-brand itself as "cyber security experts". I wouldn't be surprised if the ITU sponsored the development of Flame.
-
Thursday 31st May 2012 22:35 GMT the-it-slayer
Who knows...
...you may have a variant of Flame sitting on a machine right now waiting for its next command? Just seems like it's a Swiss army knife of hacking tools rather than relying on one set of attributes/commands that are already preset within the malware. Very impressive but crap scary.
Just hoping the top security guys and gals are already on the case.
-
Thursday 31st May 2012 22:37 GMT John Sanders
How can malware stay undetected...
Very easy: it is enough not to do anything too noticeable, like slowing your computer down, encrypting your files and asking for a ransom, or stealing all your bandwidth.
If you do not possess a decent border router/firewall that you inspect often and cannot identify strange system processes, then as long as the malware doesn't do anything to alert the user of the computer, it can stay undetected forever.
-
Friday 1st June 2012 04:01 GMT Anonymous Coward
Whatever
Going undetected for years, while only infecting 1,000 or so machines? Sounds about right. I'm actually surprised it was found.
Meanwhile the article itself is extremely inconsistent. There are numerous places where wide reaching statements are made... And the very next statement takes a 180 degree turn.
Regarding AV firms in general: I know they are trying hard, but they need to kick the marketing people off of the development teams. This is a hard thing to do right and the bloatware (AV itself, not the virus) is just too much.
Quite frankly I'm wondering who is having a bad sales year. We've seen a number of virus articles lately on things that just don't impact us. Marketing I'm sure.
At the end of the day we figured out that the cost of an actual infection is much cheaper than paying the "protection" racketeers. I'm sure others are figuring that out as well.
-
Friday 1st June 2012 07:36 GMT WatAWorld
best designed, most dangerous malware is malware that went undetected
Just as the best spies are spies that went undetected, the best designed, most dangerous malware to find on your computer is malware that went undetected for long periods of time.
Flame fits that description perfectly.
Those AV vendors that were not called in by the ITU are simply jealous of Kaspersky.
-
Friday 1st June 2012 10:53 GMT Ilgaz
Bond like
You know, the guy never hides his name or purpose. This 20MB thing doesn't even use executable compression; it looks like "look, I've been in your machines for years. Just think what I would do if you keep messing".
Sounded crazy? What about launching a satellite to space just to shoot it down and competitor doing the exact same thing? Happened, China vs USA. Wikileaks.
-
-
Friday 1st June 2012 08:29 GMT WatAWorld
Kaspersky employee Aleks's blog on securelist is worth reading over
This link in the original Reg article is well worth reading for yourself:
http://www.securelist.com/en/blog?weblogid=208193522
Here are my thoughts on reading it:
1. "While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame."
So actually they weren't even looking for Flame, they were looking for other malware and happened to find Flame.
They still have not found Wiper.
2. The security service (if it was a security service) spreading Flame would likely have been commanding Flame to remove itself from systems that did not hold valuable information, because being on as few systems as possible is key to going undetected.
Aleks says, "According to our observations, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields – they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren’t interesting, leaving the most important ones in place. After which they start a new series of infections."
So really, if there are 1,000 systems infected now, there could have been 10,000, 20,000, 30,000 systems infected in the past two years -- nobody other than the Flame admins has any clue how many systems were infected.
(If I was writing Flame Mk II, I'd make sure the computers it infected were already well protected, so that they would not get infected by something noticeable that would attract scrutiny.)
3. There could be dozens of similar sorts of malware on Apple, Windows and Unix computers and we would not know it.
This malware was only found on a Windows computer by chance, and the more computers are running an OS, the more chance of an accidental discovery, and the more scrutiny the OS gets. (History shows open source Unix has had vulnerabilities discovered that were there for several years. The chance to review an open source program does not mean the open source program was reviewed.)
4. Kaspersky says Flame will use Bluetooth when it is available.
My thoughts are that, if so then bulk information could have been sent from some infected computers via Bluetooth. If just one computer in a business was bluetooth enabled, that computer could relay the information from all the other computers to a hostile Bluetooth device planted near the installation by the security service. Hence there would be less for an admin to see in his firewall logs.
-
Friday 1st June 2012 10:45 GMT Ilgaz
Bluetooth part bugs me
Let's hope there isn't an undetected mobile part of the virus which will be abused to extract info to an innocent victim, using him/her as a carrier. It would be really hard to explain while you are being questioned in some basement.
You know the line "I have no clue how this white powder ended up in my baggage"
-
Friday 1st June 2012 12:31 GMT Brian Miller 1
Re: Kaspersky employee Aleks's blog on securelist is worth reading over
Your 2nd point is EXACTLY what my first thoughts were when the author plays down the infection rates.
If it is capable of erasing its presence and has had at least 2 years, maybe 5 years, to spread and gobble info, the fact that only 1000 concurrent infections have been verified means FA.
If the "insert large governmental institution of your choice" had 1000 people each tasked with slurping the useful stuff off a machine each day, then spreading and finding the most interesting one the next day, let's do the math:
1000 * 5 (working days a week) * 48 (working weeks a year) * 5 (years) = 6 million possible machines infected at this work rate.
So that is in the same order of magnitude as Conficker etc. Of course I have zero evidence to back this up, however Mr. Author, you also have zero evidence the impact was so small and benign.
And what is this about wiper? It strikes me that if you didn't want to bring in 1000 people on this you could easily have your corporate hacker team write a script to very much automate the infect, check pc for keywords/data types, spread, delete self routine and maybe hit every "connected" machine on earth in the same timescale. Maybe this script is also pretty smart and happens to go by the "Wiper" name?
-
Sunday 3rd June 2012 04:56 GMT Mephistro
Re: Kaspersky employee Aleks's blog on securelist is worth reading over
"that computer could relay the information from all the other computers to a hostile Bluetooth device planted near the installation by the security service"
Alternatively, it could be very handy for any secret service to have the ability to connect to and control mobile devices through Bluetooth, enabling them to use the phones as bugs or GPS trackers, or having them relay all their mails/SMSs to some server sieving the data, Echelon style, searching for certain keywords.
If a secret service is interested in any particular zone, they could install devices for slurping the data through the Bluetooth interface in nearby places with a high density of pedestrians (i.e. railway stations, public parks, hotels...) and then send said data to big DB servers that perform analysis on it.
I also want to stress the importance of the fact that the data stolen by the virus can be hand-picked and used to select the most interesting subjects and their most interesting contacts. With e-mail, chances are you need less than six hops to go from some beggar in the street to a member of a Government. And you don't need 1000 guys sieving the data manually to make this scheme work. A dozen guys (a much more manageable crew, in terms of security) could compromise thousands of 'interesting machines' in a few weeks.
-