Source code smoking gun links Stuxnet AND Flame

A direct link exists between the infamous uranium enrichment sabotage worm Stuxnet and the newly uncovered Flame mega-malware, researchers have claimed. Russian virus protection outfit Kaspersky Lab said in a blog post yesterday that although two separate teams worked on Stuxnet and Flame, the viruses' programmers "cooperated …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    So is the US going to pay for some new centrifuges? I don't see how this is any different from blowing them up with bombs (assuming nobody was inside).

    Pretty sure you need congressional approval for that kind of thing (or UN approval if you listen to some American generals).

    1. DrXym

      Sounds to me like the US did the smart thing here, sabotaging Iran's enrichment program and setting it back a year or more without provoking the sort of international outrage and condemnation that would have followed if they and/or Israel had dropped bombs on the place.

      1. Destroy All Monsters

        Orientalists creeping out of the woodwork, fellating President Bomborama

        Here is a heads-up

        0) Iran is still in good standing regarding their nuclear ambitions and all the top brass, even the military and intelligence ones, say that serious action towards building nukes stopped in 2003 and hasn't continued since then. The fact that politicians disagree is neither here nor there as these are sociopaths without morals who will kill anyone for a longer stint at their taxpayer-provided desk.

        1) Iran is not contravening any international treaty whatsoever in running their centrifuges. Indeed, they are adhering to the NPT which certain other countries haven't even signed.

        2) Iranian religious authorities consider building nukes as morally reprehensible and issued a fatwa along those lines. How serious can you get?

        2) Attacking some country because one feels like it and because it can be done is generally followed by war crimes trials and ropes hanging from rafters, mmmokay?

        3) Indeed even threatening it with the usual "options on the table" bull is right out as per the UN charter.

        4) So is killing random people on the streets of Tehran by gun or sticky bomb.

        5) Cyber-attacking is also a no-no. Remember our western geniuses saying "act of war" about that kind of retardation?

        1. Jello

          Re: Orientalists creeping out of the woodwork, fellating President Bomborama

          +1 from me, purely because your numerical list is zero indexed :)

        2. DrXym

          Re: Orientalists creeping out of the woodwork, fellating President Bomborama

          I didn't say it was right they did it, just that it was smart. And given the success of the attack and the damage, it was highly successful too. I also don't buy the BS that Iran aren't processing rods for weapons development either. Israel has a bomb, Pakistan has a bomb, the US / UK have a bomb. It is clearly of massive importance to Iran to obtain a bomb if only for their own self defence or regional influence and some fatwa to the contrary shouldn't fool anybody.

        3. Spoonsinger

          Re: Orientalists creeping out of the woodwork, fellating President Bomborama

          1) Really?

          2) Good point

          3) Perks of being the victor (you have to give the grunts something to do)

          4) Most of the UN-sanctioned wars since the late 1940s have been done because one country or another has abstained.

          5) Not sure about that, (links? etc)

          6) Yep, according to the US, cyber attacks are an act of war. However, they don't seem to realize that it's exactly the same as the old MAD-based stuff when they commit the offense. (Dumb-arsed arts-student-type politicians.)

        4. streaky

          @Destroy All Monsters

          1) Well, they are, but whatever, nobody could care about their civilian program.

          0 + 1) Erm, Arak?

          2) Okay, so it must be true then, let's all go home and leave Iran to it. I believe them.

          2 AKA 2.5 maybe?) Nobody attacked anybody yet.

          4) Because Iran has never and would never do anything like that (despite overwhelming evidence to the contrary).

          5) Whut?

      2. Tom 7

        The smart thing

        giving Iran some of the most powerful malware ever written?

        They must hate MS as much as the freetards.

    2. mark 63

      @ac 11.51

      "So is the US going to pay for some new centrifuges? I don't see how this is any different from blowing them up with bombs (assuming nobody was inside)."

      The US don't generally compensate their military targets; it kind of defeats the object.

  2. NoneSuch

    Did anyone actually doubt there was a link?

    1. Tim Parker

      Re: Did anyone actually doubt there was a link?

      According to John Leyden, the "'Super-powerful' Flame worm actually boring BLOATWARE" (although he does then seem to go on and agree with most of what was actually said at the time). His critique does seem to indicate he doesn't (or didn't) see much of a link (which may be slight at best, perhaps just the module re-use, we just don't know).

      Kaspersky Labs have a habit of fanning the flames (to be kind to them), but it doesn't necessarily mean they're always wrong.

      1. streaky

        @Tim Parker

        "Kaspersky Labs have a habit of fanning the flames (to be kind to them), but it doesn't necessarily mean they're always wrong."

        But they refuse to provide proof at every turn. Any idiot can make assumptions. It's also provably the case that Flame was directed at western computer systems and was for corporate espionage. To be honest I've got two countries listed in my head and one of them sold Iran their kit in the first place and would have good cause to start back-pedalling.

        As has been pointed out quite often, Flame is a monstrosity that could be written by basically anybody and Stuxnet could have been written by... basically anybody too. But no, we've decided it's the US govt because why?

        Don't get me wrong, I'm sure the US govt has its programs for this sort of thing, but all the Stuxnet code I've seen (which is most of it, reverse-engineered) is somewhat unimpressive.

        1. Anonymous Coward

          Re: @Tim Parker

          Ah yes, 'here you are everybody, this is the whole assembly reverse engineered so that you can redesign it and attack the target of your choice'. Riiiiiiiiiiiiiiiiiiiiiight.

          1. streaky

            Re: @Tim Parker

            What? It's not hard to reverse engineer code you know..

  3. Zaphod.Beeblebrox

    "sounds an awful lot like a James Bond mission gone wrong"

    After better than two years without detection this sounds more like "We've known this would happen someday, time to go boys. Form an orderly queue, the bus is waiting outside."

    1. Anonymous Coward

      More likely they have the replacement for this one either ready to go or already in place. They know it's a matter of time before it's discovered and lay out plans ready :)

      I'm more interested in these unknown vulnerabilities they used. Do they have a team of elite hackers searching for vulnerabilities, or do they purchase them on the black market, or do they just pay a guy who works at MS to take care of it?

      I've never believed the stories of CIA backdoors added in by MS, but a CIA operative working undercover at MS adding the odd vulnerability and letting the boss at Langley know? That's actually pretty plausible, and would explain the rumours.

      1. Anonymous Coward

        Why stop at undercover CIA?

        1. Anonymous Coward

          Well, look at it this way. You're the head of a foreign intelligence service, employing lots of spies. Many of your targets run large Windows networks. A coder working at MS in your pocket would certainly be a valuable asset, wouldn't it?

          So I wouldn't be at all surprised if there's a whole bunch of people working for somebody other than their actual employer at MS, Google, Apple, Oracle, etc. It would be pretty surprising if there wasn't!

          Tin foil hat firmly in place here - but you seriously need it when dealing with the spy services.

      2. Uncle Slacky

        If they depend on Windows...

        ...then it's another good reason not to use it, I'd've thought...

        1. Anonymous Coward

          Re: If they depend on Windows...

          And you have checked the Linux code base and all those tools you use on it?

          Me neither :(

          1. eulampios

            Re: If they depend on Windows...

            Can Flame work on Linux? Do you know any other (esp. self-replicating) malware in the wild in the last 5 years that works on GNU/Linux? I don't either.

            1. Anonymous Coward

              Re: If they depend on Windows...

              Of course Windows malware will not work on Linux.

              But are you confident that none of the Linux software you run has been compromised at the source and does naughty things?

              Just 'cos you get it from Ubuntu does not make it safe.

  4. Arachnoid

    On the other hand if a certain agency discovered one or other of the devices and incorporated part of it in their own device as a quick fix then that could be misconstrued could it not?

  5. Anonymous Coward

    Yes yes yes, but what future patent of Apple's does this break :).

    But anything that is not hand crafted at machine code level will have similarities to other bits of code, overheads of compilers, go figure. Could have (C) USA all over it with the author's name and office location in both bits of code, still proves nothing beyond reasonable doubt.

    1. Tim Parker

      @PXG

      "Could have (C) USA all over it with the author's name and office location in both bits of code, still proves nothing beyond reasonable doubt."

      I think the traditional concept of 'reasonable doubt' being a defense plays little role in the real-world games that people who use, or retaliate against, such things are involved in.

  6. Joeman

    Two Years Undetected??

    So how do Kaspersky Labs explain that the virus went undetected for two years? Are they saying that their AV products couldn't detect the spread of the malware? Bad PR for Kaspersky...

    1. Surreal

      Re: Two Years Undetected??

      I hope you haven't believed that "Antivirus" was any protection against new malware. Shockingly, I have a security analogy not based on cars:

      Antivirus is like posting Wanted Posters for criminals. Officer Kaspersky spies a known felon, and nabs him! The wanted posters are useless against Thugston J. Never-Arrested (0-day).

      So, no. AV products don't detect the spread of malware. That's a job for an integrity monitor, but those are a royal pain to maintain and the AV money just keeps rollin' in, so why bother?

    2. Anonymous Coward

      It is not PR

      Kaspersky isn't bragging; the F-Secure boss wrote an article on Wired to explain how the security industry feels about these threats.

      These guys have been in PC security for decades and I haven't seen them shocked that much. This was never about PR; you don't advertise by openly saying you missed a virus for 2 years.

      "Why Antivirus Companies Like Mine Failed to Catch Flame..."

      http://www.wired.com/threatlevel/2012/06/internet-security-fail/

    3. Al_21

      Re: Two Years Undetected??

      Collective intelligence using the 'cloud' - maybe a log of all hashes and potentially countries it's been found in.
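The contrast drawn in Surreal's post (wanted posters versus an integrity monitor) and Al_21's suggestion of logging hashes, as an added example that is not from the thread or from any AV vendor: a signature scan only matches hashes already on the known-bad list, while a hash baseline reports every added, changed or removed file, known or not. The host snapshots and the known-bad hash below are constructed.

```python
import hashlib

# Constructed in-memory snapshots of a host (path -> file content);
# stand-ins for a real filesystem walk so the example runs offline.
BASELINE_FILES = {
    "/usr/bin/login": b"login v1 binary",
    "/etc/rc.local": b"#!/bin/sh\nexit 0\n",
    "/usr/lib/libc.so": b"libc v1",
}
CURRENT_FILES = {
    "/usr/bin/login": b"login v1 binary",                # unchanged
    "/etc/rc.local": b"#!/bin/sh\n/tmp/.x &\nexit 0\n",  # startup entry appended
    "/usr/lib/libc.so": b"libc v1 with extra code",      # library silently replaced
    "/tmp/.x": b"dropped sample",                        # new file
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "wanted posters": hashes of samples already seen by a vendor (constructed).
KNOWN_BAD_HASHES = {sha256_hex(b"dropped sample")}


def signature_scan(files, known_bad):
    """Signature-style detection: report only files whose hash is already known bad."""
    return sorted(p for p, data in files.items() if sha256_hex(data) in known_bad)


def build_baseline(files):
    """Record one hash per path while the host is in a trusted state."""
    return {p: sha256_hex(data) for p, data in files.items()}


def integrity_check(baseline, files):
    """Integrity-monitor style: any deviation from the baseline is reported,
    whether or not the new content has ever been seen before."""
    current = build_baseline(files)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    print("signature hits:", signature_scan(CURRENT_FILES, KNOWN_BAD_HASHES))
    print("integrity deviations:", integrity_check(build_baseline(BASELINE_FILES), CURRENT_FILES))
```

The signature scan sees only /tmp/.x, while the baseline comparison also surfaces the altered rc.local and libc.so; in practice the baseline has to be stored or signed off-host, since anything that can rewrite the files can rewrite a local baseline too.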

  7. Alan Brown

    Heuristics

    A lot of AV these days uses heuristics to pick up suspicious behaviour. The authors have widely agreed that tagging only known stuff is whackamole.

    The single biggest problem is lack of oversight. It appears it's not just the US military who forgot about sneakernet as a viable means of security leak (obBradleyManning reference there).

    Even more important than this wee scandal is the issue of virus-infested logistics systems contributing to the death of the folks on the Spanair flight which crashed a couple of years ago. THAT particular issue seems to have fallen right off the radar.

    1. Ilgaz

      Re: Heuristics

      What if the virus politely knocked on the door to see if there are any clever guards in the PC? I use a commercial antivirus and there is no way you can add your stuff to startup out of nowhere (e.g. system idling).

      I bet they also do some kind of early "check" to see if the system is capable of heuristics.

  8. Paul Hovnanian

    "A lot of AV these days uses heuristics to pick up suspicious behaviour. The authors have widely agreed that tagging only known stuff is whackamole."

    Which will work against virii that attack any system they are installed on. But for those that target specific installations, or don't hog resources on systems they inhabit, they could be difficult to detect.

    Stuxnet could have been caught sooner by anyone running PCs connected to Siemens PLCs running uranium-enriching centrifuges. On any other machine, the virus lays low, possibly propagating itself to USB media or over the 'Net.

  9. JeffyPooh

    Headline: "Source code..." and Kaspersky Lab

    Headline indicates that Kaspersky Lab has access to the source code. ???

    Kaspersky also seem to know quite a bit about exactly what happened and when, right down to what the malware authors had for lunch and the brand of vodka they used to wash it down.

    Hmmmm... ;-)

    1. Ilgaz

      Re: Headline: "Source code..." and Kaspersky Lab

      I know you are joking but the task they try to accomplish is really insane.

      They will disassemble that gigantic piece of evil genius team's code, hex by hex, and will try to figure out what the hell it really does/did and is capable of.

      They have clearly noticed a pattern in a module, that is all. Nobody, except some guys in a secret underground silo/data center, has access to the real source code. Or, based on their style, it could be in an internet cafe in the middle of nowhere. The genius trick is, it didn't really try to hide in the first place, so heuristics failed miserably.

  10. thomaskwscott
    Paris Hilton

    Declaring War

    I cannot believe that after recently declaring cyber attacks as "Acts of War" a nation would interfere by partnering with a country that already has massive tensions with Iran to deliver its own attack. We are lucky Iran is taking a sensible approach to this as it is well within its rights to consider itself at war and launch counter attacks (cyber or real) of its own.

    Paris because even she's not dumb enough to pull this one.

  11. Tony Paulazzo

    >The fact that politicians disagree is neither here nor there as these are sociopaths without morals who will kill anyone for a longer stint at their taxpayer-provided desk.<

    Love IT!

