Feeds

back to article Complex cyberwar tool 'Flame' found ALL OVER Middle East

A new super-cyberweapon targeting countries like Iran and Israel that has been knocking around in computers for two years has been discovered by researchers. "Flame", a highly sophisticated piece of malware, was unearthed by the International Telecommunication Union (ITU) and Kaspersky Lab, which said it was more complex and …

COMMENTS

This topic is closed for new posts.
Silver badge

Of Virtual Waters and Stormy Sees ...... The Great Game has New Fab Fabless Players?

Given the stealthy sophistication of the "well-coordinated, ongoing, state-run cyberespionage operation"* and its named targets/systems it is detected in [in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt*], is it more likely to be a Western state or an Eastern state intelligence service?

Or is to tar the likes of an NSA/GCHQ listening post or a Russian or Chinese operation with the responsibility, unhelpful and even subversive, as it would immediately shift global perception on the competence of nation states to defend themselves cyber intelligence wise against invisible and intangible attacks/squirmishes/sorties?

Interesting days ahead, methinks, ...... which will make a pleasant change from all of the usual sub-prime nonsense peddled to sustain dodgy markets and corrupt systems of administration.

* ..... from a Wired report on the ITU and Kaspersky Lab find.

4
6

Re: Of Virtual Waters and Stormy Sees ...... The Great Game has New Fab Fabless Players?

On the surface my bet would be the Chinese, they are not overly friendly with any country in the middle east, and this virus seem aimed at everyone in that part of the world. On the surface at least this virus seem design to gather intelligence in the region from all the major players, given the Chinese have relatively little to zero experience in this area of the world such an intelligence gathering campaign could be a prelude for the Chinese to take a greater role in this part of the world.

I am just speculating, Obama administration and elements within the US intelligence agencies do not trust the Israelis that much and I could see them spying on Israel, a country that has also be caught spying on America.

1
1

Not Chinese

I've been looking through the PDF from the Hungarians:

http://www.crysys.hu/skywiper/skywiper.pdf

I'm getting the distinct impression from the labels, filenames etc. used in the code that this is put together by native English speakers. Competent ones, at that.

1
0
Bronze badge
Black Helicopters

Re: Not Chinese

Actually, if you were state X and you were clever, it might be worthwhile to target yourself as well.

- misdirection ("see, it's not us")

- penetration testing of your own friendlies

And at some point it may become useful to "seed" the exe's contents with another country's language or mannerism.

Cool stuff, feels like Neuromancer coming to the real world. I think Gibson was already going on about Chinese hackware.

2
1
Anonymous Coward

Re: Not Chinese

"Actually, if you were state X and you were clever, it might be worthwhile to target yourself as well."

Nailed it. Clearly the Israelis are learning from previous attempts.

8
3
Thumb Up

Re: Not Chinese

Indeed. And if paranoid bosses are happy to snoop on office workers' email, imagine the lengths a paranoid, sociopathic militant dictator would go to.

"You Excellency, we have made the ultimate snooping device!"

"At last! Deploy it among our people immediately!"

0
1
Joke

Re: Not Chinese

Considering that there *is* *sum* many people from all over the world studying at universities in England and the US, it's no surprise that many of them speak English *good* and *deliciously*, *innit*.

0
0
Pint

There is a 4th option...

...a sponsor with a fetish for white cats, pools of pirhanas or sharks and under ground lairs.

Maybe once Daniel Craig gets back from floucing about with side projects, he can get started on unravelling this diabolical scheme.

Beer...because apparently Bond drinks Heinepuke instead of Vodka martini's these days.

2
1
Silver badge

Re: There is a 4th option...

I thought Levinson had already killed off Murdoch?

1
0
Bronze badge
Happy

I just want to know if those "audio conservations" are pectin-free.

4
0
Holmes

Illuminati? Fnord.

3
0
Anonymous Coward

"And now a removal tool is ready to be delivered."

What if it's just a massive game of social engineering?

Click here to install the 'FLAME Removal Tool' (really, trust us...).

LOL.

2
0
Anonymous Coward

UNPRECEDENTED SOPHISTICATION

Pull the other one. A worm using canned 'sploits with a bunch of statically-compiled libraries, that stores the data it swipes in a database. It's also 20mb big, too.

If any of these targets had any protection worth a damn (ie, a competent sysadmin, working IDS, antivirus that wasn't snakeoil), this wouldn't have been a problem for anyone. The fact that it's been circulating in the wild for at least half a decade is, truly, revolting.

"Unprecedented sophistication" my left cheek. Those two words are the sound of antivirus companies around the world backing up against the wall and pleading. Inept bureaucratic muppets who can't code crap, what a joke. As for Windows, which it targets, I have a NUMBER of comments to make about the "security" of the default installation, but I'll save that for another day.

All this is is another story of imbeciles preying on other imbeciles.

9
7

Re: UNPRECEDENTED SOPHISTICATION

half a decade?

0
0
Anonymous Coward

Re: UNPRECEDENTED SOPHISTICATION

Yeah, check out the Crysys report posted here. It's about the same malware. It's been circulating for 5 years at least.

0
0
Anonymous Coward

Re: UNPRECEDENTED SOPHISTICATION

How about we wait for the rest of the story to surface before rashly condemning it?

0
0
Anonymous Coward

Re: UNPRECEDENTED SOPHISTICATION

I too am incredibly clever. Much clever than all the people mentioned in this report. And all the other commenters. I have a NUMBER of IQ that is VERY BIG. And I post anonymously.

But I am very clever!

4
1
Anonymous Coward

Re: UNPRECEDENTED SOPHISTICATION

What's this, Windows isn't secure by default, you say?

I look forward to reading your NUMBER of comments exposing this previously-unknown weakness!

0
0
Linux

Which Os(s) are affected.....

I'm assuming its the usual suspect, i.e the one that Remond already gave the backdoor key out to various organistions.

There has never been a better time to run an opensource system.

6
2
Anonymous Coward

Re: Which Os(s) are affected.....

Don't be a tool. Everyone victimized in this situation was a moron, and no operating system or amount of audited code could have stopped them being victimized.

Given that, as far as can be ascertained, no exploits used here were 0-days, it's the fault of incompetent users and administrators. Incompetent developers play a part, too, but far less of a one in this particular case.

1
3
Devil

Re: Which Os(s) are affected.....

"I'm assuming its the usual suspect" ..

No, No, NO - it's one of Android Malware, Apple Malware or Banking Malware, didn't you get the memo ...

0
1
Anonymous Coward

Re: Which Os(s) are affected.....

you sir should never be allowed to run a system that must be highly secure.

A tailored attack can attack one of the many thousands (hundreds of I suppose depending on how many hundreds upon hundreds of updates you are behind?) vulnerabilities in both open and closed systems.

In order to be secure you have to have rigerous methods of system analysis ( a bare level of daily log checking for every world and internal facing system ), file change monitoring that automatically alerts on file change ( like ossec or trip wire ), those logs should go somewhere that is one way and preferably worm based to a degree. Everything should be upto date and well patched where possible, everything should follow a principle of minimum rights. Where possible everything should be isolated into its own instances (chroot and virtualisation.) That is of course the minimum for a secure system (secure being anything that deals with customer data) highly secure should go beyond that ( intrusion detection on the perimeter, change control, stict auditing)

I had a sales person for our shit managed service go "oh you don't have to worry about linux security" which for me was the final nail in their security coffin as it shows a complete lack of understanding for threats.

Any one in the enterprise that goes "linux is more secure" is pretty stupid. Sure in user space it's true, but in the enterprise it's just BS.

4
0
Thumb Up

Re: Which Os(s) are affected.....

Upvoted, and yes you are correct. These are not 'normal' virii and are unlikely to be delivered via 'normal' routes. I suspect a degree of observation and of social engineering takes places beforehand (old fashioned spying) to ensure delivery. There may even be collusion. I also doubt that any operating system would act as much of a safeguard against this this level of attack.

If anyone thinks that this infection is due to pure stupidity, they are naive and inexperienced. The infection may, at some point, have taken advantage of human fallibility, but thats not the same thing.

3
0
Silver badge

Potato / Potaaaaato (Re: Which Os(s) are affected.....)

"These are not 'normal' virii"

..and that is not a normal word - be careful with it as it is the source of many a pointless battle. That said, whether you favour vira, viri or viruses - with an 'i' or an 'ī' in the first vowel - you can pretty much bet against virii.

For an entertaining, interesting but not too in depth poke at this, you might want to have a butchers at

http://www.ofb.net/~jlm/virus.html

if you've not already... it's actually quite a good read - especially considering it's from a Perl-monger [0]

[0] Perl users should note this is too be interpreted in a 'humour' rather than scalar, or other, context.

1
1
Bronze badge
Linux

Re: Which Os(s) are affected.....

Given the amount of money some people will pay for backdoor access and the fact that attempts to backdoor Linux clearly have been made it's not necessarily the case that none have succeeded. The code snippet in the attempt shown linked above is sufficiently small and innocent looking at first glance, such that we can't be certain such attempts will inevitably be noticed. One factor in our favour is the fact that all Linux code changes are signed and tracked so the identity of the attacker, or the compromised contributer would probably become clear.

I'm also much more concerned about backdoors in Linux userspace code, especially things like Flashplayer which most users of desktop Linux use, but which can't be code audited other than by someone with a massive reverse engineering budget.

Unfortunately most of our systems are too complex these days for code visibility to carry the same levels of security protection this once gave. That said, someone wanting a genuinely hardened Linux system (e.g. based upon a specialist distribution such as Gentoo) would be starting in a better place than any Microsoft or Apple customer.

2
0

Re: Not Chinese

A country like Israel is going to have plenty of people within its own borders that it would like to spy on.

0
1

Re: Not Chinese

A bit like the UK then

1
0
Bronze badge

Re: Not Chinese

And almost every other state.

1
0
Silver badge
WTF?

The Kraken wakes?

the ITU? who woke them up?

1
0
Pint

How can I now flame Flame ? My flame-thrower is soo hot.

I could be codescending about Windows, about their caesar crypto, cheer their use of SQL. But I think I got the message. Its like this collision thing a few years ago.

Let's have a beer.

0
0
Silver badge

countries like Iran and Israel???

wtf?

one is a rogue state intent on genocide though nuclear war, and the other is iran.

7
8
Bronze badge

Re: countries like Iran and Israel???

"one is a rogue state intent on genocide though nuclear war, and the other is iran."

Israel has probably had nuclear weapons for about 25 years (maybe longer) but I missed reports that they had actually used any of them.

4
0
Anonymous Coward

Re: countries like Iran and Israel???

Hahaha... oh... I get it!! Is funny because JEWS SHOULD DIE?!

Is that you Borat?

2
3

Re: countries like Iran and Israel???

mate, I wouldn't even bother. he is just another ignorant troll.

2
3
Silver badge
Facepalm

Re: countries like Iran and Israel???

Naughtyhorse - don't you know you aren't allowed to make jokes involving Israel? The same people that arrested Paul Chambers will be round shortly to take your sense of humour away in no uncertain terms. The PC police have spoken.

1
0
Silver badge
Facepalm

Re: countries like Iran and Israel???

Apparently the modern state of Israel and the religion of Judaism are the same thing in some peoples' minds. These are usually the same people who view any negative comment about the religion, justified or otherwise, as being anti-semitic (try having a discussion about the morality of circumcising a child without it coming up). This means it's impossible to criticise the actions of the state without appearing in their eyes as a jackboot wearing far right bigot.

1
0
Stop

Here's what I never understood

It's one thing to have malware infecting a 'domestic' PC - home users, non-security-critical businesses etc. And I can see how the malware would be introduced, by some doofus with a USB drive. But surely machines in sensitive environments have a limited number of ways to report back to their controller...and all those routes are through closely-monitored choke points? For example, getting outbound http or dns requires you to go through particular servers, and the bofhs watch those like hawks looking for deviations from the norm. "Hmm, 200 queries for 432rewfds.weirdo.com today. Sounds fishy."

What am I missing?

3
0

This post has been deleted by its author

Facepalm

Re: Here's what I never understood

Human nature aka human stupidity.

0
0
Bronze badge
Boffin

@KingZongo Re: Here's what I never understood

'getting outbound http or dns requires you to go through particular servers, and the bofhs watch those like hawks looking for deviations from the norm. "Hmm, 200 queries for 432rewfds.weirdo.com today. Sounds fishy."

What am I missing?'

You're overestimating the budget such places spend on BOFHs. Watching network packets is as boring as watching CCTV cameras, and both activities tend to have sleep inducing effects upon those so tasked.

Those who want to spend good money on securing highly sensitive computing environments are more likely to employ techniques such as Ranum's ultimate firewall than an army of BOFH's inspecting network packets.

0
1
Silver badge

Welcome to AIBeta Man Management Operations .....

..... with Illuminating News of Enlightened Perception for Delivery of Alternate Realities*

It is an inescapable undeniable fact, which is and/or can also be a quite fabulous novel fiction, that one cannot defend nor provide defence against virtually invisible and intangible enemies and SMARTR Trojans ...... such as spooky Stuxnet Flames ...... unless one can provide stealthily launched attacks with them, plausibly deniable as a preposterous suggestion?

* .... aka Virtual Reality in Live Operational Virtual Environment Fields of Greater Great Game Play with Future Builders. And quite definitely not an almost perfect Bilderberger tool and preposterous suggestion to be plausibly denied. Well, not presently anyway, but who knows what the future will bring.

Human nature aka human stupidity. ..... Peter Galbavy posted Tuesday 29th May 2012 01:26 GMT

Ah, yes .... an infinite source of power for control with thought control, but not a new observation and facility, PG, for does not Einstein undoubtedly agree with you that it is natural? ......... "Two things are infinite: the universe and human stupidity; and I'm not even sure about the universe."~~ Albert Einstein (1879-1955)

2
2
Bronze badge

Not Chinese?

If the CrySyS report is to be believed: Mostly re-appropriated open source code that they aren't using quite right, lots of random bloat, debug information left intact (wtf?), proprietary variants of well known algorithms that don't quite work right. Same process injected with the same module six(!) times. Looks just like the code our Asian devs send over daily.

Somebody did a touch up on the English. I guess they couldn't find a way to use Chinese function names but assure the reader that they're to be read with a Taiwanese accent.

2
0
Bronze badge
Unhappy

So which operating systems were affected?

I have read this article, Slashdot's and Wired's and read the Kaspersky thread. I would have thought at least one report would contain the useful information that it has hit Windows machines, or that it has hit both Windows and Linux machines.

Or was it just Apple's carte that was upset?

And if it was on the Minister of Oil's computers it must have been on their server. So what are they running?

It can't be Windows 2000 because even a backward state like Great Britain is now using XP.

0
1

Er?

Flame appears to be a perfectly normal piece of Lua software

http://webcache.googleusercontent.com/search?q=cache:1AN7HX2o45oJ:wiki.martin.lncc.br/instalacao-flame-en&hl=en&gl=uk&prmd=imvns&strip=1

Google cache as sited hosed...

0
0
Silver badge
Flame

I have nothing to add

I just noticed that no one has used the "flame" icon.

That is all.

0
0
This topic is closed for new posts.