
Comments on the article: Super-powerful Flame worm could take YEARS to dissect

The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse. Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have …

COMMENTS

This topic is closed for new posts.
Bronze badge
FAIL

Years to dissect? Really?

When hacker teams have keygens and network blocking solutions for the bloatware giant Adobe Master Collection 6 within 24 hours of its public release, the security firms really think that it would take years to dissect this? It would seem that reverse engineering, decompiling and debugging have changed a lot since my time ...

1
15

Re: Years to dissect? Really?

It takes a lot longer to fully analyse a piece of software than it does to look for the places where the DRM is checked and change them.

It's weird to have to point that out on this website, though.

15
2
Boffin

Re: Years to dissect? Really?

Bloatware is easy to dissect, especially if all you're doing is keygen, no-cd, or other such tasks. You don't even have to know what a program does to be able to find its key-checking algorithm.

If you want to know every detail, however, you'll need to analyze every byte of code; you can't gloss over anything. And well-obfuscated code can be a twisted mess, too; Adobe doesn't spend a majority of its time making sure no one can read a single line of code.

8
0
Silver badge

Re: Years to dissect? Really?

"Adobe doesn't spend a majority of its time making sure no one can read a single line of code."

I dunno; it would explain a lot.

9
0

Re: Years to dissect? Really?

Still, anything interesting involves API calls. You can track 'em just as easily. I know how disassembling and reverse engineering works first hand, so years is highly overstated.

I bet there is no motivation most of all.

1
1
Silver badge
WTF?

Re: Years to dissect? Really?

Ok, so maybe you could do it and grab the glory. After all if it's going to take years and you can knock it up in a couple of hours, you'd easily command a very well paid job.

Look forward to your posting next week, when you have cracked it.

4
2

Re: Years to dissect? Really?

I understand the point that you are making, in that syscalls/Win32 calls have a fairly distinct appearance in the disassembled output of a native binary.

However, there is no requirement for a malware author to use the APIs for the intended purpose, meaning taking the API/syscall signatures at face value is unlikely to be helpful.

Suppose you have large volumes of logic in a scripting language that you can generate at runtime; then your native app is just a host with the Lua generator seeds + interpreter.

Also, what happens if all your interesting native code is application layer, and the API calls are just false flags?

What does this do? (This is from the IOCCC, so give it a punt before you look up the answer.)

#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#undef D
#undef E
#undef U
#ifndef C
#define I int n,r;
#define D(N) void*N(void*);
#define C pthread_create
#define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\
='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}
#define U int
#elif ! defined J
#define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"
#define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={
#define U };
#define D(N) N,
#define L return fwrite("\1\t\0;",1,4,stdout)!=4;
#define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)
#define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K
#else
#define T pthread_t
#define E char B[8][256];
#define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}
#define D(N) void *N(void *y) {\
static I char *x=y;\
T t=0;\
if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\
if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\
n++;\
if(*x) N(x+1);\
if(t) pthread_join(t,&y);\
return y;\
}
#endif
E

/* ____ END OF CODE __ */

Not trying to be difficult, but I'm not any sort of expert in the domain, and I reckon I'm aware of quite a few techniques to make it difficult to determine the intent.

A simple stream cipher + interpreter + randomized memory locations should slow most people down for long enough to collect the paycheck and move on to the next gig.

Imagine what tricks you might know if this was your domain. I fully expect that there are techniques for this kind of thing that make my feeble imaginings look rather old hat, but hey, it's not my domain.

Just some food for thought,

Sed

0
0

Re: Years to dissect? Really?

- didn't paste all the code..

#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#undef D
#undef E
#undef U
#ifndef C
#define I int n,r;
#define D(N) void*N(void*);
#define C pthread_create
#define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\
='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}
#define U int
#elif ! defined J
#define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"
#define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={
#define U };
#define D(N) N,
#define L return fwrite("\1\t\0;",1,4,stdout)!=4;
#define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)
#define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K
#else
#define T pthread_t
#define E char B[8][256];
#define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}
#define D(N) void *N(void *y) {\
static I char *x=y;\
T t=0;\
if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\
if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\
n++;\
if(*x) N(x+1);\
if(t) pthread_join(t,&y);\
return y;\
}
#endif
E
D(bdefhklmnprtuvwxyz57)
D(bcdefgiopqrstz23567890K)
D(abcdefgjopqrstz123567890K)
D(cefghkoqstz23457890K)
D(mntuvwxyz7)
D(bcdefghklmnopqrsuvw256890K)
D(aimnxy1)
D(jkt14)
D(abdhmprxyz0)
D(mnoquvw237890K)
D(abcdefghklmnopqruvw560K)
D(befhikprs45689MK)
D(befghjmnqprstwxyz156890MK)
D(dghs234789M)
D(amnoquvw90K)
D(abcdefghjklmnopqruw4680K)
D(aivxz40PK)
D(ajkrtwy1247PK)
D(abdghnqvx456K)
D(amnosuw34890K)
D(abdefhklmnprxz25_)
D(bcdegijloqsuwz12356890_PK)
D(bcdegloqstuvyz123567890_PK)
D(cehklorsuwz1234890_K)
D(amnqxz2_K)
U
#ifndef T
#include __FILE__
#endif

0
0
Silver badge

Re: Years to dissect? Really?

Did you just call me a cunt?

0
0
Anonymous Coward

FOI request

How many people were employed by the US government in the development of the Stuxnet programming project?

2
6
Silver badge
Big Brother

Re: FOI request

You will never know. The black budget is currently at USD 50 billion YEARLY. You can put a few excellent developers into the small interstices, then buy them a nice, large house on the coast so that they STFU.

Then one day, an old bartender starts talking to you about this programming project...

3
1
Silver badge

Re: FOI request

Just in case casual readers dismiss you as a "conspiracy theorist", the figure of $50bn for black projects is the total amount spent by the Department of Defence on projects they list as Classified. I.e. they won't tell you where the money goes. The $50bn figure is for the year 2010.

The USA spends *a lot* of money on things it doesn't disclose to the public.

2
1
Anonymous Coward

@h4rm0ny

Sadly, in a budget the size of the US government, $50bn doesn't even make it to the category of "rounding error." And knowing some folk who work in the defense industry, $50bn doesn't actually go as far as you might think when it starts to involve hardware, which it certainly will. As in, one of my low levels friends (not involved in the spook-like classified activities, just protection of force ones) doesn't even spend serious time thinking about expenditures below $1 million.

0
0
Anonymous Coward

Still microsoft windows is #1

At least this is free, and in that, compared to Windows, it is really very primitive in design. Windows is still number #1 and has done so using the box/shop exploit where they get their victim to do all the hard work and pay for the privilege.

Any virus or malware that does not use double-entry code and hidden op-codes etc. is badly written.

Anon or my graphics card operating system might be called a virus like some network card OS was recently :=]

0
15
Anonymous Coward

Re: Still microsoft windows is #1

Funny that, I was just thinking the same, especially in the light of the gazillion patches it downloads every day and the Windows *cough* "Advantage" data going the other way; nobody would notice a data extraction. The problem was that I could not see Microsoft (a) code anything that works and (b) keep it under 1GB, let alone 20MB - they haven't been forced to demonstrate tight compiling since they got rid of Borland.

Next candidate who doesn't see privacy as a barrier: Google OS? Maybe the Chinese gave them an idea (which would also neatly count as a reverse rip off).

Just musing probabilities. On account of the probable funding, required secrecy and total disregard for any applicable legal barriers you'd almost immediately think US - also because of where it has been found so far..

2
1

Lua?

Could it be simply because they don't know Lua?

I'm not surprised that Angry Birds uses lua as it's quite popular within gaming circles

0
4
Anonymous Coward

Re: "Could it be simply because they don't know Lua?"

Oh please, give them some credit. Why is it that the default position of reg commenters is 'assume the subjects of the article are complete idiots'?

Shoehorning 'angry birds' into the article seems a rather lame bit of attention grabbing, too. As Mr Mount observed, lua use is widespread these days, if only because there aren't a whole lot of fast, simple, small languages intended for embedding within a larger application.

5
2
Anonymous Coward

Re: Lua?

The Lua interpreter has a few things going for it when choosing something to execute your business logic: it's free, open source, lightweight when compiled and is designed to be statically linked from a C program so it's self-contained.

If you want to deploy something that is [relatively] complex, and retain the ability to quickly modify its behaviour significantly in the field, then Lua is a natural fit. Much more so than either compiled languages or Python, Ruby, Java, etc.

2
1
Silver badge
Holmes

Re: "Could it be simply because they don't know Lua?"

Oh please, give them some credit.

I think it's a reasonable remark.

The article also notes that the worm uses the "open source" libz library. Wow, apart from the fact that I think this is usually referred to as zlib though I don't want to get in a willy-waving competition about open source libraries, what the fuck does it matter that it's an open source library? Or that SQLite is being used for persistence? Implementation - the libraries used - shouldn't be confused with design - encrypted and compressed communication.

1
1

Re: "Could it be simply because they don't know Lua?"

Not really; even if you have never seen a piece of Lua code before, the syntax is so beautifully clear and simple that any half-skilled programmer could work out what was going on.

0
0
Anonymous Coward

Re: "Could it be simply because they don't know Lua?"

Or maybe not everyone is a programmer?

If I started spouting off about q931, qsig, DPNSS, SS7 and g711, you would of course know these are pretty standard terms in the telecoms world, wouldn't you?

0
0
Joke

lazy team refuses to reinvent the wheel

"it uses various open-source libraries including libz for compression; it is spread out over several files rather than as one executable; and most unusually it uses a database managed by the SQLite library."

Well, I guess someone finally discovered a use for open source software.

1
1
Silver badge
Joke

zlib and SQLite, huh?

They didn't use any software under the GNU license, so no obligation to share code. Well done.

11
0
Joke

Re: zlib and SQLite, huh?

In Soviet Russia, code shares you!

5
0
Boffin

Probably self morphing and remote controlled

If they have been really smart, the antivirus folks will forever be playing catch up, while the perps keep changing the only unencrypted bits of it the AV signatures can algorithmically detect. Maybe that's why they are using Lua, so they can more easily remote control installed instances to change the bits conforming to the AV signatures as and when it suits those operating these instances.

Sounds like getting rid of this thing for good may well involve backing up any known good data which doesn't contain executable content, wiping the rest and reinstalling from still trusted sources and media. I doubt many Windows lusers have that capability.

I always thought trying to keep a system secure by avoiding blacklisted software was a bad idea. Better only to execute whitelisted software if it really matters.

0
1
WTF?

Years to dissect?

This is rather technically comprehensive...

http://go.eset.com/us/threat-center/encyclopedia/threats/flame/

0
0
FAIL

Re: Years to dissect?

Also, the Iran CERT team's remover; pick it up from here:

http://i.haymarket.net.au/News/Remover.rar

Dissect the remover, and then you get how it removes it :-) SIMPLES!

0
0
Silver badge
Paris Hilton

Re: Years to dissect?

That sounds like something hanging around on Amigas. You sure that's the right target?

0
0
Stop

Dissection already performed...

http://certcc.ir/index.php?name=news&file=article&sid=1894

From the CERT team themselves:

Table 1: Infection Components

Content                  Name & Path
Registry key existence   HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages -> mssecmgr.ocx
Malware binaries         windows\system32\mssecmgr.ocx
                         Windows\System32\ccalc32.sys
                         Windows\System32\msglu32.ocx
                         Windows\System32\boot32drv.sys
                         Windows\System32\nteps32.ocx
                         Windows\System32\advnetcfg.ocx
                         Windows\System32\soapr32.ocx

0
2
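A host check for the indicators in the CERT table above, as an added example (not from the CERT report or from anyone in this thread). It assumes the Lsa key lives under the HKLM\SYSTEM hive, which the table omits, and it takes the "Authentication Packages" value as a list so the logic can be exercised off a Windows host.

```python
import os
import sys

# File names from the CERT table, relative to the Windows directory.
FLAME_FILES = [
    r"System32\mssecmgr.ocx",
    r"System32\ccalc32.sys",
    r"System32\msglu32.ocx",
    r"System32\boot32drv.sys",
    r"System32\nteps32.ocx",
    r"System32\advnetcfg.ocx",
    r"System32\soapr32.ocx",
]
# The persistence indicator: Flame registers itself as an LSA authentication package.
AUTH_PKG_INDICATOR = "mssecmgr.ocx"


def check_indicators(windows_dir, auth_packages, exists=os.path.isfile):
    """Return which listed files exist under windows_dir and whether the
    Authentication Packages value (REG_MULTI_SZ, passed as a list of strings)
    references mssecmgr.ocx. `exists` is injectable so the check can be tested
    without touching a real file system."""
    present = [f for f in FLAME_FILES if exists(os.path.join(windows_dir, f))]
    # Compare on the base name: the value may hold a bare name or a full path.
    lsa_hit = any(
        p.strip().lower().replace("\\", "/").rsplit("/", 1)[-1] == AUTH_PKG_INDICATOR
        for p in auth_packages
    )
    return {"files": present, "lsa_persistence": lsa_hit,
            "suspicious": lsa_hit or bool(present)}


def read_auth_packages():
    """Read the LSA value on a Windows host. Assumed key location (the CERT
    table omits the hive): HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa."""
    import winreg  # Windows-only module, imported lazily on purpose
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Lsa")
    value, _ = winreg.QueryValueEx(key, "Authentication Packages")
    return list(value)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being checked")
    result = check_indicators(os.environ.get("SystemRoot", r"C:\Windows"),
                              read_auth_packages())
    print(result)
```

A hit on either indicator is worth a full image rather than just deleting the files, since the LSA registration reloads the component at boot.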

Re: Dissection already performed...

They mean full disassembly, how it actually works. Those are just the modules files.

2
0
Silver badge
Linux

Re: Dissection already performed...

I can't find any of those files on my Linux system. Should I be worried?

6
6
Anonymous Coward

Yes, definitely. It's now certainly not Windows compatible, so the suits upstairs will be with you shortly.

Speaking of which, I feel left out. They promised Macs would become as vulnerable as Windows (a fact I heard played back by a Microsoft rep a few days ago - until I asked him to quantify the number of separate malware strands for each platform), so where is my copy?

Anyone heard of malware for Google OS yet? Or has it remained too insignificant to bother? Or IS that actually Flame in user-friendly mode (given the propensities and known NSA links of the company in question)?

0
1

Re: Dissection already performed...

Better wish these black hat evil geniuses don't eye Linux for their next project.

0
0
Silver badge
WTF?

Windows ...

the best advertisement for Linux.

3
3
Silver badge

20 meg malware "threat" in the field for 2 years, undetected.

Does nobody actually understand system security anymore?

I weep.

0
2
Boffin

Re: 20 meg malware "threat" in the field for 2 years, undetected.

"Does nobody actually understand system security anymore?"

Those who understand security execute only trusted executables and use software distribution and installation systems involving cryptographic chains of trust identifying all the engineers who have signed all executables installed as checked and verified. On larger general purpose systems we have to take calculated risks, of the kind: "has the team engineering this closed source component of my otherwise open source system used as a device driver or media player been nobbled, or is there a zero day in this or some other component known to someone who wants to attack this system but not the engineer who signed it?" On smaller security-purposed systems we have to ask the same questions but have a better chance of answering them. We keep these differently purposed systems sandboxed from each other.

I don't think anyone who genuinely understands systems security has been highly reliant on popular software used for scanning and detection of blacklisted executables for many years. If blacklisted or not yet blacklisted executables can be installed onto your system and executed, you either don't yet properly understand, or don't yet really care about security.

2
0
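The default-deny model PyLETS describes, reduced to its core as an added example (not code from anyone in the thread): executables run only if their hash is in a manifest, and the manifest itself is authenticated before it is trusted. An HMAC under an assumed shared key stands in for the publisher signature chain, and all binaries and names below are constructed for the demo.

```python
import hashlib
import hmac
import json

MANIFEST_KEY = b"demo-manifest-key"  # constructed; a real deployment verifies a publisher signature


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(entries: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Wrap {name: sha256} in an authenticated envelope (stands in for a release signature)."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"body": body.decode(), "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(envelope: dict, key: bytes = MANIFEST_KEY) -> bool:
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["mac"])


def load_manifest(envelope: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Refuse an unauthenticated manifest: a tampered allow-list protects nothing."""
    if not manifest_is_authentic(envelope, key):
        raise ValueError("manifest authentication failed")
    return json.loads(envelope["body"])


def classify(executables: dict, manifest: dict) -> dict:
    """Default-deny verdict per executable: 'allowed' only when its hash matches
    the manifest; 'unlisted' is the Flame case (a component nobody vouched for),
    'modified' a vetted binary whose contents changed."""
    verdicts = {}
    for name, content in executables.items():
        if name not in manifest:
            verdicts[name] = "unlisted"
        elif hmac.compare_digest(sha256(content), manifest[name]):
            verdicts[name] = "allowed"
        else:
            verdicts[name] = "modified"
    return verdicts


def demo() -> dict:
    # Constructed "installed executables": two vetted, one altered, one unknown.
    good = {"calc.exe": b"MZ calc v1", "notepad.exe": b"MZ notepad v1"}
    envelope = sign_manifest({n: sha256(c) for n, c in good.items()})
    installed = dict(good)
    installed["notepad.exe"] = b"MZ notepad v1 + patched"
    installed["mssecmgr.ocx"] = b"MZ something nobody signed"
    return classify(installed, load_manifest(envelope))


if __name__ == "__main__":
    print(demo())
```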
Silver badge

@PyLETS (was: Re: 20 meg malware "threat" in the field for 2 years, undetected.)

That's nice, PyLETS.

I don't think you really understand my question.

I weep.

0
3

This could be reason of fear

This thing seems to bypass every single heuristic detection on systems that have proper security software. Or, it pre-checked the system setup without raising alarm bells and didn't infect the ones which will check things like "startup items added out of nowhere" heuristics.

Analysts seem a bit confused about the complexity.

0
0

Re: @PyLETS (was: 20 meg malware "threat" in the field for 2 years, undetected.)

Hey Jake,

Perhaps you could elucidate further.

Sed

0
0
Silver badge

Re: @PyLETS (was: 20 meg malware "threat" in the field for 2 years, undetected.)

"Does nobody actually understand system security anymore?"

Yes.

Poorly framed question in my opinion.

0
0
Anonymous Coward

Re: @jake (was: 20 meg malware "threat" in the field for 2 years, undetected.)

Sorry Jake - you didn't understand (or chose to ignore) his answer

0
0
Silver badge

Re: @jake (was: 20 meg malware "threat" in the field for 2 years, undetected.)

My point is that the "threat" is/was 20 megs in size. And nobody noticed it? WTF? I noticed sub-64K files as few as 10 years ago ... Consumer systems are entirely too bloated, and idiots are using them in places that they don't belong. Thus the question ...

Ah, well. Said idiots are funding my retirement :-)

1
0
Anonymous Coward

Remotely turning on microphones

Listening in using a private PC in some Iranian bedroom... Meheeehhhhh Mehheehhhh.

1
0

Enough with the geekery, already. Whodunnit?

Oddly and ironically enough, one candidate not listed among the 'targets' might be Syria.

0
0
Anonymous Coward

That may be because the smart geeks moved elsewhere already - nobody left to analyse..

0
0
Silver badge
Black Helicopters

Smart Geeks

Smart Geeks also don't do work that gives anyone a reason to kill them.

I can't remember where I first read it, but the all-time classic along this line involves pure mathematics. If you were to find a fast algorithm to factorize a huge number into its only two prime factors, your only hope (other than keeping it secret to your grave) would be to spam your paper as far and wide as you could, and then go into hiding for a few months until the powers that be worked out that it could not ever be suppressed.

Most mathematicians believe such an algorithm to be impossible. If there are any that justifiably think otherwise, they have good reason to keep quiet about it!

2
0