'Super-powerful' Flame worm actually boring BLOATWARE

Flame may be big in size but it's nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code. The cyber-espionage …

COMMENTS



Anonymous Coward

20Mb? Modular beyond all reason? It sounds like "enterprise grade" malware to me...


Which of course is really the point of all the hype.

Up till now, these things have been unprofessional but this one as you say is enterprise level.


20MB???

But that's not even big enough for a MickeySoft EULA


And to keep it all in perspective...

Stuxnet = 2010 Bugatti Veyron

Flame = 1976 Cadillac Fleetwood

Luxury cars both, one lean, fast and tight to the road, built with custom parts

the other huge, soft, padded and drives like a fishing boat on the ocean, built from repriced Chevrolet parts.


Re: 20MB???

That's only 15 floppies. Of course they could put it on a CD and mail it out too. Some customers might appreciate having a backup.


Why don't you get it already?

The issue is how it could go undetected for years. Do you know how real antivirus and security companies work? They have thousands of "unprotected" machines that are impossible to tell otherwise, software automatically doing the dumbest things, spam traps subscribing to every single stupid mailing system, even opting in.

They have guys wandering around, social engineering, most of the time endangering their lives in black hat forums and darknets.

That is why commercial, professional antivirus is pay or freemium.


Re: Why don't you get it already?

> most of the time endangering their lives in black hat forums and darknets

Blackwater "Operator" Antivirus? I would buy it.


Re: Why don't you get it already?

Heh, about 1,000 computers in countries that aren't very trusting of Western Technology and afraid already of being spied on? How could it go undetected for very long? Very easily...

If the Iranian government was eating less of the stupid sauce, there'd be normal business relationships between commerce within Iran and the companies that produce anti-malware. There isn't, so you have a breeding ground for this stuff to be sent to.


IF I READ THIS ARTICLE RIGHT

THEN YOU HAVE TO BE SPTUPID TO GET THE FLAME WORM GOOD I HAVE NOTHING TO WORRY ABOUT

Anonymous Coward

Re: IF I READ THIS ARTICLE RIGHT

No, not stupid - just a foreign country that may or may not have access to nukes.

So yes you're still safe I hope and pray ;-)

Anonymous Coward

more likely

If you're Homer Simpson there's nothing worth stealing on your machine, so if Flame does get a foothold on your system the masters of the worm will remove it themselves.


Re: IF I READ THIS ARTICLE RIGHT

@ (appropriately titled) Big Dumb Guy 55 16:07

"I have to be stupid to get this virus" Well, if you're posting in ALL CAPS with a name like big dumb guy 57 you're in with a pretty good chance of getting it!


Re: "A foreign country that may or may not have access to nukes"

"A foreign country that may or may not have access to nukes" describes every single country in the world, other than whatever country a particular reader is a citizen of.


it's SPTUPID

stupid!


Re: IF I READ THIS ARTICLE RIGHT

Lions 3, Christians 0. Another round goes to the BDG.


http://en.wikipedia.org/wiki/Mimivirus

"Mimivirus, short for "mimicking microbe", is so called to reflect its large size. Mimivirus possesses many characteristics which place it at the boundary of living and non-living."

Similarly, Flame possesses many characteristics which place it into the genus of bloatware, media players and nagware.


This article reads strangely, at least to a non-professional in the security field

Reading some paragraphs the virus was in no way special or clever (though it was big), while reading others it managed to go on completely undetected for an unspecified number of years, while deleting critical information and performing other functions which can't be ascertained or traced back to a culprit.

Likewise, the coding of the virus is not especially unusual or exciting, but will take months and possibly years to decipher.

It may be because I work in a commercial world used to trumpeting even modest failure as startling success, but if I'd delivered a project that met such clearly defined goals over such a long period and didn't leave any significant threads for people to pull apart at the end, then I'd feel like I'd done a pretty good job.


Re: This article reads strangely, at least to a non-professional in the security field

That's for sure... everything about this threat looks extremely sophisticated, but the fact that its spread is apparently limited and controlled gives the author licence to dismiss it as bloatware? That is infantile bloviating. If this is "boring" then let's hear all about the exciting ones??


Re: This article reads strangely, at least to a non-professional in the security field

Agreed. It seems the significance of Flame would be in its apparent (but not really known) effectiveness... and possibly over a rather extended period of time. Being small, creating a large botnet, or being innovative, getting pats on the back from The Register, obviously weren't primary design goals.


Re: author licence to dismiss it as bloatware? that is infantile bloviating.

Too true. So I guess that means the next big question is:

Is John Leyden now on the payroll of said spooks and spreading disinformation about the threat?


"...most vendors spinning that Flame did not spread very far and that was the reason why it escaped detection for so long."

The real question is when did it first spread to a machine with an active, licensed, up-to-date antivirus/antimalware installation on it. Because that's exactly when this excuse became invalid.


Would a government require AV vendors based in it to miss malware it created?

Most likely more than 2 years ago, since the sorts of computers it has been found on would have been well protected.

Kind of embarrassing for the AV vendors whose products are used in the middle east, so they want to minimize it.

Would a government require AV vendors based in it to miss malware it created?

One of a few reasons I use Kaspersky is that, being in Canada, I'm more worried about the USA or Canada spying on me than Russia.


Re: Would a government require AV vendors based in it to miss malware it created?

WHY would a government require AV vendors based in it[s jurisdiction] to miss malware it created?

Given that there is no jurisdiction that adequately covers all AV vendors, said government would have to make the malware as difficult to detect as possible anyway.

Disclosing the existence of the malware to people in its jurisdiction [especially those most likely to incur financial losses in the event their collusion were discovered] would significantly increase the risk of the malware being detected.


Flame - Why did it take so long to detect?

I'm curious about a slightly different question....."Did it take the TARGETS two to five years to detect it?"

After all, the malware is huge, and the alleged data gathering impact must have created significant network traffic.

And if the targets knew about Flame all along, how much MISINFORMATION have they passed along to the spooks who own Flame?

Preppy


Memories

It was a little surprise for me to see L0pht and BO2K mentioned (but not Cult of the Dead Cow). I haven't heard much about them in a while.


Confusing article

The title and summary seem to contradict the article and its conclusion. The article says it is an advanced and complex piece of targeted malware that must have been made by a nation/state that will take months if not years to analyze, while the title and summary say it is just boring bloatware. Which is it?

(Written by Reg staff)

Re: Confusing article

It's possible to get a big team to write a huge piece of software that then doesn't do anything earth-shatteringly evil. Yes, it does bad things, but so does a lot of malware. It's not the weapon of annihilation first feared, although there is still a lot of code to get through.

C.


Re: Confusing article

>It's not the weapon of annihilation first feared,

>although there is still a lot of code to get through.

Conclusion before analysis. Logic failure. Propaganda detected.


Re: Confusing article

@diodesign: that's a somewhat complacent and narrow view. A not unlikely scenario is that this was created by a security agency like the CIA, who have a well-documented penchant for "extraordinarily rendering" (read: violently kidnapping) foreign citizens to assorted locations around the globe to be detained and tortured.

They have done this with the flimsiest of suspicion (bearing in mind that extra-judicial kidnapping, imprisonment, torture and assassination are illegal by definition and in many other ways). So if they happened to have had a tool like this to target potential "terrorists" over the past few years it would almost certainly have been used to assist such actions.

No, Flame/sKyWIper is not a "weapon of annihilation" (nice paper tiger!) but that wouldn't be much comfort to anyone languishing in an interrogation facility in Uzbekistan, would it?


Re: Confusing article

> A not unlikely scenario is that this was created by a security agency like the CIA who have a

> well-documented penchant for "extraordinarily rendering"

A fallacious argument (specifically argumentum ad misericordiam). Even if there were evidence that Flame was created by the CIA, you've demonstrated no logical association between extraordinary rendition (however vile and unethical that may be) and the thesis, which is that Flame is in some fashion an interesting or important piece of malware.

Extraordinary rendition is believed to usually involve the use of airplanes. That does not, in itself, make airplanes interesting.


A couple of observations. First I would not quote Kaspersky as if they were top level experts. They are second rate at best. We currently use them but will stop once the contract expires. They, far and away, have the biggest negative impact on system performance of any of the leading antivirus publishers. Internet speed is literally cut in half when using the internet protection feature as opposed to when that feature is turned off. Their support's first suggestion is 'trying reboot comrade - this is fixing much problem' and when you demand better support it becomes 'Am being very sorry comrade, we are sending new improved version as we are believing this will be helping much'. They simply can't support their product.

Another observation is that it seems odd that several people say this is a 'remote control' and/or data collection and transmission type of malware. I am not a hacker or even a very good programmer but I am a computer scientist and it occurs to me that if you know the code is transmitting data then you would also know where it is being sent to. Likewise if it is being remote controlled then you know where that control is coming from. Why then is it such a mystery 'who' is controlling or receiving transmissions?


DNS Flux

Pretty simple: you programmatically create more almost-random strings as domain names and automatically register them as your bot farm switches between them.

You register these domains under false names with less than stellar domain registries and keep the records pointing at a number of servers you have already compromised and can retrieve your information from at leisure. You access them through a string of other proxies and a tor network and hey presto you can go about these things relatively undetected. Especially if some of the hosts are in jurisdictions that don't play nice with western governments when they are investigating.

See here for what other internet randoms say about it: http://en.wikipedia.org/wiki/Fast_flux

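The post above describes operators rotating through machine-generated names and a pool of servers. What follows is an added example from the defender's side, not code from the commenter or the article: a triage heuristic over resolver logs that scores each name's second-level label by character entropy and counts how many distinct answer IPs the same name resolved to. The log format, the sample lines and the thresholds are constructed assumptions, and the registered-domain split ignores public suffixes.

```python
import math
import re
from collections import Counter

# Constructed resolver log lines (not real data): timestamp, client, qname, type, answer.
# Two names are random-looking and change IP within seconds; the last line is junk.
SAMPLE_DNS_LOG = """\
2012-06-01T10:00:01Z 10.0.0.5 www.example.com A 93.184.216.34
2012-06-01T10:00:02Z 10.0.0.5 www.example.com A 93.184.216.34
2012-06-01T10:00:03Z 10.0.0.7 qx7zk4pvb2nw.info A 198.51.100.7
2012-06-01T10:00:04Z 10.0.0.7 qx7zk4pvb2nw.info A 198.51.100.8
2012-06-01T10:00:05Z 10.0.0.7 t9jw3ldqo1xcf.biz A 203.0.113.9
2012-06-01T10:00:06Z 10.0.0.7 t9jw3ldqo1xcf.biz A 203.0.113.10
2012-06-01T10:00:07Z 10.0.0.5 cdn.example.net A 93.184.216.40
this line does not match the assumed log format and is skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")

def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for a one-symbol string."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_domain(qname):
    """Crude registered domain: last two labels (assumption: no public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze_dns_log(log_text):
    """Per queried name: query count, distinct answer IPs, entropy of the 2nd-level label."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, _client, qname, answer = m.groups()
        label = registered_domain(qname).split(".")[0]  # the part a DGA randomises
        entry = stats.setdefault(qname, {"queries": 0, "ips": set(), "label": label,
                                         "entropy": shannon_entropy(label)})
        entry["queries"] += 1
        entry["ips"].add(answer)
    return stats

def flag_fast_flux_candidates(log_text, entropy_threshold=3.2,
                              min_label_len=8, min_ips=2):
    """Return {qname: [reasons]} for long high-entropy labels or names answered by
    several IPs. Thresholds are illustrative; long dictionary words also score high,
    so real use needs an allowlist on top of this."""
    flagged = {}
    for qname, s in analyze_dns_log(log_text).items():
        reasons = []
        if len(s["label"]) >= min_label_len and s["entropy"] >= entropy_threshold:
            reasons.append("random-looking label")
        if len(s["ips"]) >= min_ips:
            reasons.append("%d distinct answer IPs" % len(s["ips"]))
        if reasons:
            flagged[qname] = reasons
    return flagged

if __name__ == "__main__":
    for name, why in sorted(flag_fast_flux_candidates(SAMPLE_DNS_LOG).items()):
        print(name, "->", ", ".join(why))
```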

Kaspersky is only second rate if you rank your AVs on something other than virus detection capability.

If you want a good AV in a world full of malware, that AV is going to need some cycles to run.

Virus Bulletin and the VB100 is a good place to start.


Re: DNS Flux

Perhaps a non-western country, but not necessarily.

If the domain registries are in western jurisdictions that have laws requiring employees cooperate with security services and have stiff criminal penalties for publicizing requests from security services this DNS flux could be done here.

In the UK for example, I understand that if a domain name registry employee informed his employer of requests by MI6 he could face prosecution under the Regulation of Investigatory Powers Act (or whatever the RIP Act stands for).

The USA has its laws, but patriotism alone would probably be enough to create the silent obedience necessary.

I'm not saying this was a western government, but I do not think we can close our minds to that possibility now, OR IN THE FUTURE.


Re: DNS Flux

You do know that it is possible to use a registrar that is outside your local vicinity right? Also that there are things like credit card fraud so the person of record on the 1000s of domains may not actually be the perpetrator?

It is one of the reasons that RIPA and the Patriot Act are pretty much useless in this regard.


Obviously not getting it

The purpose of Flame is not to spy on users or infect many systems, but to give meaning to the ITU. The ITU fears becoming useless in a world dominated by lightweight patent-free Internet standards which can be implemented within a day.

This is why the ITU wants to re-brand itself as "cyber security experts". I wouldn't be surprised if the ITU sponsored the development of Flame.


hehehehehe... he said firm.... hehehehe

"The security firm reckons a military sub-contractor was likely to have carried out the work than a intelligence agency."


Who knows...

...you may have a variant of Flame sitting on a machine right now waiting for its next command? It just seems like a Swiss army knife of hacking tools rather than relying on one set of attributes/commands that are already preset within the malware. Very impressive but crap scary.

Just hoping the top security guys and gals are already on the case.


How can malware stay undetected...

Very easy: it is enough to not do anything too noticeable, like slowing your computer down, encrypting your files and asking for a ransom, or stealing all your bandwidth.

If you do not possess a decent border router/firewall that you inspect often and cannot identify strange system processes, then as long as the malware doesn't do anything to alert the user of the computer, it can stay undetected forever.


BLOATWARE?

So it wouldn't be noticed on a Microsoft system then?


Re: BLOATWARE?

Heck! MS-Windows would welcome it with open arms as one of the family.


Re: BLOATWARE?

Actually, 20MB would trigger alarms, being much smaller than other running system apps.


AV vendors exaggerate...

AV vendors exaggerate both the threat and their own supposed skill levels. Whatever they say should be right-shifted twice (times ¼) if you wish to approximate the truth.

Anonymous Coward

Whatever

Going undetected for years, while only infecting 1000 or so machines? Sounds about right. I'm actually surprised it was found.

Meanwhile the article itself is extremely inconsistent. There are numerous places where wide reaching statements are made... And the very next statement takes a 180 degree turn.

Regarding AV firms in general: I know they are trying hard, but they need to kick the marketing people off of the development teams. This is a hard thing to do right and the bloatware (the AV itself, not the virus) is just too much.

Quite frankly I'm wondering who is having a bad sales year. We've seen a number of virus articles lately on things that just don't impact us. Marketing I'm sure.

At the end of the day we figured out that the cost of an actual infection is much cheaper than paying the "protection" racketeers. I'm sure others are figuring that out as well.


best designed, most dangerous malware is malware that went undetected

Just as the best spies are spies that went undetected, the best designed, most dangerous malware to find on your computer is malware that went undetected for long periods of time.

Flame fits that description perfectly.

Those AV vendors that were not called in by the ITU are simply jealous of Kaspersky.


Bond like

You know, the guy never hides his name or purpose. This 20MB thing doesn't even use executable compression; it looks like "look, I have been in your machines for years. Just think what I would do if you keep messing".

Sounds crazy? What about launching a satellite into space just to shoot it down, and a competitor doing the exact same thing? Happened, China vs USA. Wikileaks.


So, then.

Bloated? Check.

Only works with Windows? Check.

Doesn't seem to do anything really clever or innovative in all that code? Check.

Has loads of bugs? Check.

QED: It's a Microsoft product.


Kaspersky employee Aleks's blog on securelist is worth reading over

This link in the original Reg article is well worth reading for yourself:

http://www.securelist.com/en/blog?weblogid=208193522

Here are my thoughts on reading it:

1. "While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame."

So actually they weren't even looking for Flame, they were looking for other malware and happened to find Flame.

They still have not found Wiper.

2. The security service (if it was a security service) spreading Flame would likely have been commanding Flame to remove itself from systems that did not hold valuable information, because being on as few systems as possible is key to going undetected.

Aleks says, "According to our observations, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields – they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren’t interesting, leaving the most important ones in place. After which they start a new series of infections."

So really, if there are 1,000 systems infected now, there could have been 10,000, 20,000, 30,000 systems infected in the past two years -- nobody other than the Flame admins has any clue how many systems were infected.

(If I was writing Flame Mk II, I'd make sure the computers it infected were already well protected, so that they would not get infected by something noticeable that would attract scrutiny.)

3. There could be dozens of similar sorts of malware on Apple, Windows and Unix computers and we would not know it.

This malware was only found on a Windows computer by chance, and the more computers are running an OS, the more chance of an accidental discovery, and the more scrutiny the OS gets. (History shows open source Unix has had vulnerabilities discovered that were there for several years. The chance to review an open source program does not mean the open source program was reviewed.)

4. Kaspersky says Flame will use Bluetooth when it is available.

My thoughts are that, if so then bulk information could have been sent from some infected computers via Bluetooth. If just one computer in a business was bluetooth enabled, that computer could relay the information from all the other computers to a hostile Bluetooth device planted near the installation by the security service. Hence there would be less for an admin to see in his firewall logs.


Bluetooth part bugs me

Let's hope there isn't an undetected mobile part of the virus which will be abused to extract info to an innocent victim, using him/her as a carrier. It would be really hard to explain while you are being questioned in some basement.

You know the line "I have no clue how this white powder ended up in my baggage"


Re: Kaspersky employee Aleks's blog on securelist is worth reading over

Your 2nd point is EXACTLY what my first thoughts were when the author plays down the infection rates.

If it is capable of erasing its presence and has had at least 2 years, maybe 5 years, to spread and gobble info, the fact that only 1000 concurrent infections have been verified means FA.

If the "insert large governmental institution of your choice" had 1000 people each tasked with slurping the useful stuff off a machine each day, then spreading and finding the most interesting one the next day, let's do the math:

1000 * 5 (working days a week) * 48 (working weeks a year) * 5 (years) = 6 million possible machines infected at this work rate.

So that is in the same order of magnitude as Conficker etc. Of course I have zero evidence to back this up; however, Mr. Author, you also have zero evidence the impact was so small and benign.

And what is this about wiper? It strikes me that if you didn't want to bring in 1000 people on this you could easily have your corporate hacker team write a script to very much automate the infect, check pc for keywords/data types, spread, delete self routine and maybe hit every "connected" machine on earth in the same timescale. Maybe this script is also pretty smart and happens to go by the "Wiper" name?

