back to article Super-powerful Flame worm could take YEARS to dissect

The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse. Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have …

COMMENTS

This topic is closed for new posts.
  1. bpfh Bronze badge
    FAIL

    Years to dissect? Really?

    When hacker teams have keygen's and network blocking solutions for the bloatware giant Adobe Master Collection 6 within 24 hours of it's public release, the security firms really think that it would take years to dissect this? It would seem that reverse engineering, decompiling and debugging have changed a lot since my time ...

    1. Tom_

      Re: Years to dissect? Really?

      It takes a lot longer to fully analyse a piece of software than it does to look for the places where the DRM is checked and change them.

      It's weird to have to point that out on this website, though.

      1. stanimir

        Re: Years to dissect? Really?

        Still, anything interesting involves API calls. You can track 'em just as easily. I know how disassembling and reverse engineering works first hand, so years is highly overstated.

        I bet there is no motivation most of all.

        1. Anonymous Coward
          WTF?

          Re: Years to dissect? Really?

          Ok, so maybe you could do it and grab the glory. After all if it's going to take years and you can knock it up in a couple of hours, you'd easily command a very well paid job.

          Look forward to your posting next week, when you have cracked it.

          1. sed gawk

            Re: Years to dissect? Really?

            I understand the point that you are making, in that syscalls/win32 calls have a fairly destinct appearence in the dissassembled output of a native binary.

            However, there is no requirement for a malware author to use the api's for the intended purpose, meaning taking the api/syscall signatures at face value is unlikely to be helpful.

            Suppose you have large volumes of logic in a scripting language that you can generate at runtime, then your native app, is just a host with the lua generator seeds + interpreter.

            Also, what happens if all your interesting native code is application layer, and the api calls are just false flags.

            What does this do - ( this is from the IOCC - so give it a punt before you look up the answer)

            #include <pthread.h>

            #include <string.h>

            #include <stdio.h>

            #include <ctype.h>

            #undef D

            #undef E

            #undef U

            #ifndef C

            #define I int n,r;

            #define D(N) void*N(void*);

            #define C pthread_create

            #define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\

            ='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}

            #define U int

            #elif ! defined J

            #define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"

            #define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={

            #define U };

            #define D(N) N,

            #define L return fwrite("\1\t\0;",1,4,stdout)!=4;

            #define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)

            #define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K

            #else

            #define T pthread_t

            #define E char B[8][256];

            #define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}

            #define D(N) void *N(void *y) {\

            static I char *x=y;\

            T t=0;\

            if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\

            if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\

            n++;\

            if(*x) N(x+1);\

            if(t) pthread_join(t,&y);\

            return y;\

            }

            #endif

            E

            /* ____ END OF CODE __ */

            Not trying to be difficult but I'm not any sort of expert in the domain, and I reckon I'm aware of quite a few techniques to make it difficult to determine the intent.

            A simple stream cipher + interperter + randomized memory locations should slow most people down for long enought to collect the paycheck and move on to the next gig.

            Imagine what tricks you might know if this was your domain, I fully expect that there are techiques for this kind of thing that make my feeble imaginings look rather old hat but hey it's not my domain.

            Just some food for thought,

            Sed

            1. sed gawk

              Re: Years to dissect? Really?

              - didn't paste all the code..

              #include <pthread.h>

              #include <string.h>

              #include <stdio.h>

              #include <ctype.h>

              #undef D

              #undef E

              #undef U

              #ifndef C

              #define I int n,r;

              #define D(N) void*N(void*);

              #define C pthread_create

              #define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\

              ='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}

              #define U int

              #elif ! defined J

              #define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"

              #define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={

              #define U };

              #define D(N) N,

              #define L return fwrite("\1\t\0;",1,4,stdout)!=4;

              #define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)

              #define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K

              #else

              #define T pthread_t

              #define E char B[8][256];

              #define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}

              #define D(N) void *N(void *y) {\

              static I char *x=y;\

              T t=0;\

              if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\

              if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\

              n++;\

              if(*x) N(x+1);\

              if(t) pthread_join(t,&y);\

              return y;\

              }

              #endif

              E

              D(bdefhklmnprtuvwxyz57)

              D(bcdefgiopqrstz23567890K)

              D(abcdefgjopqrstz123567890K)

              D(cefghkoqstz23457890K)

              D(mntuvwxyz7)

              D(bcdefghklmnopqrsuvw256890K)

              D(aimnxy1)

              D(jkt14)

              D(abdhmprxyz0)

              D(mnoquvw237890K)

              D(abcdefghklmnopqruvw560K)

              D(befhikprs45689MK)

              D(befghjmnqprstwxyz156890MK)

              D(dghs234789M)

              D(amnoquvw90K)

              D(abcdefghjklmnopqruw4680K)

              D(aivxz40PK)

              D(ajkrtwy1247PK)

              D(abdghnqvx456K)

              D(amnosuw34890K)

              D(abdefhklmnprxz25_)

              D(bcdegijloqsuwz12356890_PK)

              D(bcdegloqstuvyz123567890_PK)

              D(cehklorsuwz1234890_K)

              D(amnqxz2_K)

              U

              #ifndef T

              #include __FILE__

              #endif

              1. Sir Runcible Spoon Silver badge

                Re: Years to dissect? Really?

                Did you just call me a cunt?

    2. ArmanX
      Boffin

      Re: Years to dissect? Really?

      Bloatware is easy to dissect, especially if all you're doing is keygen, no-cd, or other such tasks. You don't even have to know what a program does to be able to find its key-checking algorithm.

      If you want to know every detail, however, you'll need to analyze every byte of code; you can't gloss over anything. And well-obfuscated code can be a twisted mess, too; Adobe doesn't spend a majority of its time making sure no one can read a single line of code.

      1. Anonymous Coward
        Anonymous Coward

        Re: Years to dissect? Really?

        "Adobe doesn't spend a majority of its time making sure no one can read a single line of code."

        I dunno; it would explain a lot.

  2. Anonymous Coward
    Anonymous Coward

    FOI request

    How many people were employed by the US government in the development of the Stuxnet programming project?

    1. Destroy All Monsters Silver badge
      Big Brother

      Re: FOI request

      You will never know. The black budget is currently at USD 50 billion YEARLY. You can put a few excellent developers into the small interstices, then buy them a nice, large house on the coast so that they STFU.

      Then one day, an old bartender starts talking to you about this programming project...

      1. h4rm0ny

        Re: FOI request

        Just in case casual readers dismiss you as a "conspiracy theorist", the figure of $50bn for black projects, is the total amount spent by the Department of Defence on projects they list as Classified. I.e. they wont tell you where the money goes. The $50bn figure is for the year 2010.

        The USA spends *a lot* of money on things it doesn't disclose to the public.

        1. Anonymous Coward
          Anonymous Coward

          @h4rm0ny

          Sadly, in a budget the size of the US government, $50bn doesn't even make it to the category of "rounding error." And knowing some folk who work in the defense industry, $50bn doesn't actually go as far as you might think when it starts to involve hardware, which it certainly will. As in, one of my low levels friends (not involved in the spook-like classified activities, just protection of force ones) doesn't even spend serious time thinking about expenditures below $1 million.

  3. Anonymous Coward
    Anonymous Coward

    Still microsoft windows is #1

    Least this is free and in that compared to windows is realy very primative in design, Windows is still number #1 and has done so using the box/shop expliot were they get there victim to do all the hard work and pay for the priveledge.

    Any virus or malware that does not use double-enrty code and hidden op-codes etc is badly written.

    Anon or my graphics card operating system might be called a virus like some network card OS was recently :=]

    1. Anonymous Coward
      Anonymous Coward

      Re: Still microsoft windows is #1

      Funny that, I was just thinking the same, especially in the light of the gazillion patches it downloads every day and the Windows *cough* "Advantage" data going the other way, nobody would notice a data extraction The problem was that I could not see Microsoft (a) code anything that works and (b) keep it under 1GB, let alone 20MB - they haven't been forced to demonstrate tight compiling since they got rid of Borland.

      Next candidate who doesn't see privacy as a barrier: Google OS? Maybe the Chinese gave them an idea (which would also neatly count as a reverse rip off).

      Just musing probabilities. On account of the probably funding, required secrecy and total disregard for any applicable legal barriers you'd almost immediately think US - also because of where it has been found so far..

  4. Peter Mount

    Lua?

    Could it be simply because they don't know Lua?

    I'm not surprised that Angry Birds uses lua as it's quite popular within gaming circles

    1. Anonymous Coward
      Anonymous Coward

      Re: "Could it be simply because they don't know Lua?"

      Oh please, give them some credit. Why is it that the default position of reg commenters is 'assume the subjects of the article are complete idiots'?

      Shoehorning 'angry birds' into the article seems a rather lame bit of attention grabbing, too. As Mr Mount observed, lua use is widespread these days, if only because there aren't a whole lot of fast, simple, small languages intended for embedding within a larger application.

      1. Charlie Clark Silver badge
        Holmes

        Re: "Could it be simply because they don't know Lua?"

        Oh please, give them some credit.

        I think it's a reasonable remark.

        The article also notes that the worm uses the "open source" libz library. Wow, apart from the fact that I think this is usually referred to as zlib though I don't want to get in a willy-waving competition about open source libraries, what the fuck does it matter that it's an open source library? Or that SQLite is being used for persistence? Implementation - the libraries used - shouldn't be confused with design - encrypted and compressed communication.

        1. James Anderson

          Re: "Could it be simply because they don't know Lua?"

          Not really even if you have never seen piece of lua code before, the syntax is so beautifully clear and simple any half skilled programmer could work out what was going on.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Could it be simply because they don't know Lua?"

        Or maybe not everyone is a programmer?

        If I started spouting off about q931, qsig, DPNSS, SS7 and g711 of course you know these are pretty standard terms in the telecoms world wouldn't you?

    2. Anonymous Coward
      Anonymous Coward

      Re: Lua?

      The Lua interpreter has few things going for it when choosing something to execute your business logic: it's free, open source, lightweight when compiled and is designed to be statically linked from a C program so it's self-contained.

      If you want to deploy something that is [relatively] complex, and retain the ability to quickly modify it's behaviour significantly in the field then Lua is a natural fit. Much more so than either compiled languages or Python, Ruby, Java, etc.

  5. Wintermute
    Joke

    lazy team refuses to reinvent the wheel

    "it uses various open-source libraries including libz for compression; it is spread out over several files rather than as one executable; and most unusually it uses a database managed by the SQLite library."

    Well, I guess someone finally discovered a use for open source software.

  6. Destroy All Monsters Silver badge
    Joke

    zlib and SQLlite, huh?

    They didn't use any software under the GNU license, so no obligation to share code. Well done.

    1. Gwyn Evans
      Joke

      Re: zlib and SQLlite, huh?

      In Soviet Russia, code shares you!

  7. PyLETS
    Boffin

    Probably self morphing and remote controlled

    If they have been really smart, the antivirus folks will forever be playing catch up, while the perps keep changing the only unencrypted bits of it the AV signatures can algorithmically detect. Maybe that's why they are using Lua, so they can more easily remote control installed instances to change the bits conforming to the AV signatures as and when it suits those operating these instances.

    Sounds like getting rid of this thing for good may well involve backing up any known good data which doesn't contain executable content, wiping the rest and reinstalling from still trusted sources and media. I doubt many Windows lusers have that capability.

    I always thought trying to keep a system secure by avoiding blacklisted software was a bad idea. Better only to execute whitelisted software if it really matters.

  8. koolholio
    WTF?

    Years to dissect?

    This is rather technically comprehensive...

    http://go.eset.com/us/threat-center/encyclopedia/threats/flame/

    1. koolholio
      FAIL

      Re: Years to dissect?

      Also, Iran CERT teams remover, pick it up from here:

      http://i.haymarket.net.au/News/Remover.rar

      Dissect the remover, and then you get how it removes it :-) SIMPLES!

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Years to dissect?

      That sounds like something hanging around on Amigas. You sure that's the right target?

  9. koolholio
    Stop

    Dissection already performed...

    http://certcc.ir/index.php?name=news&file=article&sid=1894

    From the CERT team themselves:

    Table1: Infection Components

    Content Name & Path

    Registry key existence HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages -> mssecmgr.ocx

    Malware binaries windows\system32\mssecmgr.ocx

    Windows\System32\ccalc32.sys

    Windows\System32\msglu32.ocx

    Windows\System32\boot32drv.sys

    Windows\System32\nteps32.ocx

    Windows\System32\advnetcfg.ocx

    Windows\System32\soapr32.ocx

    1. Ilgaz

      Re: Dissection already performed...

      They mean full disassembly, how it actually works. Those are just the modules files.

    2. itzman
      Linux

      Re: Dissection already performed...

      I cant find any of those files on my Linux system Should I be worried?

      1. Anonymous Coward
        Anonymous Coward

        Yes, definitely. It's now certainly not Windows compatible, so the suits upstairs will be with you shortly.

        Speaking of which, I feel left out. They promised Macs would become as vulnerable as Windows (a fact I heard played back by a Microsoft rep a few days ago - until I asked him to quantify the number of separate malware strands for each platform), so where is my copy?

        Anyone heard of malware for Google OS yet? Or has it remained too insignificant to bother? Or IS that actually Flame in user-friendly mode (given the propensities and known NSA links of the company in question)?

      2. Ilgaz

        Re: Dissection already performed...

        Better wish these black hat evil geniuses don't eye Linux for their next project.

  10. JaitcH
    WTF?

    Windows ...

    the best advertisement for Linux.

  11. jake Silver badge

    20 meg malware "threat" in the field for 2 years, undetected.

    Does nobody actually understand system security anymore?

    I weep.

    1. PyLETS
      Boffin

      Re: 20 meg malware "threat" in the field for 2 years, undetected.

      "Does nobody actually understand system security anymore?"

      Those who understand security execute only trusted executables and use software distribution and installation systems involving cryptographic chains of trust identifying all the engineers who have signed all executables installed as checked and verified. On larger general purpose systems we have to take calculated risks, of the kind: "has the team engineering this closed source component of my otherwise opensource system used as a device driver or media player been nobbled, or is there a zero day in this or some other component known to someone who wants to attack this system but not the engineer who signed it ?". On smaller security-purposed systems we have to ask the same questions but have a better chance of answering them. We keep these differently purposed systems sandboxed from each other.

      I don't think anyone who genuinely understands systems security has been highly reliant on popular software used for scanning and detection of blacklisted executables for many years. If blacklisted or not yet blacklisted executables can be installed onto your system and executed, you either don't yet properly understand, or don't yet really care about security.

      1. jake Silver badge

        @PyLETS (was: Re: 20 meg malware "threat" in the field for 2 years, undetected.)

        That's nice, PyLETS.

        I don't think you really understand my question.

        I weep.

        1. sed gawk

          Re: @PyLETS (was: 20 meg malware "threat" in the field for 2 years, undetected.)

          Hey Jake,

          Perhaps you could elucidate further.

          Sed

          1. Sir Runcible Spoon Silver badge

            Re: @PyLETS (was: 20 meg malware "threat" in the field for 2 years, undetected.)

            "Does nobody actually understand system security anymore?"

            Yes.

            Poorly framed question in my opinion.

        2. Anonymous Coward
          Anonymous Coward

          Re: @jake (was: 20 meg malware "threat" in the field for 2 years, undetected.)

          Sorry Jake - you didn't understand (or chose to ignore) his answer

          1. jake Silver badge

            Re: @jake (was: 20 meg malware "threat" in the field for 2 years, undetected.)

            My point is that the "threat" is/was 20 megs in size. And nobody noticed it? WTF? I noticed sub-64K files as few as 10 years ago ... Consumer systems are entirely too bloated, and idiots are using them in places that they don't belong. Thus the question ...

            Ah, well. Said idiots are funding my retirement :-)

    2. Ilgaz

      This could be reason of fear

      This thing seems to bypass every single heuristic detection on systems that have proper security software. Or, it pre checked the system setup without raising alarm bells and didn't infect the ones which will check things like "startup items added out of nowhere" heuristics.

      Analysts seem a bit confused about the complexity.

  12. Anonymous Coward
    Anonymous Coward

    Remotely turning on microphones

    Listening in using a private PC in some Iranian bedroom... Meheeehhhhh Mehheehhhh.

  13. David Glasgow

    Enough with the geekery, already. Whodunnit?

    Oddly and ironically enough. One candidate not listed among the 'targets' might be Syria.

    1. Anonymous Coward
      Anonymous Coward

      That may be because the smart geeks moved elsewhere already - nobody left to analyse..

      1. Nigel 11
        Black Helicopters

        Smart Geeks

        Smart Geeks also don't do work that gives anyone a reason to kill them.

        I can't remember where I first read it, but the all-time classic along this line involves pure mathematics. If you were to find a fast algorithm to factorize a huge number into its only two prime factors, your only hope (other than keeping it secret to your grave) would be to spam your paper as far and wide as you could, and then go into hiding for a few months until the powers that be worked out that it could not ever be suppressed.

        Most mathematicians believe such an algorithm to be impossible. If there are any that justifiably think otherwise, they have good reason to keep quiet about it!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019