Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Flame malware

  • 29-05-2012 2:55pm
    #1
    Registered Users, Registered Users 2 Posts: 367 ✭✭


    A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.


    The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.


    Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.




    Full: http://www.wired.com/threatlevel/2012/05/flame/


Comments

  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    I was reading that on the BBC news website last night. a bit nuts. it seems like its more of a framework than malware (like a malware construction kit or a spyware related metasploit) in that it can be configured with modules to target specific types of data or architectures (network and hardware).

    I'm not sure why they say its government funded though. yes the size is unusual (20mb according to the article I read) but it cant be the only clue and thats a pretty big allegation to make if its unfounded.


  • Registered Users, Registered Users 2 Posts: 1,375 ✭✭✭DoesNotCompute


    Cool, hopefuly Steve Gibson will pick up on this and report on it in this week's Security Now! podcast.


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    I don't know how anybody can listen to Security Now! SpinRite Ad Podcast.
    Cool, hopefuly Steve Gibson will pick up on this and report on it in this week's Security Now! podcast.


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    I don't know how anybody can listen to Security Now! SpinRite Ad Podcast.
    Cool, hopefuly Steve Gibson will pick up on this and report on it in this week's Security Now! podcast.
    It's decent for learning stuff like TCP/UDP for the first time, very well explained. But yes, I found that nearly every episode was a SpinRite ad.


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    It would make sense that it is some kind of code generated kit.
    Its not the first time viruses have been code generated.

    Either that or its packing large libs. 20Mb is a little extreme.

    Im old enough to remember this and can nearly remember the code it generated.
    There were plenty of these toys made after this one.

    07fig11.jpg

    Full article:
    http://www.informit.com/articles/article.aspx?p=366890&seqNum=7


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    http://thehackernews.com/2012/05/flame-malware-21st-century-massive.html

    Some more detail but still not much as to its inner workings.

    Appears to be more of a metasploit with steroids.


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    http://thehackernews.com/2012/05/flame-malware-21st-century-massive.html

    Some more detail but still not much as to its inner workings.

    Appears to be more of a metasploit with steroids.


  • Closed Accounts Posts: 310 ✭✭Annuv


    Like stuxnet, the complexity of flame is fascinating. It apparently uses an unknown MD5 chosen-prefix collision attack, which suggests that world class cryptographers were involved


  • Closed Accounts Posts: 1,620 ✭✭✭_AVALANCHE_




  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    The cert based attack it uses was disclosed back in 2008. The wpad.dat hijacking is also well known attack vector... Basically these guys just used a pimped out version of Evilgrade to own people.

    It seems the reason it is so bloody huge, is because it is packing like 9001 libraries, a LUA interpreter, ITS OWN WEBSERVER, and a bunch of other stuff bolted on.

    Bloatware, to be honest. They could have done the same thing in 10kb with Meterpreter, and avoided forensics and "uniqueness".

    JimmyCrackCorn - this is EXACTLY as you say - a Virus Creation Toolkit. Except they call it "APT Creation Centre" and it has sexy graphics using Aero or whatever :P


  • Advertisement
  • Closed Accounts Posts: 1,620 ✭✭✭_AVALANCHE_




  • Registered Users, Registered Users 2 Posts: 1,726 ✭✭✭gerryk


    I don't know how anybody can listen to Security Now! SpinRite Ad Podcast.

    You know, I find it less offensive than some other security podcasts. The only other ones I find listenable any more are social-engineer and EL. The rest might as well be CERT advisory lists being read by a machine for all the interest they inspire.

    Bring back sploitcast!


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    You should check out InfoSec Daily Podcast and Risky Business.
    gerryk wrote: »
    You know, I find it less offensive than some other security podcasts. The only other ones I find listenable any more are social-engineer and EL. The rest might as well be CERT advisory lists being read by a machine for all the interest they inspire.

    Bring back sploitcast!


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    infodox wrote: »
    The cert based attack it uses was disclosed back in 2008. The wpad.dat hijacking is also well known attack vector... Basically these guys just used a pimped out version of Evilgrade to own people.

    The md5 collision attack is unknown. The guys who came up with the most recent public attack have confirmed this (http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/). The use of terminal services certificates to sign code was known in 2008 and Microsoft didn't patch it? Got a link to that ?


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Gavin - not that, but MD5 hash collisions and such have been known since 2008 or so. Probably earlier. They were the "big news" at the time that someone had "broke" MD5, but no public attack tools were created, as no one really bothered I think...

    "On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash."
    - http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities

    As one can plainly see, MD5 has been f*cked for a LONG time. It has just taken something like this to show it up.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    I'm just thinking who or what country wrote this malware and for what purpose.

    Has it being stealing CC's or other personal info from randoms or is it directed at certain individuals?

    Backdoors:

    Gates controls Microsoft.
    Who controls Gates?


  • Closed Accounts Posts: 1,455 ✭✭✭RUCKING FETARD




Advertisement