
Flame malware

  • 29-05-2012 3:55pm
    #1
    Registered Users Posts: 367 ✭✭


    A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.


    The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.


    Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.




    Full: http://www.wired.com/threatlevel/2012/05/flame/


Comments

  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    I was reading that on the BBC news website last night. A bit nuts. It seems like it's more of a framework than malware (like a malware construction kit or a spyware-related Metasploit) in that it can be configured with modules to target specific types of data or architectures (network and hardware).

    I'm not sure why they say it's government funded though. Yes, the size is unusual (20MB according to the article I read) but it can't be the only clue and that's a pretty big allegation to make if it's unfounded.


  • Registered Users Posts: 1,375 ✭✭✭DoesNotCompute


    Cool, hopefully Steve Gibson will pick up on this and report on it in this week's Security Now! podcast.


  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    I don't know how anybody can listen to Security Now! SpinRite Ad Podcast.
    DoesNotCompute wrote: »
    Cool, hopefully Steve Gibson will pick up on this and report on it in this week's Security Now! podcast.


  • Registered Users Posts: 1,034 ✭✭✭dalta5billion


    BaconZombie wrote: »
    I don't know how anybody can listen to Security Now! SpinRite Ad Podcast.
    DoesNotCompute wrote: »
    Cool, hopefully Steve Gibson will pick up on this and report on it in this week's Security Now! podcast.

    It's decent for learning stuff like TCP/UDP for the first time, very well explained. But yes, I found that nearly every episode was a SpinRite ad.


  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    It would make sense that it is some kind of code generated kit.
    It's not the first time viruses have been code generated.

    Either that or it's packing large libs. 20MB is a little extreme.

    I'm old enough to remember this and can nearly remember the code it generated.
    There were plenty of these toys made after this one.

    [image: 07fig11.jpg]

    Full article:
    http://www.informit.com/articles/article.aspx?p=366890&seqNum=7


  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    http://thehackernews.com/2012/05/flame-malware-21st-century-massive.html

    Some more detail but still not much as to its inner workings.

    Appears to be more of a metasploit with steroids.



  • Closed Accounts Posts: 310 ✭✭Annuv


    Like Stuxnet, the complexity of Flame is fascinating. It apparently uses an unknown MD5 chosen-prefix collision attack, which suggests that world-class cryptographers were involved.



  • Registered Users Posts: 126 ✭✭infodox


    The cert-based attack it uses was disclosed back in 2008. The wpad.dat hijacking is also a well-known attack vector... Basically these guys just used a pimped-out version of Evilgrade to own people.

    It seems the reason it is so bloody huge is because it is packing like 9001 libraries, a Lua interpreter, ITS OWN WEBSERVER, and a bunch of other stuff bolted on.

    Bloatware, to be honest. They could have done the same thing in 10KB with Meterpreter, and avoided forensics and "uniqueness".

    JimmyCrackCorn - this is EXACTLY as you say - a Virus Creation Toolkit. Except they call it "APT Creation Centre" and it has sexy graphics using Aero or whatever :P



  • Registered Users Posts: 1,726 ✭✭✭gerryk


    BaconZombie wrote: »
    I don't know how anybody can listen to Security Now! SpinRite Ad Podcast.

    You know, I find it less offensive than some other security podcasts. The only other ones I find listenable any more are social-engineer and EL. The rest might as well be CERT advisory lists being read by a machine for all the interest they inspire.

    Bring back sploitcast!


  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    You should check out InfoSec Daily Podcast and Risky Business.
    gerryk wrote: »
    You know, I find it less offensive than some other security podcasts. The only other ones I find listenable any more are social-engineer and EL. The rest might as well be CERT advisory lists being read by a machine for all the interest they inspire.

    Bring back sploitcast!


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    infodox wrote: »
    The cert based attack it uses was disclosed back in 2008. The wpad.dat hijacking is also well known attack vector... Basically these guys just used a pimped out version of Evilgrade to own people.

    The MD5 collision attack is unknown. The guys who came up with the most recent public attack have confirmed this (http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/). The use of terminal services certificates to sign code was known in 2008 and Microsoft didn't patch it? Got a link to that?


  • Registered Users Posts: 126 ✭✭infodox


    Gavin - not that, but MD5 hash collisions and such have been known since 2008 or so. Probably earlier. They were the "big news" at the time that someone had "broke" MD5, but no public attack tools were created, as no one really bothered I think...

    "On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash."
    - http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities

    As one can plainly see, MD5 has been f*cked for a LONG time. It has just taken something like this to show it up.
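
The exchange above between Annuv, Gavin and infodox turns on one point: a signature over an MD5 digest can be transferred to a colliding certificate, so a chain that contains any MD5-signed certificate cannot be trusted to establish identity. The practical defender-side check is to refuse such chains outright. The script below is an added example, not code from the thread or from any of the projects named in it; it walks the DER of each certificate with a small hand-written TLV reader, decodes the outer signatureAlgorithm OID and flags md5WithRSAEncryption. The certificates it inspects are constructed toy structures (built by toy_certificate()) that only mimic the outer shape of X.509; they carry no real signature.

```python
"""Flag MD5-signed certificates in a chain: an added example, not code from the thread.

A minimal DER walker reads the outer Certificate SEQUENCE, skips
tbsCertificate and decodes the signatureAlgorithm OID.  The toy
certificates from toy_certificate() are constructed for the demo only.
"""

# PKCS#1 signature algorithm OIDs (RFC 3279 / RFC 4055), dotted form.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

# Anything a validator should refuse anywhere in a chain.
WEAK_SIGNATURE_OIDS = {MD5_WITH_RSA: "md5WithRSAEncryption"}

SEQUENCE, OID, NULL, INTEGER, BIT_STRING = 0x30, 0x06, 0x05, 0x02, 0x03


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    parts = [str(content[0] // 40), str(content[0] % 40)]
    num = 0
    for b in content[1:]:
        num = (num << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends a base-128 arc
            parts.append(str(num))
            num = 0
    return ".".join(parts)


def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate is skipped
    tag, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def weak_signatures(chain):
    """List (index, oid, name) for every certificate in the chain signed over MD5."""
    findings = []
    for i, cert_der in enumerate(chain):
        oid = signature_algorithm(cert_der)
        if oid in WEAK_SIGNATURE_OIDS:
            findings.append((i, oid, WEAK_SIGNATURE_OIDS[oid]))
    return findings


# --- DER encoding helpers, used only to construct the demo certificates ---

def _der(tag, content):
    """Encode one TLV with a DER short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag and length included)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for n in arcs[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:                            # continuation bytes carry the high bit
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out += bytes(reversed(chunk))
    return _der(OID, bytes(out))


def toy_certificate(sig_oid):
    """Build a Certificate-shaped blob: SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tbs = _der(SEQUENCE, _der(INTEGER, b"\x02"))                  # placeholder tbsCertificate
    alg_id = _der(SEQUENCE, encode_oid(sig_oid) + _der(NULL, b""))
    signature = _der(BIT_STRING, b"\x00" * 33)                    # placeholder, not a real signature
    return _der(SEQUENCE, tbs + alg_id + signature)


# Constructed chain: SHA-256 leaf, MD5-signed intermediate, SHA-1 root.
DEMO_CHAIN = [toy_certificate(SHA256_WITH_RSA),
              toy_certificate(MD5_WITH_RSA),
              toy_certificate(SHA1_WITH_RSA)]

if __name__ == "__main__":
    for index, oid, name in weak_signatures(DEMO_CHAIN):
        print(f"cert #{index}: {name} ({oid}) - reject this chain")
```

Run against the constructed chain it reports the intermediate (index 1) as md5WithRSAEncryption, which is exactly the position a forged certificate would occupy. Only the outer signatureAlgorithm is inspected here; a real validator should also compare it with the signature field inside tbsCertificate, since the two must agree.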


  • Registered Users Posts: 367 ✭✭900913


    I'm just thinking who or what country wrote this malware and for what purpose.

    Has it been stealing CCs or other personal info from randoms, or is it directed at certain individuals?

    Backdoors:

    Gates controls Microsoft.
    Who controls Gates?

