Flame Malware Authors Hit Self-Destruct
angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."
Re:SUICIDE not good enough... (Score:5, Informative)
It overwrites with random data THEN deletes.
Makes it impossible to tell it was ever installed.
Otherwise you could scan the disk for remnants to tell if a computer was infected in the past.
Delete doesn't actually remove any data, just the filename and allocates it as free space.
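To make the comment's point concrete (an ordinary delete leaves the bytes on disk for a remnant scan to find, while an overwrite-then-delete does not), here is an added toy model that is not part of the thread: a disk image held in a bytearray with a flat file table, a plain `unlink`, a `shred` that fills the file's blocks with random bytes before unlinking, and a carving-style scan that searches the raw image for a constructed signature without consulting the file table. The block size, the file table layout and the `TOY-MODULE-SIGNATURE` marker are all assumptions for this example, and the model assumes a device that honours in-place writes.

```python
"""Toy disk: unlink versus overwrite-then-unlink, seen from a raw-image scan.

Added example, not code from the original thread. Models a block device that
writes in place; the file table is a plain dict (constructed, not a real FS).
"""
import os

BLOCK = 64  # constructed block size for the toy image
MARKER = b"TOY-MODULE-SIGNATURE"  # constructed signature standing in for a real indicator


class ToyDisk:
    def __init__(self, blocks=16):
        self.image = bytearray(BLOCK * blocks)      # the raw "platter"
        self.free = list(range(blocks))             # free block list
        self.table = {}                             # filename -> [block numbers]

    def write(self, name, data):
        """Allocate enough blocks for data and copy it in, block by block."""
        need = -(-len(data) // BLOCK)               # ceiling division
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.image[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.table[name] = blocks

    def unlink(self, name):
        """Ordinary delete: forget the name, return blocks to the free list.
        The bytes in those blocks are left exactly as they were."""
        self.free.extend(self.table.pop(name))

    def shred(self, name, passes=1):
        """Overwrite each of the file's blocks with random data, then unlink."""
        for b in self.table[name]:
            for _ in range(passes):
                self.image[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.unlink(name)


def scan_for_remnants(disk, signature):
    """Carve the raw image for a signature; ignores the file table entirely.
    Returns the block numbers where the signature starts."""
    hits, start = [], 0
    while True:
        i = disk.image.find(signature, start)
        if i < 0:
            return hits
        hits.append(i // BLOCK)
        start = i + 1


def demo():
    """Same payload, two deletion strategies; returns the scan hits for each."""
    payload = MARKER + b" " + b"A" * 100          # spans two toy blocks

    plain = ToyDisk()
    plain.write("module.bin", payload)
    plain.unlink("module.bin")
    after_unlink = scan_for_remnants(plain, MARKER)

    wiped = ToyDisk()
    wiped.write("module.bin", payload)
    wiped.shred("module.bin", passes=3)
    after_shred = scan_for_remnants(wiped, MARKER)

    return after_unlink, after_shred


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `([0], [])`: after a plain unlink the signature is still carved out of block 0 of the raw image, after a shred it is gone. A responder who wants to know whether a machine was ever infected is therefore relying on the first behaviour, which is exactly what an overwrite-then-delete module denies them.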
Re:SUICIDE not good enough... (Score:5, Informative)
Most certificates these days use SHA1 at the very least.
This is not an issue for Linux anyway because Linux does not use certificates for code.
Some do sign repositories, however those certificates are somewhat stronger.
Remember, MD5 has been broken and deprecated for many years.
Re:SUICIDE not good enough... (Score:5, Informative)
Journals are only so deep and, more importantly, only contain file metadata.
True, but Volume shadow copy can retain past revisions of files for a considerable length of time. So can backup applications which store copies of files offline.
Re:SUICIDE not good enough... (Score:5, Informative)
Journals are only so deep and, more importantly, only contain file metadata.
This is true for most installations, but not in general. Some journaling filesystems (including ext3 and ext4) let you write all data through the journal as well -- it guarantees data integrity as well as filesystem consistency.
Obviously, if the journal is on the filesystem device (internal journal, or external journal on another partition of the same disk (but WTF would you do that)), it costs you half your write bandwidth, which is why it's rarely used (though it can boost performance on fsync-heavy workloads, because it reduces seeking), but it can be effective with an external journal, or if the data integrity is worth the performance loss.
Re:Interesting (Score:2, Informative)
Second, since when is Pakistan not in the Middle East?
Pakistan is in South Asia. Consider, for example, their membership in the SAARC.
https://en.wikipedia.org/wiki/South_Asian_Association_for_Regional_Cooperation#Current_members
They _want_ to be considered as a Middle East, or more accurately, an Arab country. There are "scholars" in Pakistan producing academic papers "proving" that Pakistanis are descended from Arabs. Not only does this ignore the complex interplay of ethnicities present in the Indian sub-continent, it is pure political revisionism to disown their shared ancestry with Indians, so that the creation of Pakistan on religious grounds gains justification.
BTW, "Indian" subcontinent is also not a term preferred in Pakistani discourse. South Asia is more acceptable.
Re:The bigger question. (Score:2, Informative)
Heckler und Koch GmbH and Rheinmetal AG have licensed factories in Iran.
Not quite correct: there were factories in Iran producing those weapons under license, since the early 1970s. Not H&K factories. The Iranians originally paid a royalty on each item produced.
Are you also going to be indignant that Bell provided critical assistance in establishing the helicopter repair and production facility at Isfahan in the same period?
Re:SUICIDE not good enough... (Score:5, Informative)
As someone who works in the ITAD industry SSDs are causing an absolute shit-fit to put it lightly. No, it is not possible to reliably overwrite any given file on an SSD. The obfuscation layer makes it impossible to perform a true full overwrite and even harder to verify.
Sadly even formatting the whole thing is ineffective if you want to be sure that 100% of data is overwritten. SSDs have 10-30% more blocks than they let on, and the drive chooses which ones it's telling you about. If you write one day and wipe another your guess is as good as mine where the data was saved, what the software tried to overwrite, and what any effort to verify is reading. All three could be different.
Re:SUICIDE not good enough... (Score:3, Informative)
A format is not enough. You have to do an ATA Secure Erase to be really sure. But, a format or full empty space overwrite should make sure somebody will have to disassemble the drive to actually get to the data remnants. Since the visible virtualized drive part will of course remain empty, else the 'contract' of storage would be broken.
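The two comments above describe why a file-level overwrite does not reach the old data on flash, and why only a whole-device erase does. As an added illustration that is not from the thread, this toy SSD keeps a logical-to-physical page map with a spare (over-provisioned) pool: every write to a logical address lands on a fresh physical page and the previous copy is merely marked stale until the controller's garbage collection gets to it. A host-side scan only sees the current mapping (the "visible virtualized drive" stays empty), while a chip-off style scan reads every physical page. `secure_erase()` models what ATA Secure Erase asks the controller to do, namely erase all flash including the spare area. Page size, pool sizes, the `TOY-SECRET-KEY` marker and the GC policy are assumptions for this example; real controllers add compression, encryption and wear-levelling policies the model omits.

```python
"""Toy SSD with a flash translation layer: why overwrite-in-place is a fiction.

Added example, not code from the original thread. Constructed parameters:
8 logical pages, 2 spare pages, 32-byte pages, GC only when the free pool is empty.
"""
import os

PAGE = 32
MARKER = b"TOY-SECRET-KEY"  # constructed signature standing in for sensitive data


class ToySSD:
    def __init__(self, logical=8, spare=2):
        total = logical + spare
        self.logical = logical
        self.phys = [bytes(PAGE) for _ in range(total)]   # raw flash pages
        self.map = {}                                     # logical page -> physical page
        self.free = list(range(total))                    # unwritten physical pages
        self.stale = set()                                # superseded, not yet erased

    def write(self, lpa, data):
        """Host write: always goes to a fresh physical page; the old one goes stale."""
        assert 0 <= lpa < self.logical and len(data) <= PAGE
        if not self.free:
            self.garbage_collect()
        if not self.free:
            raise RuntimeError("no free flash pages")
        if lpa in self.map:
            self.stale.add(self.map[lpa])                 # old bytes left untouched
        ppa = self.free.pop(0)
        self.phys[ppa] = data.ljust(PAGE, b"\0")
        self.map[lpa] = ppa

    def read(self, lpa):
        """Host read: only the currently mapped page is visible."""
        return self.phys[self.map[lpa]] if lpa in self.map else bytes(PAGE)

    def garbage_collect(self):
        """Erase stale pages. When this runs is the controller's decision."""
        for ppa in self.stale:
            self.phys[ppa] = bytes(PAGE)
            self.free.append(ppa)
        self.stale.clear()

    def secure_erase(self):
        """Whole-device erase: every physical page, mapped, stale or spare."""
        self.phys = [bytes(PAGE) for _ in self.phys]
        self.map.clear()
        self.stale.clear()
        self.free = list(range(len(self.phys)))


def host_view_scan(ssd, signature):
    """What a wipe-verification tool running on the host can see."""
    return [lpa for lpa in range(ssd.logical) if signature in ssd.read(lpa)]


def chip_off_scan(ssd, signature):
    """What reading the raw flash chips directly can see."""
    return [ppa for ppa, page in enumerate(ssd.phys) if signature in page]


def demo():
    """Write a secret, 'overwrite' it three times, then secure-erase."""
    ssd = ToySSD()
    ssd.write(3, MARKER + b"x" * 10)
    for _ in range(3):                                    # file-level overwrite attempt
        ssd.write(3, os.urandom(PAGE))
    host_hits = host_view_scan(ssd, MARKER)              # verification tool: clean
    chip_hits = chip_off_scan(ssd, MARKER)               # raw flash: original still there
    ssd.secure_erase()
    after_erase = chip_off_scan(ssd, MARKER)
    return host_hits, chip_hits, after_erase


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `([], [0], [])`: the host-side check reports the logical page clean after three overwrite passes, the raw flash still holds the original copy on physical page 0, and only the device-wide erase removes it. Verification from the host therefore proves nothing about the spare area, which is the ITAD commenter's complaint.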
Re:SUICIDE not good enough... (Score:5, Informative)
Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3 [freecode.com]
Ubuntu bug: Bug reported 22nd September and closed the same day [launchpad.net].
Microsoft bug: attacks on MD5 widely known and carried out since 2005, [schneier.com] but Microsoft still carry on using it in Windows Update until 2012.
No one should dismiss the likelihood of rogue developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu.
Do you have any evidence that this was the action of a rogue developer? By your logic, you must no longer use a computer, as the "rogue" developer issue is one that potentially affects all software.