Flame Malware Authors Hit Self-Destruct
angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."
Re:SUICIDE not good enough... (Score:3, Insightful)
No need to wipe the files if no one knows they're there.
Re:No AutoDestruct (Score:5, Insightful)
That doesn't sound like a very effective worm. If they did it that way you could fix the infection with a pf rule.
Flame just gets more and more interesting (Score:5, Insightful)
Not only does Flame use a previously unknown MD5 chosen prefix attack [arstechnica.com], but now they are removing all traces of the software from machines under their control.
Now, since security researchers already have copies of the software, this isn't going to stop anyone from further deconstructing and analysing it. The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?
Yes, "Lucky" (Score:5, Insightful)
The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive.
Or, to make everyone else stop looking.
You know all of the installations received the same self-destruct command how again?
Re:The bigger question. (Score:4, Insightful)
Why do companies outsource their factories to China? Why did AIG and several other companies leverage themselves to several times what they were worth?
Birds gotta fly. Fish gotta swim. Pointy-haired bosses gotta sacrifice the future for a monetary bonus today.
Re:Interesting (Score:2, Insightful)
The teenage hacker in a basement was never as much of a risk compared to what started happening about 15 years ago with organized crime getting involved.
This "new" kind of malware has been dubbed (I think more accurately than most) crimeware.
And whether governments do it, or the RBN, it's still crimeware.
--
BMO
Re:The bigger question. (Score:5, Insightful)
You know what's more interesting?
Heckler und Koch GmbH and Rheinmetall AG have licensed factories in Iran. Iranian factories are cranking out G3s, MP5s, MG3s, all legally and for export. Not to mention the various Chinese/Russian small arms they manufacture (couldn't find out whether those were licensed or not).
I think that, before they ban software companies from doing business in Iran, they should maybe think about banning the firearm companies. Just a thought.
Re:SUICIDE not good enough... (Score:5, Insightful)
The more I learn about Flame the more it amazes me.
Arstechnica.com has more stories on it and how it worked through collision detection and much more. I am amazed yet worried, as I am sure malware mafia folks are using the source code with real NATO grade malware complete with forging certificates, turning zombies into proxy servers, and using the MD5 collision detection done by professional mathematicians.
Worse, Ubuntu and other operating systems can be hit by this as they use the same algorithms for the certificates. This piece of malware wasn't just done through conventional 0 day exploits but rather a very sophisticated means of forging certificates, and might have done the cyberworld much more harm.
Re:The bigger question. (Score:5, Insightful)
Because there is no legitimate reason to not do business. The relentless war mongering against fictional bogeymen is fascinating, too.
Re:Interesting (Score:5, Insightful)
Something tells me that this wasn't designed by a teenager.
There are a limited number of possible suspects. First off, not many parties have the means to create this. The consensus is that Flame is one of the largest and most advanced pieces of malware ever created (it's 20 megabytes of code), which strongly implies that it was developed by a nation with an advanced cyber-warfare capability. That list is pretty short, and would include countries like the United States, China, Russia, Israel, and North Korea.
Second, let's look at the targets. The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order. Roughly half of the infections are in Iran. So whoever created Flame is worried about the Middle East, but really, really worried about Iran. More worried about Iran than any other country. The Iran fixation suggests two possible suspects: Israel and the United States.
The focus on Iran is consistent with Flame coming from the U.S., but Flame also targets several U.S. allies, including Egypt and Saudi Arabia. The other thing is, Flame doesn't target anything outside of the Middle East. If it was produced by the U.S., you'd expect Flame to be found in other countries (North Korea and Pakistan, for example) where the U.S. has security interests. But whoever created Flame doesn't really care what happens in North Korea or Pakistan. Whoever created Flame is primarily concerned with countries that are either enemies or potential enemies of Israel: Iran, Palestine, Syria, Lebanon. That strongly suggests Israel as the culprit.
Re:The bigger question. (Score:4, Insightful)
1. Because Iran has money.
2. Because there are 70 million people in Iran, the vast majority of whom are not engaged in trying to kill Americans or Europeans.
3. Because lots of people, especially in Europe, believe that US sanctions are counter-productive, and so don't have such sanctions.
Also keep in mind there are lots of things that aren't barred from export to Iran, and lots of things are sold legally to other countries and then illegally re-exported to Iran. Most notably to Qatar and Bahrain, but other places as well.
When your covert operation has made the news... (Score:5, Insightful)
... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
Re:When your covert operation has made the news... (Score:2, Insightful)
... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
The code, sure. But there is still value in hiding what data has been stolen. Destroying the evidence rather than deleting it in a recoverable way means that if a target realises they were infected they will have to assume that everything was taken. That's much worse than knowing exactly what was taken. Consider an online store that keeps credit card details for a million users - the difference between knowing that 20 credit card details were leaked and merely knowing that you were infected could well be the difference between surviving as a company or not.
Re:In that order (Score:5, Insightful)
By the same reasoning it could have been made by Iran.
Re:SUICIDE not good enough... (Score:5, Insightful)
Right, but the assumption has always been they don't vandalize their own bots because the owners would then discover they are part of a botnet. That does not hold if the botnet owner is already dismantling the network; I don't know what motivation they have to not nuke the hosts entirely to ensure they don't leave any fingerprints.
The only thing I can think of is they may be concerned that if a large percentage of the public has their machines trashed all at the same time, Joe Sixpack of Pakistani mangoes might wake up and start taking computer security seriously, which could make future botnets harder to construct.