Flame Malware Authors Hit Self-Destruct
angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."
SUICIDE not good enough... (Score:5, Funny)
Re: (Score:3, Insightful)
No need to wipe the files if no one knows they're there.
Re:SUICIDE not good enough... (Score:5, Informative)
It overwrites with random data THEN deletes.
Makes it impossible to tell it was ever installed.
Otherwise you could scan the disk for remnants to tell if a computer was infected in the past.
Delete doesn't actually remove any data, just the filename and allocates it as free space.
Re:SUICIDE not good enough... (Score:5, Insightful)
The more I learn about Flame the more it amazes me.
Arstechnica.com has more stories on it and how it worked through collision detection and much more. I am amazed yet worried as I am sure malware mafia folks are using the source code with real NATO grade malware complete with forging certificates, turning zombies into proxy servers, and using the MD5 collision detection done by professional mathematicians.
Worse, Ubuntu and other operating systems can be hit by this as they use the same algorithms for the certificates. This piece of malware was just done through conventional 0-day exploits but rather a very sophisticated means of forging certificates and might have done the cyberworld much more harm.
Re:SUICIDE not good enough... (Score:5, Informative)
Most certificates these days use SHA1 at the very least.
This is not an issue for Linux anyway because Linux does not use certificates for code.
Some do sign repositories, however those certificates are somewhat stronger.
Remember, MD5 has been broken and deprecated for many years.
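The posts above turn on which hash a certificate was signed with. As an added example (not code from the thread or from any project it mentions), here is a minimal DER walker that pulls the signatureAlgorithm OID out of an X.509 certificate and flags MD5 and SHA-1 signatures. It assumes only the outer RFC 5280 layout (Certificate = SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }); the two sample certificates at the bottom are constructed skeletons, not real certificates, and the helper names are my own.

```python
"""Added example (not from the thread): read the signatureAlgorithm OID from a DER
X.509 certificate with a minimal TLV walker and flag MD5/SHA-1 signatures.
Assumed layout (RFC 5280):
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
"""

# PKCS #1 signature algorithm OIDs and how a defender should treat them.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:  # short-form length
        length = first
        start = pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]  # first octet packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit set means "more"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID of the algorithm the certificate was signed with."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)  # skip tbsCertificate entirely
    tag, alg, _ = read_tlv(cert, pos)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(oid_body)


def classify_signature(der):
    """(algorithm name, status) for a DER certificate; unknown OIDs are passed through."""
    oid = signature_algorithm_oid(der)
    return SIG_OIDS.get(oid, (oid, "unknown"))


# --- constructed sample input (skeleton certificates, not real ones) ----------
def _tlv(tag, body):
    """Short-form DER encoder, enough for the tiny skeletons below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _skeleton_cert(oid_octets):
    """Empty tbsCertificate, AlgorithmIdentifier {OID, NULL}, empty BIT STRING."""
    alg = _tlv(0x30, _tlv(0x06, oid_octets) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00"))


MD5_CERT = _skeleton_cert(bytes.fromhex("2a864886f70d010104"))     # 1.2.840.113549.1.1.4
SHA256_CERT = _skeleton_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for label, cert in (("md5", MD5_CERT), ("sha256", SHA256_CERT)):
        print(label, classify_signature(cert))
```

For a real certificate, feed `classify_signature` the bytes of a `.der` file, or convert PEM first with the standard library's `ssl.PEM_cert_to_DER_cert`; the walker never looks inside tbsCertificate, so it does not care about extensions or key types.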
Re:SUICIDE not good enough... (Score:5, Interesting)
Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3 [freecode.com]
No one should dismiss the likelihood of rogue developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu. This news also appeared on Slashdot, but it's mysteriously disappeared since then (this is where I originally heard about it).
Re:SUICIDE not good enough... (Score:5, Informative)
Except when stuff like this comes out: http://freecode.com/articles/ubuntu-new-apt-packages-fix-security-vulnerabilities-3 [freecode.com]
Ubuntu bug: Bug reported 22nd September and closed the same day [launchpad.net].
Microsoft bug: attacks on MD5 widely known and carried out since 2005, [schneier.com] but Microsoft still carry on using it in Windows Update until 2012.
No one should dismiss the likelihood of rogue developers submitting changes to key components of popular distros like Ubuntu to exploit. Combined with a MITM attack, your Ubuntu system is owned. This is one reason I no longer use Ubuntu.
Do you have any evidence that this was the action of a rogue developer? By your logic, you must no longer use a computer, as the "rogue" developer issue is one that potentially affects all software.
Re:SUICIDE not good enough... (Score:5, Interesting)
The more I learn about Flame the more it amazes me.
The more I learn about the whole cyberwar program [nytimes.com] the more I am impressed.
Re: (Score:2)
Many file systems will allocate new blocks when overwriting data. Not sure what Windows does. There is also the problem of scrubbing old versions of the files whenever updates are received.
Re:SUICIDE not good enough... (Score:5, Insightful)
Right but the assumption has always been they don't vandalize their own bots because the owners would then discover they are part of a bot net. That does not hold if the bot net owner is already dismantling the network, I don't know what motivation they have to not nuke the hosts entirely to ensure they don't leave any fingerprints.
The only thing I can think of is they may be concerned that if a large percentage of the public has their machines trashed all at the same time Joe Sixpack of Pakistani mangoes might wake up and start taking computer security seriously. Which could make future bot nets harder to construct.
Re:SUICIDE not good enough... (Score:5, Informative)
As someone who works in the ITAD industry SSDs are causing an absolute shit-fit to put it lightly. No, it is not possible to reliably overwrite any given file on an SSD. The obfuscation layer makes it impossible to perform a true full overwrite and even harder to verify.
Sadly even formatting the whole thing is ineffective if you want to be sure that 100% of data is overwritten. SSDs have 10-30% more blocks than they let on, and the drive chooses which ones it's telling you about. If you write one day and wipe another your guess is as good as mine where the data was saved, what the software tried to overwrite, and what any effort to verify is reading. All three could be different.
Re: (Score:3)
Modern hard drives can do similar things though the probability is lower because they only do it as a fault recovery mechanism rather than as part of normal operation.
Some drives (both HDD and SSD) have a built in secure erase function but you have to trust the drive manufacturer to have implemented it right.
Bottom line if you have a modern storage device (whether solid state or spinning rust) and need to be absolutely sure the data won't fall into enemy hands your only option is to reduce it to dust.
Re: (Score:3, Informative)
A format is not enough. You have to do an ATA Secure Erase to be really sure. But, a format or full empty space overwrite should make sure somebody will have to disassemble the drive to actually get to the data remnants. Since the visible virtualized drive part will of course remain empty, else the 'contract' of storage would be broken.
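Three points in this thread (delete only frees the name and leaves the blocks behind; an SSD's translation layer redirects overwrites to spare pages the host never sees; only a device-level erase reaches all of them) can be shown with one toy model. This is an added example, not code from the thread or from any drive vendor: `ToySSD` is a deliberately simplified flash translation layer I made up for illustration (no garbage collection, no wear levelling, 50% spare pages so the effect is easy to see), and `physical_hits` stands in for reading the raw flash with the controller bypassed.

```python
"""Added example (not from the thread): a toy flash-translation-layer model showing
why 'delete' and even 'overwrite in place' leave recoverable copies on an SSD,
while a device-level erase does not. Everything here is a simplification assumed
for illustration, not the behaviour of any real drive's firmware."""

PAGE_SIZE = 16        # bytes per page in the toy device
LOGICAL_PAGES = 4     # pages the host is allowed to address
PHYSICAL_PAGES = 6    # spare pages the host never sees (real drives: ~10-30%)
ERASED = b"\xff" * PAGE_SIZE   # erased NAND reads as all ones


class ToySSD:
    def __init__(self):
        self.flash = [ERASED] * PHYSICAL_PAGES    # physical pages
        self.l2p = {}                             # logical page -> physical page
        self.free = list(range(PHYSICAL_PAGES))   # erased pages, allocation order

    def write(self, lpn, data):
        """Host write. NAND pages cannot be rewritten in place, so the FTL takes
        a fresh erased page and only remaps the logical address; the previous
        physical page keeps its contents until garbage collection erases it
        (which this toy model never runs)."""
        if lpn not in range(LOGICAL_PAGES):
            raise ValueError("logical page out of range")
        if not self.free:
            raise RuntimeError("no erased pages left (a real FTL would GC here)")
        ppn = self.free.pop(0)
        self.flash[ppn] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        self.l2p[lpn] = ppn
        return ppn

    def read(self, lpn):
        """What the host sees through the drive's storage 'contract'."""
        return self.flash[self.l2p[lpn]] if lpn in self.l2p else ERASED

    def unmap(self, lpn):
        """Delete/TRIM: drop the mapping only; the physical page is untouched."""
        self.l2p.pop(lpn, None)

    def secure_erase(self):
        """Device-level erase of every physical page, mapped or not."""
        self.flash = [ERASED] * PHYSICAL_PAGES
        self.l2p = {}
        self.free = list(range(PHYSICAL_PAGES))

    def physical_hits(self, needle):
        """Forensic view with the controller bypassed (chip-off or vendor debug
        access): indices of physical pages that still contain the pattern."""
        return [i for i, page in enumerate(self.flash) if needle in page]


def demo():
    """For delete, overwrite and secure erase in turn, return
    (host sees the page as gone?, physical pages that still hold the secret)."""
    ssd = ToySSD()
    secret = b"SECRET-PAYLOAD-1"                 # constructed 16-byte marker

    ssd.write(0, secret)
    ssd.unmap(0)                                 # plain delete
    after_delete = (ssd.read(0) == ERASED, ssd.physical_hits(b"SECRET"))

    ssd.write(0, secret)                         # write it again
    ssd.write(0, b"\x00" * PAGE_SIZE)            # "wipe" by overwriting logical page 0
    after_overwrite = (ssd.read(0) == b"\x00" * PAGE_SIZE, ssd.physical_hits(b"SECRET"))

    ssd.secure_erase()                           # device-level erase
    after_erase = (ssd.read(0) == ERASED, ssd.physical_hits(b"SECRET"))
    return after_delete, after_overwrite, after_erase


if __name__ == "__main__":
    for label, (host_gone, raw_pages) in zip(("delete", "overwrite", "secure erase"), demo()):
        print(f"{label:13s} host sees it gone: {host_gone!s:5s} raw pages still holding it: {raw_pages}")
```

Run it and the host-facing view reports the data gone after all three steps, while the raw view still finds the marker in one physical page after the delete and in two after the overwrite (the original copy plus the re-written one, with the zeros landing in a third page). Only `secure_erase` clears the raw view, which is the thread's point about ATA Secure Erase versus format or overwrite.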
Re:SUICIDE not good enough... (Score:5, Interesting)
But, a format or full empty space overwrite should make sure somebody will have to disassemble the drive to actually get to the data remnants
That is almost certainly false. The vendor almost certainly has commands to let them retrieve the full data from the drive over the bus.
Re:SSD file deletion and overwriting (Score:4, Interesting)
"They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker."
Re:SUICIDE not good enough... (Score:5, Interesting)
Journals are only so deep and, more importantly, only contain file metadata. You might, sometimes, be able to use them to determine that a file used to exist on a computer, but not what its contents were.
Re:SUICIDE not good enough... (Score:5, Informative)
Journals are only so deep and, more importantly, only contain file metadata.
True, but Volume Shadow Copy can retain past revisions of files for a considerable length of time. So can backup applications which store copies of files offline.
Re: (Score:2)
Sure, so can copy-on-write filesystems and lots of other mechanisms.
Re:SUICIDE not good enough... (Score:5, Informative)
Journals are only so deep and, more importantly, only contain file metadata.
This is true for most installations, but not in general. Some journaling filesystems (including ext3 and ext4) let you write all data through the journal as well -- it guarantees data integrity as well as filesystem consistency.
Obviously, if the journal is on the filesystem device (internal journal, or external journal on another partition of the same disk (but WTF would you do that)), it costs you half your write bandwidth, which is why it's rarely used (though it can boost performance on fsync-heavy workloads, because it reduces seeking), but it can be effective with an external journal, or if the data integrity is worth the performance loss.
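Whether a journal can hold file contents depends on the mount option this post describes (`data=journal` on ext3/ext4, versus the default `ordered` or `writeback`, which journal metadata only). As an added example, not from the thread, here is a small check that reads `/proc/mounts`-style text and reports the journaling mode of each ext3/ext4 mount, so an investigator knows up front whether deleted file contents may survive in the journal. The sample mount lines are constructed; the field layout and option names are the kernel's own, and the function names are mine.

```python
"""Added example (not from the thread): report the data journaling mode of each
ext3/ext4 mount from /proc/mounts-style text. Sample input is constructed; the
parser works unchanged on the real /proc/mounts."""

EXT_JOURNALED = {"ext3", "ext4"}


def journal_modes(mounts_text):
    """Map each ext3/ext4 mountpoint to its data= mode.
    /proc/mounts fields: device mountpoint fstype options dump pass.
    The kernel lists data= only when it differs from the default, so a
    missing option is reported as 'ordered' (metadata-only journaling)."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in EXT_JOURNALED:
            continue
        mode = "ordered"
        for opt in fields[3].split(","):
            if opt.startswith("data="):
                mode = opt[len("data="):]
        result[fields[1]] = mode
    return result


def journaled_data_mounts(mounts_text):
    """Mountpoints whose journal carries file contents, not just metadata."""
    return sorted(mp for mp, mode in journal_modes(mounts_text).items()
                  if mode == "journal")


# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /var ext4 rw,relatime,data=journal 0 0
/dev/sdb1 /data ext3 rw,noatime,data=writeback 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    for mountpoint, mode in journal_modes(SAMPLE_MOUNTS).items():
        print(f"{mountpoint:8s} data={mode}")
    print("journal may contain file contents:", journaled_data_mounts(SAMPLE_MOUNTS))
```

On a live system pass `open("/proc/mounts").read()` instead of `SAMPLE_MOUNTS`. As the post says, `data=journal` is rare on an internal journal because of the write-bandwidth cost, so finding it listed is worth noting in an investigation; it also means the journal device (internal or external) should be imaged along with the filesystem.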
Interesting (Score:5, Interesting)
Re: (Score:2, Insightful)
The teenage hacker in a basement was never as much of a risk compared to what started happening about 15 years ago with organized crime getting involved.
This "new" kind of malware has been dubbed (I think more accurately than most) crimeware.
And whether governments do it, or the RBN, it's still crimeware.
--
BMO
Re: (Score:3)
This "new" kind of malware has been dubbed (I think more accurately than most) crimeware
I think Mobware is a more accurate description
"Crime" can be mere petty crime
But "Mob" is a total different animal altogether
Re: (Score:3)
How about "WarioWare"?
Re:Goverment Crimeware? (Score:4)
It's an illegal activity, whether done by governments or by the mob.
So if the government murders (we call it war) or kidnaps (we call it arrest), is it also illegal? I understand and sympathize with a lot of the "fuck da man" libertarianism around here, but nobody's ever seriously argued that the government shouldn't have more power to affect a person than the average person. The trade-off is all the accountability they're supposed to have. We don't let your neighbor tie you up and lock you in his house, but we let the police - if they can justify it.
Re:Interesting (Score:5, Insightful)
Something tells me that this wasn't designed by a teenager.
There are a limited number of possible suspects. First off, not many parties have the means to create this. The consensus is that Flame is one of the largest and most advanced pieces of malware ever created- it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability. That list is pretty short, and would include countries like the United States, China, Russia, Israel, and North Korea.
Second, let's look at the targets. The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order. Roughly half of the infections are in Iran. So whoever created Flame is worried about the Middle East, but really, really worried about Iran. More worried about Iran than any other country. The Iran fixation suggests two possible suspects- Israel and the United States.
The focus on Iran is consistent with Flame coming from the U.S., but Flame also targets several U.S. allies, including Egypt and Saudi Arabia. The other thing is, Flame doesn't target anything outside of the Middle East. If it was produced by the U.S., you'd expect Flame to be found in other countries- North Korea and Pakistan, for example- where the U.S. has security interests. But whoever created Flame doesn't really care what happens in North Korea or Pakistan. Whoever created Flame is primarily concerned with countries that are either enemies or potential enemies of Israel- Iran, Palestine, Syria, Lebanon. That strongly suggests Israel as the culprit.
Re:In that order (Score:2)
"The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order."
Why would Israel create malware that hits themselves second? So they can play innocent?
Re:In that order (Score:5, Insightful)
By the same reasoning it could have been made by Iran..
Re:Interesting (Score:5, Insightful)
Re: (Score:3)
You need SEVERAL smart people and A LOT OF time. If they only work weekends for free, on something this massive and complex, your project will be finished in 15 years and be already obsolete.
You have seriously underestimated the productivity of really really smart programmers
It has been estimated that a very talented programmer is more effective than the output of 300 garden variety code monkeys combined
And in my time I've on several occasions had the privilege to work with some of the top brains of the programming field, and I can tell you that it has been such a blessing
Re: (Score:3)
also the 20mbyte claim is misleading, since it includes runtimes so that they could get away with coding less native code and more scripting..
Re:Interesting (Score:5, Interesting)
it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability.
The thing weighing in at 20 megs is not an achievement, rather it's an embarrassment showing total lack of craft. Much of the code in this thing is not the malware itself either, it's interpreters and support libraries to run it, and much of open source and otherwise stuff that serves other purposes. It's not an efficiently built thing at all.
The only achievement here if there is one is somebody managed to deliver a payload that large, so often undetected and reliably. I agree it looks state sponsored to me, only government contractors could create a turd this large and still polish it enough that it mostly worked.
Re: (Score:2, Informative)
Second, since when is Pakistan not in the Middle East?
Pakistan is in South Asia. Consider, for example, their membership in the SAARC.
https://en.wikipedia.org/wiki/South_Asian_Association_for_Regional_Cooperation#Current_members
They _want_ to be considered as a Middle East, or more accurately, an Arab country. There are "scholars" in Pakistan producing academic papers "proving" that Pakistanis are descended from Arabs. Not only does this ignore the complex interplay of ethnicities present in the Indian sub-continent, it is pure political revisionism to disown
Re: (Score:3, Funny)
Second, since when is Pakistan not in the Middle East?
Pakistan has never been in the Middle East.
Re: (Score:3)
Something tells me that this wasn't designed by a teenager.
Arguably, yes it was. According to the NYT, it was designed under George Bush. [nytimes.com]
That's not what the article says. It says Olympic Games began under George Bush's administration. The article doesn't say who developed Flame, only that forensic analysis is underway.
That explains it. (Score:5, Funny)
My mother was wondering why her computer suddenly was working so much better.
Thanks dudes!
Re: (Score:2)
Of course the performance bump had nothing at all to do with you removing all your TrueCrypted porn and finally freeing up more than 1% of the drive....
No AutoDestruct (Score:5, Interesting)
Re:No AutoDestruct (Score:5, Insightful)
That doesn't sound like a very effective worm. If they did it that way you could fix the infection with a pf rule.
Re: (Score:2)
This is why most organizations should treat the Internet the same way they treat firewalls: block everything then whitelist only what's actually needed for employees to do their work.
Re: (Score:2)
Is that really feasible? You'd have to whitelist DNS queries, every single email address (good luck if you need to contact customers), etc.
For example, Google Docs can be pretty useful, right? But allowing it gives an attack a full proxy: http://hackaday.com/2012/01/31/using-google-documents-as-a-web-proxy/ [hackaday.com]
Re: (Score:2)
From those comments, one more: do you allow www.google.com? One more proxy! http://www.google.com/gwt/n [google.com]
Re: (Score:2)
Heh. A virus dead man's switch.
Re:No AutoDestruct (Score:5, Interesting)
If this is a real professional job I would not be surprised if it leaves some backdoors opened for another different piece of malware. It wouldn't surprise me if Cisco router rootkits exist. After all evidence points in China they are doing just this, as they did with Nortel routers with a backdoor.
Re:No AutoDestruct (Score:5, Interesting)
The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable, anyways, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminate the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.
A secondary implication is that Flame has fulfilled its purpose. Again, what that is, no one is exactly sure (espionage, certainly, but you don't create something this advanced without some specific target in mind) and wasn't worth maintaining anymore.
Re: (Score:3)
Alternatively, the fact that it was discovered may mean the current deployment was aborted and there will be (or already is) a new version of Flame to replace the old one.
Re: (Score:2)
The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable, anyways, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminate the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.
A secondary implication is that Flame has fulfilled its purpose. Again, what that is, no one is exactly sure (espionage, certainly, but you don't create something this advanced without some specific target in mind) and wasn't worth maintaining anymore.
It's probably. I think the main reason however is, that a large portion of people who have been infected don't know it yet, and the people in charge prefer to keep it that way.
Re: (Score:2)
In hindsight, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained.
Well, there's always version 2.0 after all. Maybe we'll see that feature, among many others I'm sure, in the next version. Somehow I doubt that we've seen the last of Flame or the people who created it [wikia.com].
Re: (Score:2)
If it's intended to run on not networked control systems (say the ones being used in hardened bunkers to make nuclear weapons components) that wouldn't help you a lot.
Those computers probably start network connected to get setup, and are then disconnected for work, precisely the time you want your malware to do its thing. They circumvent the hooks into Windows Update knowing that they'll all have Windows updates run on them before they get pulled off.
Re: (Score:2)
Perhaps a military private network is compromised when someone attaches a compromised laptop to it. Perhaps information is then snuck out or instructions fed in on subsequent occasions that such a laptop is connected, sneaker-n
Re: (Score:2)
There are also images of Flame components on a lot of the backups of every significant system that was infected. An unrelated malware that simply crashed computers in a way that forced reloads from backups would not be difficult to construct, and could possibly assure that Flame components would again be in active residence on the networks.
Flame may very well be capable of becoming undead. To assure that this could not happen, it may be necessary to destroy all backups since the days before Flame.
A relate
Re:No AutoDestruct (Score:5, Interesting)
Imagine if everything had gone according to plan. They've gotten all the data they need, and have not been detected. They issue a self-destruct order, and bam. Nobody will ever know they were even there.
Now, as for why they're doing it now, there's another reason. I imagine the target has figured out they're infected. But maybe they don't know every computer that was infected. And if the virus has self-destructed, they may never know for sure which machines were hit. Even if they actually *did* ID every machine, the fact that the creators did this may make them think they missed some.
Re: (Score:3)
If the blackhats can wipe all active instances of Flame in such a way that no one can tell it was ever there, AND they can do so before Flame is fully analyzed, then they only need to wait until some critical computers have to be restored from backups, where some backups are assuredly dirty with Flame. This way Flame has a better chance of coming back as undead malware.
I rather suspect that whoever constructed Flame is also capable of arranging things so that certain computers will need to be restored from
Re: (Score:3)
They're shutting down now because they have the data they need and they're erasing now to try to prevent the target from knowing they have been compromised.
The bigger question. (Score:5, Interesting)
I have a hunch money's involved...
Re:The bigger question. (Score:4, Insightful)
Why do companies outsource their factories to China? Why did AIG and several other companies leverage themselves to several times what they were worth?
Birds gotta fly. Fish gotta swim. Pointy-haired bosses gotta sacrifice the future for a monetary bonus today.
Re: (Score:2)
It's a lot more understandable when you remember that it's someone else's future being sacrificed.
Re: (Score:2)
FTFY
Re: (Score:2)
Why do companies outsource their factories to China?
Because it's beneficial for them and for poor Chinese people, not to mention to us who get cheaper stuff? Why shouldn't they outsource to China?
Re:The bigger question. (Score:5, Insightful)
You know what's more interesting?
Heckler und Koch GmbH and Rheinmetal AG have licensed factories in Iran. Iranian factories are cranking out G3s, MP5s, MG3s, all legally and for export. Not to mention the various Chinese/Russian small arms they manufacture (couldn't find out whether those were licensed or not).
I think that, before they ban software companies from doing business in Iran, they should maybe think about banning the firearm companies. Just a thought.
Re: (Score:2)
I'm not criticizing anyone. Just thought it was odd, considering all the blanket sanctions that actually do ban software companies, and anyone else for that matter from working in the country.
Re: (Score:3)
Nice catch.
I recall reading some thirty years back that the last parties to lose money in a depression are cosmetics and booze; by examination and extrapolation they seem to do pretty well in good times as well.
Arms merchants transcend that - there's always people wanting to mess over others, and other people wanting to defend themselves. I expect that given net and scope of profit and the realpolitik of weaponry, it's a no-lose proposition. Guns and bullets have no morals, nor, essentially, do their make
Re: (Score:2)
Nobody ever went broke selling weapons. My cousin went into weapons, now he owns his own moon. Me? I opened a bar in the back end of Space.
- Quark
Or something like that.
Also:
Rule of Acquisition #34: war is good for business.
Why does nobody go to war with Switzerland?
Because Switzerland is the home of the largest banks in the world, and the largest weapons manufacturers in the world. They supply money and arms to everybody. One man's money is as good as another's, be he Western despot or Eastern hero
Re: (Score:2, Informative)
Heckler und Koch GmbH and Rheinmetal AG have licensed factories in Iran.
Not quite correct: there were factories in Iran producing those weapons under license, since the early 1970s. Not H&K factories. The Iranians originally paid a royalty on each item produced.
Are you also going to be indignant that Bell provided critical assistance in establishing the helicopter repair and production facility at Isfahan in the same period?
Re:The bigger question. (Score:5, Insightful)
Because there is no legitimate reason to not do business. The relentless war mongering against fictional bogeymen is fascinating, too.
Re:The bigger question. (Score:4, Insightful)
1. Because iran has money.
2. Because there are 70 million people in Iran, the vast majority of whom are not engaged in trying to kill americans or europeans.
3. Because lots of people, especially in europe, believe that US sanctions are counter productive, and so don't have such sanctions.
Also keep in mind there are lots of things that aren't barred from export to Iran, and lots of things are sold legally to other countries and then illegally re-exported to Iran. Most notably to qatar and bahrain, but other places as well.
Re: (Score:3)
why are European and American software companies doing business with Iran in the first place?
Why not? How is it significantly different from Russia, or China, or Vietnam, or Saudi Arabia?
Re: (Score:2)
... or Israel?
Flame just gets more and more interesting (Score:5, Insightful)
Not only does Flame use a previously unknown MD5 chosen prefix attack [arstechnica.com], but now they are removing all traces of the software from machines under their control.
Now, since security researchers already have copies of the software this isn't going to stop anyone further deconstructing and analysing it. The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?
Yes, "Lucky" (Score:5, Insightful)
The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive.
Or, to make everyone else stop looking.
You know all of the installations received the same self-destruct command how again?
The Other (Score:5, Funny)
maybe it self destructs when it can't find a LAN connection?
Works for Diablo 3...
That's it, I'm officially convinced (Score:5, Funny)
The people who wrote Flame are the same fine ladies and gentlemen who have brought us CleanMyPC.com. Apparently their accountant is on vacation or something, because removing malware is generally a service that they charge for.
Re: (Score:3, Interesting)
Dude the more you spam for it the higher the Google page ranking it gets. Out of curiosity I did a google search for malware and cleanPC was 4 out of the 5 links listed. Good god talk about SEO to the extreme
Red Mercury next? (Score:2)
Oh oh..... can I name the next one? Let's call it "Red Mercury", and it should be taking out a reactor in 5, 4, 3, 2
Re: (Score:2)
Material Defender.
Descent.
When your covert operation has made the news... (Score:5, Insightful)
... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
Re: (Score:2, Insightful)
... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
The code, sure. But there is still value in hiding what data has been stolen. Destroying the evidence rather than deleting it in a recoverable way means that if a target realises they were infected they will have to assume that everything was taken. That's much worse than knowing exactly what was taken. Consider online store that keeps credit card details for a million users - the difference between knowing that 20 credit card details were leaked and merely knowing that you were infected could well be the d
Re: (Score:3)
Sure, but who says the point was trying to avoid being discovered
To me it sounds more like a method to avoid being detected where it hadn't been yet. Let's say the biggest bad ass in the neighborhood just got to know about Flame. As others have pointed out, unless he backed up his computer, he will never be able to find out if he was infected. For whomever built this, I'd say this is very valuable.
Best reason to hide this is 'Intelligence'. (Score:5, Interesting)
As in those who were infected that lost important data can no longer know (for a surety) that their important data kept on their computer/server was compromised or not.
"So our top-sekret 'eyes-only' data may or may not be compromised and they may know everything. But we don't know if they actually know anything about everything. So we can't trust anything that we've stored on a computer in the last year."
Talk about your security nightmare situation for an Intelligence Agency of some acronym.
Coincidentally (Score:3)
Download rate for MyCleanPC is up in Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
Re:Nice try (Score:5, Informative)
Re: (Score:2)
He wasn't implying it had anything to do with someone doing anything to their own machine. He was implying that Flame is a government intelligence tool and someone came up with a better way of making sure that's never proven.
Re: (Score:2)
Bleh, sorry. The way the thread was set up it looked like your reply was to someone else.
Re: (Score:2)
it will be, but the TLAs will deny deny deny.
Re:Nice try (Score:5, Interesting)
Does it close the doors on the way out and patch the various exploits it used to get in to the system in the first place, or does it just leave the system ripe for future re-exploitation by the same or similar tools?
In other news, over in Oz - the man who was behind the curtain is not only unimportant, but not there now, so please stop looking.
Re: (Score:3)
Which is why it's sound engineering for a computer to have a BIOS loader burned into a ROM chip that can reflash the BIOS.