
Flame Malware Makers Send 'Suicide' Code - ytNumbers
http://www.bbc.com/news/technology-18365844
======
haberman
As someone who doesn't keep up with the crypto/security communities, one thing
that has surprised me is how the cutting-edge news on this Flame story has
been coming from antivirus vendors like Kaspersky Lab and Symantec. General
sentiment seems to be that AV vendors are low-tech operations that don't have
the best people when it comes to security. Other comments even on this very
thread reflect this sentiment "timaelliott: Symantec is just jealous these
guys can remove viruses from a machine so damn efficiently." Do these guys
deserve more respect than we give them?

~~~
lawnchair_larry
Firstly, there is nothing at all special or interesting about how flame
removes itself. It deletes a list of files that the author knows they created.

Secondly, you have to remember that these companies employ many free-thinking
humans with varied jobs and abilities. Among those are some skilled analysts
who simply take apart viruses for a paycheck. A lot of AV companies have at
least a few people who are best of breed at this stuff. They post writeups and
share the work of what is interesting. Marketing is generally not involved in
the technical blog posts that you see.

~~~
iuguy
> Firstly, there is nothing at all special or interesting about how flame
> removes itself.

Actually I'd disagree. The interesting thing for me is that it overwrites
memory locations to thwart memory forensics. This isn't a common thing at all,
but is something that I covered in a talk at a DC4420 meeting a year or two
ago.
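The memory-overwrite step mentioned above, as an added example that is not Flame code and not from the BBC article: a defender wiping a secret-bearing buffer before releasing it, with the pitfall that makes the naive version useless. A plain `memset()` followed by `free()` is a dead store the compiler may delete, so the data stays in RAM for a memory-forensics tool to find; writing through a `volatile` pointer forces the stores. The function names (`secure_fill`, `wipe_buffer`, `wipe_demo`), the two-pass pattern and the xorshift32 filler standing in for secret data are all this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Overwrite n bytes at p with the byte v through a volatile pointer.
 * A plain memset() followed by free() is a dead store the compiler may
 * delete, leaving the data intact for memory forensics. */
static void secure_fill(void *p, size_t n, unsigned char v) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = v;
    }
}

/* Two-pass wipe: first a fixed "gibberish" pattern, then zeros. The two
 * passes are this example's choice; one volatile pass already defeats
 * dead-store elimination, which is the point that matters for RAM. */
void wipe_buffer(void *p, size_t n) {
    secure_fill(p, n, 0xA5);
    secure_fill(p, n, 0x00);
}

/* Number of bytes in buf that are not zero. */
size_t nonzero_bytes(const unsigned char *buf, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != 0) {
            count++;
        }
    }
    return count;
}

/* Fill buf with an xorshift32 stream standing in for secret-derived data
 * (constructed input, not real key material). Returns the nonzero count. */
size_t fill_pseudo_secret(unsigned char *buf, size_t n, uint32_t seed) {
    uint32_t x = seed ? seed : 0x9E3779B9u;
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13;
        x ^= x >> 17;
        x ^= x << 5;
        buf[i] = (unsigned char)(x & 0xFFu);
    }
    return nonzero_bytes(buf, n);
}

/* End-to-end check: allocate, fill, wipe, count what survives.
 * Returns the number of nonzero bytes left after the wipe (0 on success),
 * or (size_t)-1 if allocation or the fill step failed. */
size_t wipe_demo(size_t n, uint32_t seed) {
    unsigned char *buf = malloc(n);
    if (buf == NULL) {
        return (size_t)-1;
    }
    if (fill_pseudo_secret(buf, n, seed) == 0) {
        free(buf);
        return (size_t)-1;
    }
    wipe_buffer(buf, n);
    size_t left = nonzero_bytes(buf, n);
    free(buf);
    return left;
}

int main(void) {
    printf("bytes left after wipe: %zu\n", wipe_demo(256, 12345u));
    return 0;
}
```

Build with `-O2` to see why the volatile write matters: replace `secure_fill` with a bare `memset()` and inspect the generated code, and the store before `free()` is typically gone. Note this only addresses live process memory; pages already swapped to disk or copied by a crash dump are outside what an in-process wipe can reach.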

------
bobsy
Flame sounds awesome. I am always fascinated by clever bits of kit like this.

I read a piece about conficker a while ago. I thought it was super cool that
it patched the security vulnerability on infected computers to protect itself.
It's just really clever. Now you have Flame which has done what it has done and
is now trying to kill itself to make it look like it never existed.

Obviously though it is also deeply concerning. States are investing more and
more into cyber warfare. If anything more money needs to be spent hardening
computer networks and systems to protect from exactly these kind of threats.

~~~
Pewpewarrows
Self-destruct codes and patching up the hole you came in through are both
pretty par for the course when it comes to non-trivial malware.

~~~
adgar
It's par for the course, but it's still a spectacle to see a malware so
big/important/advanced self-destruct in front of our eyes, in the news.

------
fl3tch
> The command located every Flame file sitting on a PC, removed it and then
> overwrote memory locations with gibberish to thwart forensic examination.

I'd like to know how many writes it did since this would finally settle the
issue of whether FBI / NSA can read erased data. If one write is good enough
for them, you know they can't recover anything with one write either.

~~~
tjohns
Researchers already have samples of Flame saved. Nobody needs to do forensic
analysis to try and recover deleted files here.

In all likelihood, all the Flame authors are trying to do is prevent computer
owners from casually detecting that they were infected, now that Flame is
public knowledge.

~~~
robocat
Presumably it is purging machine specific (targeted) configuration, code
updates, and spooled data too, i.e. not just the virus code.

Knowing specifically what the virus was looking for, which machines were
infected, and what data was snarfed is of critical importance to the targets.

Purging makes the target's job of forensics much much harder.

Edit: flame code is not monolithic - forensics would be very interested in
getting code for all modules: "Later, the operators can choose to upload
further modules, which expand Flame’s functionality. There are about 20
modules in total and the purpose of most of them is still being investigated."
-
[http://www.richardsilverstein.com/tikun_olam/2012/05/28/flam...](http://www.richardsilverstein.com/tikun_olam/2012/05/28/flame-israels-new-contribution-to-middle-east-cyberwar/)

------
hartleybrody
Not sure I follow the logic of

"The design of this new variant required world-class cryptanalysis"

to

"The finding gives support to claims that Flame must have been built by a
nation state rather than cybercriminals."

Doesn't that assume world-class cryptographers only work for governments? Are
there other reasons people are assuming this was state-sponsored?

~~~
ajays
It depends on what the malware is designed to do. Cui bono, as they say.

If the malware is designed to grab bank passwords or steal money, then you can
assume there's a criminal enterprise behind it.

But if the malware is specifically targeting certain "problem" countries; and
stealing documents and other things of non-monetary value, then it's very
likely that there's a government behind it. Which criminal mastermind will
say, "tomorrow, I'll steal Word documents of all Syrians" ? What will he do
with them anyways? Given the abundance of low-hanging fruit, why would a
criminal jump through all these hoops?

~~~
eigenvector
> What will he do with them anyways?

He'll sell them to a state actor. Even if something is non-monetary, if
someone with money wants it, it can be monetized.

~~~
kamjam
If you're gonna go to that amount of trouble then why not steal everything,
including CC numbers and why not target everyone, not just specific states?

------
joshuahedlund
> _Flame targeted countries such as Iran and Israel and sought to steal large
> amounts of sensitive data._

I had heard that Flame targeted Iran, which was one of the reasons people
suspected US and/or Israel. This says Israel was targeted. Am I
misinterpreting something here? If other evidence supposedly points to a
nation-state, what nation-state dislikes both Iran and Israel? Something's not
adding up.

Edit: Thanks. "Spy on friends" or "Spy on yourself to deflect attention" seem
as viable as any other theories out there, if not more.

~~~
Spooky23
"Liking" a nation does not preclude other nations from spying on them. I'm
sure the US and Israel spy on each other.

~~~
kamjam
I'm sure the US spies on pretty much everyone, friend or foe... and it's
probably the same the other way round too!

~~~
daniel_solano
Sure. It's also a great way to get around domestic wiretapping laws. Assuming
you can cooperate well enough with a foreign power, you can have a "I'll show
you yours if you show me mine." sort of situation.

~~~
Volscio
The US has some very close allies for sharing intel, and it'd be a massive
incident if it got out that such allied countries were spying on each other.
It happens to some degree, but if stuff gets out, the White House & State can
make heads roll, so you'd only see pretty routine spycraft occur between
allies (counter-intel, rumor mill, feelers).

~~~
kamjam
The trick is not to get caught... and if you do get caught, then blame it on
the Chinese/Russians/flavour-of-the-month :D

In all seriousness, the spying may not be as hardcore or blatant(!) as say
US/China or US/Russia but they are not looking for the same kind of intel
between US/UK. I would be very very surprised if there was not some intel
gathering at some level.

------
eli
At first I thought, why bother. But of course you would want to try to leave
your target with no immediate way to determine which machines had been hit.
Wonder why they didn't do it sooner. Perhaps they were worried about losing
control if too many c&c servers were taken out.

------
timaelliott
Symantec is just jealous these guys can remove viruses from a machine so damn
efficiently.

~~~
philbarr
Yeah, it's much harder to fully remove, say, Norton Antivirus from your
computer.

~~~
X-Istence
I've been nuking my computers from orbit, has anyone found an alternate that
works better?

------
fibertbh
Since a nation state is supposedly behind this, wouldn't they have secured
their command & control hosts better?

~~~
ajross
Surely they're not actually maintaining those hosts themselves (imagine the
embarrassment of doing an RDNS lookup and getting "flame-cc1.nsa.gov"). They are
almost certainly compromised machines owned by someone else, which makes
"securing" them in the classic sense pretty much impossible.

~~~
Splines
How far down the rabbit hole would you have to go before you find a connection
from a .gov machine?

Or do nation-state malware programmers maintain a strict no-contact policy to
keep the government's hands clean?

I suppose we'll never know the answer.

~~~
ceejayoz
I'd imagine the folks doing this have a windowless van parked outside a
Starbucks. I'm fairly certain you'd never be able to trace it back to a .gov
computer without physically finding the computers themselves.

------
ascendant
The cat can never be put back into the bag.

~~~
guelo
Obama has been careless when it comes to giving the military free rein with
new weapons without considering the consequences or legal precedent.

~~~
drivebyacct2
Well that's a whole boat-load of assumptions and accusations. And some rather
funny/naive ones at that.

~~~
guelo
How about telling me what it is you think instead of condescendingly calling
me funny and naive. Besides the use of weaponized computer viruses, which the
NY Times confirmed was done by Obama in the Stuxnet case, I am also thinking
of the massive increase in drone strike assassinations, including of American
citizens, in countries we are not at war with, namely Pakistan and Yemen. The
only assumption I made is that Flame was also done by Obama but I don't think
that is a big leap.

------
ktizo
so, is it officially the future yet?

------
jorgeleo
But... Did the first officer concur???

