Flame: Massive cyber-attack discovered, researchers say - Juha
http://www.bbc.com/news/technology-18238326#?utm_source=twitterfeed&utm_medium=twitter

======
swatkat
Kaspersky blog has more info:
[http://www.securelist.com/en/blog/208193522/The_Flame_Questi...](http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers)

~~~
gaius
Aren't these the guys who wigged out because they thought Duqu was written in
an entirely new custom virus language? And it was actually Visual C++? The
second most common compiler on the planet? (after GCC) I would take their
analysis with a big pinch of salt.

~~~
swordswinger12
Give them some credit. Duqu was written using a nonstandard C extension for OO
and it was pretty heavily obfuscated iirc.

~~~
gaius
Not really; they just did OO with C structs and function pointers. This is
actually how it used to be done in high-performance code like computer
graphics before C++ got fast enough. And the "obfuscation" was passing the -O
flag to the compiler...
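
The struct-plus-function-pointer pattern gaius describes, as an added example that is not code from this thread or from any analysed sample; the `Filter` type, its two implementations and the `filter_*` functions are invented here purely to illustrate the technique:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical example of "OO in C": one dispatch table (a vtable) per type,
 * and one struct per instance whose first member points at that table.
 * Nothing here is taken from any real program. */
typedef struct Filter Filter;

typedef struct {
    const char *name;
    void (*apply)(Filter *self, char *buf);   /* "virtual method" */
    void (*destroy)(Filter *self);            /* "virtual destructor" */
} FilterVTable;

struct Filter {
    const FilterVTable *vt;   /* must be first: every instance starts with its table */
    unsigned calls;           /* state shared by all "subclasses" */
};

/* "Subclass" 1: uppercase ASCII letters in place, no extra state */
static void upper_apply(Filter *self, char *buf) {
    self->calls++;
    for (; *buf; buf++) *buf = (char)toupper((unsigned char)*buf);
}

/* "Subclass" 2: reverse the string in place, with extra per-instance state */
typedef struct {
    Filter base;          /* base first, so Filter* and ReverseFilter* alias */
    size_t bytes_seen;    /* field only this subclass has */
} ReverseFilter;

static void reverse_apply(Filter *self, char *buf) {
    ReverseFilter *r = (ReverseFilter *)self;   /* "downcast" via first member */
    size_t n = strlen(buf);
    self->calls++;
    r->bytes_seen += n;
    for (size_t i = 0, j = n; i + 1 < j; i++, j--) {
        char t = buf[i]; buf[i] = buf[j - 1]; buf[j - 1] = t;
    }
}

static void generic_destroy(Filter *self) { free(self); }

/* One shared table per type, exactly like a C++ vtable */
static const FilterVTable upper_vt   = { "upper",   upper_apply,   generic_destroy };
static const FilterVTable reverse_vt = { "reverse", reverse_apply, generic_destroy };

/* "Constructors" */
Filter *filter_new_upper(void) {
    Filter *f = calloc(1, sizeof *f);
    if (f) f->vt = &upper_vt;
    return f;
}

Filter *filter_new_reverse(void) {
    ReverseFilter *r = calloc(1, sizeof *r);
    if (r) r->base.vt = &reverse_vt;
    return r ? &r->base : NULL;
}

/* "Virtual calls": the caller never learns the concrete type */
void filter_apply(Filter *f, char *buf) { f->vt->apply(f, buf); }
const char *filter_name(const Filter *f) { return f->vt->name; }
void filter_destroy(Filter *f) { f->vt->destroy(f); }

/* Accessor for the subclass-only field; 0 for any other type */
size_t reverse_filter_bytes_seen(const Filter *f) {
    return f->vt == &reverse_vt ? ((const ReverseFilter *)f)->bytes_seen : 0;
}

int main(void) {
    Filter *chain[2] = { filter_new_upper(), filter_new_reverse() };
    char msg[] = "hello, flame";   /* constructed sample input */
    for (int i = 0; i < 2; i++) {
        if (!chain[i]) return 1;
        filter_apply(chain[i], msg);
        printf("%-8s -> %s\n", filter_name(chain[i]), msg);
    }
    for (int i = 0; i < 2; i++) filter_destroy(chain[i]);
    return 0;
}
```

The only type information that survives compilation is the table pointer in each object's first word, so the dispatch becomes an indirect call through a pointer loaded from the object; that shape, with the optimiser inlining and reordering around it, is what the thread is arguing about.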

~~~
__alexs
s/used to be done/is/

Also, the Linux kernel, and any other half decent large C program.

------
haberman
_The reason why Flame is [20MB] is because it includes many different
libraries, such as for compression (zlib, libbz2, ppmd) and database
manipulation (sqlite3), together with a LUA virtual machine._

SQLite is 500kB, Lua is 150kB, zlib is 80kB, libbz2 is 60kB. Together this
comes to less than 1MB, not 20MB. You would need an awful lot of libraries
like this to get anywhere close to 20MB.

~~~
runjake
I don't get the point of your comment. Are you saying you doubt it's 20MB? Or
that it doesn't include a lot of libraries?

What point are you trying to make exactly?

~~~
fusiongyro
He's pointing out that the explanation for the size given in the article isn't
adequate because the facts don't bear it out.

~~~
haberman
Exactly. I particularly wanted to mention that it's entirely possible to ship
software that uses libraries like this but isn't 20MB large. But maybe there
are a lot more libraries included than are mentioned here (as another poster
suggested).

------
thursley
More technical details (pdf) on: <http://www.crysys.hu/skywiper/skywiper.pdf>

Although the naming differs it has been noted on several blogs that it is the
same malware.

~~~
LiquidSummer
I always hesitate a little bit when I open a PDF, especially when it is one on
malware.

~~~
FreakLegion
Note that while the _exploit_ is in the PDF, the _vulnerability_ is in the PDF
reader. In practice, Adobe's software is the only attack surface anyone ever
exploits, so you can read exploit-laden PDFs worry-free by using a less
popular alternative. The same is true with Word/Excel files, etc.

You should still have some kind of comprehensive security solution in place,
particularly for a business environment, but use of non-standard software is
an effective fail-safe for when your "real" security craps out on you (as it
inevitably will).

~~~
makomk
I've no idea why everyone only exploits Adobe's software though. For instance,
pretty much all the open source PDF readers are based on a single PDF library
called Poppler with a history of security vulnerabilities - exploit that and
you should be able to exploit all of them in one fell swoop.

------
radagaisus
>> Our estimation of development ‘cost’ in LUA is over 3000 lines of code,
which for an average developer should take about a month to create and debug.

They should do project estimation instead of Security Analysis.

------
munin
"It's easier to hide a small file than a larger module." My mind is blown.
Small files are not like small rocks. It's a computer!

~~~
gue5t
Assuming fairly dense formats (no .wavs or .bmp images), large files
necessarily mean more than small files, so they draw more attention to
themselves. "Why is /foo/bar using 300MB of disk?" is a much more likely
avenue of inquiry than "Why is /foo/bar using 50KB of disk?".

~~~
moe
Except the last time when 20MB was "large" was in the early 1990s. Today, even
_if_ someone goes to clean out their harddrive, a 20MB file is unlikely to
even appear on the radar.

~~~
cstejerean
Unless you're dealing with most corporate mail systems.

~~~
duaneb
I don't quite understand what you mean - the 20MB file would stand out on a
mail server? I find that unlikely, unless they're running OpenBSD. Is the 20MB
file attached to mail messages? That also seems unlikely, if only because
that's a really stupid way to design a virus.

~~~
Travis
The reason it's a stupid way to design a virus currently is because that was
one of the primary attack vectors in the past. Yes, most decent mail systems
will protect against this. But some might not -- might as well use what's
worked in the past as well as other options.

Also, what if the mail component were used to hide/archive the virus? Hide a
virus attachment from someone to themself, then have some bootstrap code
(Outlook/email client exploit, perhaps) that loads the email archived virus
back onto the comp.

------
count
Didn't Sub7 do all of that back in the 90s?

~~~
hippich
Right. And it was NOT developed by a state.

~~~
makomk
I think hobbyist development of exploits of the kind that lead to Sub7 has
mostly fallen out of fashion, to be honest. Most of the stuff out there these
days seems to be commercially-driven scamware and phishing and its developers
don't have the same incentive to make their code as 1337 as possible. So
90s-style exploit kits and RATs are quite unusual in 2012.

------
tomrod
Man, I love hearing the nitty-gritty security details. More like this, please!

------
vecinu
I assume we are going to see a complicated and interesting dissection a la
Stuxnet? The Stuxnet TED talk [0] was really interesting, I ended up giving a
talk to my department at work afterwards.

[0] - <http://www.youtube.com/watch?v=CS01Hmjv1pQ>

~~~
jacquesgt
Here's a much deeper and more technical presentation Ralph Langner gave on
Stuxnet.

<http://vimeopro.com/s42012/s4-2012/video/35806770>

------
mikegirouard
> "Currently there are three known classes of players who develop malware and
> spyware: hacktivists, cybercriminals and nation states."

Surely that can't be all-inclusive… is it?

~~~
dfc
How could it not be? That is a very broad group. Who else has the motivation
to develop and maintain large scale malware/spyware? If you want to be
pedantic about it cybercriminal is probably broad enough to be all inclusive.

I guess you could include companies like Sony but they were probably excluded
for not having the same malicious intent.

------
tlack
I'd love to know more about the command and control servers. If any of them
involve paid hosting that might help to out the guilty party.

~~~
duaneb
I would love to see the binary, even if it means waiting until vulnerabilities
are patched.

~~~
josephkern
At 20MB I would be surprised if it didn't patch itself with new exploits.

~~~
duaneb
Hopefully the infected would not only patch but perform quarantines.

------
LiquidSummer
I'm fed up with these technically lacking stories that don't give you the
details but tell you that it's "complex". While I realise that the BBC website
is aimed towards the general public, I think that it would be beneficial to
include at least some technical details.

~~~
davidandgoliath
If you're fed up with that, avoid the mainstream media & delve into the blog
post linked up above :)

~~~
LiquidSummer
Haha! Yeah, I just finished reading the kinda-more-informative analysis
([http://www.securelist.com/en/blog/208193522/The_Flame_Questi...](http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers)).
Seems very interesting. I wish that they would share the samples so other
hobbyists could also see what it is like.

------
NelsonMinar
The Wired ThreatLevel article is a good alternative summary to the BBC
article. <http://www.wired.com/threatlevel/2012/05/flame/>

------
DrummerHead
Those paragraphs are so short that it makes me angry.

------
gcb
Their conclusion that because it doesn't steal money it can't belong to
cybercriminals is bogus and shows how little they understand of the industry.

I've heard of researchers from one company dumpster diving the competition. A
worm (as amateur as a 20MB one) could easily be the work of those kind. But I
think it gets less press than "evil country" "omg world cyber war" ...not that
it may not be happening anyway.

------
fishcakes
We should just convert the comments to a poll. Who is behind this?

~~~
maayank
How would we keep track of scores? Would you keep editing your post to reflect
changes in voting?

(This is beside the point of whether it is a good or bad idea. In any case, it
certainly seems novel to me.)