
Kaspersky researcher cracks Flame malware password - headShrinker
http://www.networkworld.com/news/2012/091812-kaspersky-flame-262531.html
======
WestCoastJustin
PDF report by symantec of how the C&C was configured and how it works:
[http://www.symantec.com/content/en/us/enterprise/media/secur...](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf)

Full Analysis of Flame's Command & Control servers by Kaspersky Lab Expert
[http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame...](http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame_s_Command_Control_servers)

~~~
vinhboy
I find it really interesting that this is all done in a simple LAMP stack. And
they made a bunch of mistakes in their code.

------
xal
> The hash - 27934e96d90d06818674b98bec7230fa - was resolved to the plain text
> password 900gage!@# by Bestuzhev.

What? How did they crack this if brute force failed? That's scary as hell.

~~~
miles
Not only that: "_Kaspersky analyst Dmitry Bestuzhev cracked the hash for the
password Sept. 17 just hours after Symantec put out a public request for help_"

How is it possible to crack 900gage!@# in a few hours?

~~~
moxie
I run cloudcracker.com, which would have gotten this pretty quickly.

If you look at public password compromises, the components of this password
"900", "gage", and "!@#" each appear pretty frequently. So using a data-driven
approach to build context free grammars based on real-world passwords you've
found or already cracked will get passwords like this every time.

Basically, everyone thinks they're clever when they choose a password, but for
the most part people are all being "clever" in the same way. If you think up
your password, chances are you've lost.

~~~
miles
Thanks for your reply, Moxie! How would cloudcracker fare against the four-word
combos recently popularized by xkcd[1]? Even if it were known that the
password was made up of four English words, what sort of time frame might it
require to crack?

1 <http://xkcd.com/936/>

~~~
defen
The comic claims an entropy of 44 bits for a 4-word phrase. That means 11 bits
per word, so a dictionary of 2048 words, which sounds reasonable for "common
English words".

A single ATI 5970 can compute 2300M SHA-1 hashes per second. So you're looking
at about two and a half hours to run through the entire keyspace. Fewer on a
farm (which Amazon will rent to you for a few bucks). That's assuming you know
the dictionary, of course.

Of course, if the password is hashed with bcrypt or scrypt it will take much
longer, although I'm not sure how to do that calculation.

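The arithmetic in the post above, written out as an added Python example (it is not code from the thread or from any of the tools mentioned). The dictionary size, word count and per-GPU SHA-1 rate are the figures defen gives; the number of GPUs and the slowdown factor standing in for bcrypt/scrypt are assumed parameters, not measured values, and the larger dictionary sizes show how the estimate moves when the attacker does not know which word list was used.

```python
import math

# Figures taken from the post above.
DICT_SIZE = 2048                      # 11 bits per word
WORDS = 4                             # "correct horse battery staple"
SHA1_PER_SECOND_ONE_GPU = 2.3e9       # quoted rate for a single ATI 5970

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(dict_size: int, words: int) -> float:
    """Entropy in bits of `words` independent, uniform picks from a
    `dict_size`-word list: log2(dict_size) per word."""
    return words * math.log2(dict_size)


def seconds_to_exhaust(bits: float, hashes_per_second: float, gpus: int = 1) -> float:
    """Worst-case time to try every candidate at the given aggregate rate.
    Expected time to hit a random target is half of this."""
    return 2.0 ** bits / (hashes_per_second * gpus)


def seconds_with_slow_hash(bits: float, fast_rate: float, slowdown: float) -> float:
    """Same exhaustive search when each guess costs `slowdown` times one SHA-1.
    `slowdown` is an assumed parameter: a tunable hash such as bcrypt or scrypt
    is configured so that this factor is large, and the post's question of how
    to do that calculation reduces to measuring it for the chosen cost."""
    return seconds_to_exhaust(bits, fast_rate / slowdown)


def hours_by_dictionary(sizes, words: int = WORDS, gpus: int = 1) -> dict:
    """Exhaust time in hours for each candidate dictionary size. Models the
    "retry with a higher N" caveat: every doubling of N adds `words` bits."""
    return {
        n: seconds_to_exhaust(keyspace_bits(n, words), SHA1_PER_SECOND_ONE_GPU, gpus)
        / SECONDS_PER_HOUR
        for n in sizes
    }


if __name__ == "__main__":
    bits = keyspace_bits(DICT_SIZE, WORDS)
    one_gpu = seconds_to_exhaust(bits, SHA1_PER_SECOND_ONE_GPU)
    print(f"{WORDS} words from {DICT_SIZE}: {bits:.0f} bits")
    print(f"SHA-1, one GPU: {one_gpu / SECONDS_PER_HOUR:.1f} hours")
    # Assumed: 16 rented GPUs, and a slow hash costing 1e5 SHA-1 equivalents.
    print(f"SHA-1, 16 GPUs: {seconds_to_exhaust(bits, SHA1_PER_SECOND_ONE_GPU, 16) / 60:.0f} minutes")
    slow = seconds_with_slow_hash(bits, SHA1_PER_SECOND_ONE_GPU, 1e5)
    print(f"slow hash (x1e5), one GPU: {slow / SECONDS_PER_YEAR:.0f} years")
    for n, hrs in hours_by_dictionary((2048, 8192, 65536)).items():
        print(f"dictionary of {n:>5} words: {hrs:.3g} hours")
```

With these inputs the 44-bit keyspace falls in a little over two hours on one GPU, consistent with the post's rough figure; the same search over a 65536-word list is 64 bits and takes centuries at the same rate, which is why the "assuming you know the dictionary" caveat matters, and the slow-hash line shows that the per-guess cost, not the word count, is the lever a site operator controls.
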
~~~
miles
_you're looking at about two and a half hours to run through the entire
keyspace_

That's a little faster than howsecureismypassword.net's estimate (154
octillion years on a desktop PC to crack "correct horse battery staple"
(without quotes)).

~~~
koopajah
Yes, but don't forget the other part of his sentence: _That's assuming you
know the dictionary, of course._

~~~
huggah
It's pretty likely you do. Just take the N most common English words, and
retry with a higher N if that doesn't work. That will crack "correct horse
battery staple" quickly.

------
Steko
So I guess this was a previously cracked MD5 hash, 6th result below:

[http://www.google.com/search?q=900gage!%40%23&hl=en&...](http://www.google.com/search?q=900gage!%40%23&hl=en&safe=active&client=firefox-a&hs=O5U&rls=org.mozilla%3Aen-US%3Aofficial&sa=X&ei=-lZaUPnMJ8mi2QWgsIDgBw&ved=0CAkQpwUoBg&source=lnt&tbs=cdr%3A1%2Ccd_min%3A%2Ccd_max%3A9%2F16%2F2012&tbm=)

{restricted date to before a few days ago}

~~~
bcoates
Google's web search by date works by parsing dates on pages, not by loading
actual historical search data, so it's possible to backdate information with
it.

------
luu
Do people still think this was created by the NSA? It seems extraordinarily
unlikely that they would use such a weak password, one that you would expect
to fall to a rules based engine. The only way I could even imagine that
happening is as a bit of misdirection, and there must surely be misdirection
you can do that doesn't compromise your security.

~~~
WestCoastJustin
It was reported in the nytimes that this is indeed a cyberweapon [1].

[1] [http://www.nytimes.com/2012/06/01/world/middleeast/obama-ord...](http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html)

~~~
danielweber
That article doesn't seem to say that. It's suspected but the US has denied
it.

Who the heck lives at 900 Gage Road, though?

~~~
001sky
Title: _Obama Order Sped Up Wave of Cyberattacks Against Iran_ [1]

_____________

[1] There's no doubt that the US has developed cyberweapons, that cyberweapons
have been used under Obama, or that Flame is one of such a class of weapons. The
attribution of Flame is sort of a moot point re: "It was reported in the
nytimes that this is indeed a cyberweapons". Viz:

"Mr. Obama decided that the cyberattacks should proceed..." "The United States
government...acknowledged developing cyberweapons"...and now "another
cyberweapon called Flame that was recently discovered to have attacked" etc.
per NYT.

------
madsravn
Breaking a password and then forcing access to the server - isn't that illegal
regardless of who does it?

~~~
gknoy
I imagine that someone would have to come forward to complain that it was
unauthorized access. I doubt anyone wants to claim to be running a botnet.

~~~
insertnickname
This reminds me of the story about the guy who called the police because he
had his weed stolen from him I read in a local paper recently.

------
YZF
How much anonymity does this scheme buy you? If the server is discovered
presumably traffic can be traced back to its operators, no?

~~~
ianhawes
Presumably, the operators accessing it are using other compromised servers as
proxies to connect to the C&C servers. Their initial connection from HQ is
probably to an overseas VPN that has been set up by an IC shell company (shell
being a front, not a computer shell).

~~~
wahsd
With enough investigation all of that could be tracked and disclosed. It is
not impossible to track the origins of either method of obfuscation if one is
determined. Not that it's relevant because it was essentially already admitted
that it was a US operation, possibly/probably in collaboration with Israelis;
but that was basically obvious to all but the naive from the get-go.

------
TomAnthony
Did I miss something? The C&C servers are still online and running?

------
superuser2
How did Kaspersky get the hash?

~~~
YZF
They got access to the server through some other undisclosed means, the hash
was there.

------
drivebyacct2
Am I right in reading the Symantec C&C report and seeing that the servers were
on Linux machines? Were they hiding the activity from themselves in case they
were compromised? I assumed that they were infecting machines and using them
as servers. Was there a Linux vulnerability too?

