
> 7. The stolen info is sent out by infecting USB sticks that are used in an infected machine and copying an encrypted SQLLite database to the sticks, to be sent when they are used outside of the closed environment. This way data can be exfiltrated even from a high-security environment with no network connectivity.

> "Agent.BTZ did something like this already in 2008. Flame is lame."

Flame's approach is different and more impressive. Agent.BTZ copied itself and used an easy-to-discover autorun.inf file in the root directory of attached disks or network shares. Flame exports its database by encrypting it and then writing it to the USB disk as a file called '.' (just a period, meaning 'current directory')

When you run a directory listing you can't see it. You can't open it. The Windows API doesn't allow you to create a file with that name, and Flame accomplishes this by opening the disk as a raw device and directly writing to the FAT partition. Impressive, right?

While a lot of these individual features alone are not impressive, the sum of the parts, combined with the collision attack on the certificate signature, is very impressive.

As for the main point of Mikko's post, I have never understood why so many folks in the netsec industry are arrogantly pessimistic about the innovation of others. I found Flame jaw-droppingly amazing.

Nobody knew about it for years, yet it was derided when discovered and documented.



> As for the main point of Mikko's post, I have never understood why so many folks in the netsec industry are arrogantly pessimistic about the innovation of others. I found Flame jaw-droppingly amazing.

Infosec is an inherently pessimistic enterprise, although spending time here makes me think it's not a perspective limited to security.

Just look at how almost every post here ends up littered with comments like "This isn't new. My XYZ already does all of this." People like to feel superior (it helps reinforce the individual nerd exceptionalism).


> This isn't new. My XYZ already does all of this.

This is exactly the attitude used by some negative minded mediocre people to demotivate free thinkers. To be fair, to most of them it probably also doesn't seem new in reality, because their grey cells lack the sophistication required to understand the difference.


I think it is more a case of the public information security field moving from a small, highly technical niche of hackers (example list[1]) to a mainstream career path that openly trains and employs thousands of people that may not have a traditional “hacker mind-set”[2][3].

BIFF[4] is still remembered by many within the early niche group of hackers. It is likely that similar psychology has been driving the ridicule at hacker conferences in recent years towards mainstream reporting on "cyber" topics and use of buzz phrases such as "Advanced Persistent Threat".

[1] https://en.wikipedia.org/wiki/Cypherpunk#Noteworthy_cypherpu...

[2] http://www.catb.org/~esr/faqs/hacker-howto.html

[3] https://www.schneier.com/blog/archives/2006/09/what_is_a_hac...

[4] https://en.wikipedia.org/wiki/BIFF


You might want to read between the lines. My take is that the style is a bit sarcastic, especially considering the last lines.


I believe m0nastic was talking about the people that the author is implicitly responding to, not the author.


>I have never understood why so many folks in the netsec industry are arrogantly pessimistic about the innovation of others. I found Flame jaw-droppingly amazing.

People are unsure as to why it has such a large file size (do we know why yet?). One very common explanation is that it is bloated because of poor software engineering, some of the people that believe this explanation attempt to fit the facts to that narrative.

Also consider the culture of the demo scene/exploit writers. The smaller the code, the better the programmer.

Personally I like to think that the Flame authors intentionally exploited this prejudice and made it large so that: 1. it wouldn't look like malware, 2. if it was discovered no one would take it seriously and look deeper, 3. reverse engineering it would be complicated by its large file size (cost > benefit from an AV perspective).


The same question was asked of Stuxnet; the answer is probably boring: state-sponsored malware authors are not like demo scene writers and do not care if their code is particularly elegant. They probably care more that it's J2EE-style maintainable.


And IMO (coming from a demoscener who's dabbled in malware dev for fun), they made the right choice. Sure, you pack Flame down and cut out everything non-essential, and you get it down to 64k. Good luck trying to add a new exploit later, once your target has adapted to your old ways. The goal of Flame and Stuxnet is not to be elegant or small or academically interesting (though I believe they are). The goal is to deliver a payload to their target in the most consistent way; they seem to be pretty damn dead on in hitting that goal.


Software that appears to be packed/obfuscated throws up red flags.

Rather than attempting to look like some badass in leather, flame/stuxnet dresses in a cheap ill-fitting suit with a bad microsoft tie so no one will suspect it.


It is worth noting that the 8.3 short name of the hidden file was HUB001.DAT[1]. This is because VFAT allows the specification of both a short name (8.3) and long name (LFN) for each file/directory.

You can find 8.3 '.' entry names by searching a partition for \x2e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20

A file with an LFN of '.' could be found with (hopefully this is correct) \x00\x2e\x00\x00\x00\x00\xff\xff\xff\xff\x0f

It appears as if 8.3 file names starting with '.' are treated specially but LFNs starting with '.' carry no significant meaning.

I struggled to find references to other malware that has used a similar approach. Does anyone have more information?

Surely Windows does not attempt to automatically execute files with an LFN (UTF-16 name) of '.'?

[1] http://labs.bitdefender.com/2012/06/flame-the-story-of-leake...

[2] https://en.wikipedia.org/wiki/File_Allocation_Table#Director...
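Added example, not code from the thread or from any published Flame analysis: a small Python script that builds a constructed FAT directory region and scans it for the two shapes of '.'-named entry discussed above, the raw-written 8.3 name '.' on a non-directory entry (the pattern the comment above greps for) and a long file name (LFN) of '.' attached to an ordinary 8.3 name such as HUB001.DAT, as described in the cited Bitdefender write-up. All directory contents here are constructed sample data; the layout follows the FAT directory-entry and LFN format, and the LFN checksum is the one from the FAT specification. The example also checks each LFN chain's checksum against its 8.3 entry, which catches chains that were written by hand rather than by the file system.

```python
import struct

# FAT directory entry constants (from the FAT specification)
ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F
DOT_83 = b".          "  # '.' padded to 11 bytes: the 8.3 form of a '.' entry


def lfn_checksum(name83: bytes) -> int:
    """Checksum of the 11-byte 8.3 name that every LFN entry in a chain must carry."""
    s = 0
    for b in name83:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def short_entry(name83: bytes, attr: int, size: int = 0, cluster: int = 2) -> bytes:
    """Build one 32-byte 8.3 directory entry (timestamps zeroed for brevity)."""
    assert len(name83) == 11
    return struct.pack("<11sBBBHHHHHHHI", name83, attr, 0, 0, 0, 0, 0,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)


def lfn_entries(long_name: str, name83: bytes) -> bytes:
    """Build the LFN chain for long_name in on-disk order (last fragment first)."""
    chars = list(long_name) + ["\x00"]
    while len(chars) % 13:
        chars.append("\uffff")  # unused slots are padded with U+FFFF
    chk, n, out = lfn_checksum(name83), len(chars) // 13, b""
    for i in range(n - 1, -1, -1):
        enc = "".join(chars[i * 13:(i + 1) * 13]).encode("utf-16-le")
        seq = (i + 1) | (0x40 if i == n - 1 else 0)  # 0x40 marks the last fragment
        out += struct.pack("<B10sBBB12sH4s", seq, enc[:10], ATTR_LONG_NAME, 0,
                           chk, enc[10:22], 0, enc[22:26])
    return out


def parse_directory(blob: bytes):
    """Yield (offset, long_name, raw 8.3 name, attr, size, checksum_ok) per 8.3 entry."""
    pending, pending_chk = {}, None
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = blob[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break  # end-of-directory marker
        if e[0] == 0xE5:
            pending.clear()  # deleted entry; drop any orphan LFN fragments
            continue
        attr = e[11]
        if attr & 0x3F == ATTR_LONG_NAME:
            # name bytes sit at 1..10, 14..25 and 28..31 of the LFN entry
            pending[e[0] & 0x1F] = e[1:11] + e[14:26] + e[28:32]
            pending_chk = e[13]
            continue
        long_name, chk_ok = None, True
        if pending:
            raw = b"".join(pending[k] for k in sorted(pending))
            long_name = raw.decode("utf-16-le").split("\x00", 1)[0].rstrip("\uffff")
            chk_ok = pending_chk == lfn_checksum(e[:11])
            pending = {}
        yield off, long_name, e[:11], attr, struct.unpack_from("<I", e, 28)[0], chk_ok


def grep_short_dot(blob: bytes):
    """The raw byte search for an 8.3 name of '.', restricted to entry boundaries.
    Note that it also hits the legitimate '.' self-link of every subdirectory."""
    return [off for off in range(0, len(blob), ENTRY_SIZE) if blob[off:off + 11] == DOT_83]


def find_dot_entries(blob: bytes):
    """Flag '.'-named entries that are not the normal directory self-link."""
    findings = []
    for off, long_name, name83, attr, size, chk_ok in parse_directory(blob):
        hit = dict(offset=off, short=name83.decode("latin-1").rstrip(), long=long_name, size=size)
        if name83 == DOT_83 and not attr & ATTR_DIRECTORY:
            findings.append(dict(hit, reason="8.3 name '.' on a non-directory entry"))
        if long_name and long_name.strip(".") == "":
            findings.append(dict(hit, reason="long name consists only of dots"))
        if not chk_ok:
            findings.append(dict(hit, reason="LFN checksum does not match 8.3 name"))
    return findings


def build_sample_directory() -> bytes:
    """Constructed sample subdirectory: the two legitimate links, a normal file, a
    Flame-style entry (LFN '.', 8.3 name HUB001.DAT) and a raw-written 8.3 '.' file."""
    return (short_entry(DOT_83, ATTR_DIRECTORY)
            + short_entry(b"..         ", ATTR_DIRECTORY)
            + lfn_entries("readme.txt", b"README  TXT") + short_entry(b"README  TXT", ATTR_ARCHIVE, 12)
            + lfn_entries(".", b"HUB001  DAT") + short_entry(b"HUB001  DAT", ATTR_ARCHIVE, 4096)
            + short_entry(DOT_83, ATTR_ARCHIVE, 100)
            + bytes(ENTRY_SIZE))


if __name__ == "__main__":
    sample = build_sample_directory()
    print("raw grep hits (includes the legitimate '.' link):", grep_short_dot(sample))
    for finding in find_dot_entries(sample):
        print(finding)
```

On a real image you would feed each directory cluster (root directory included) to find_dot_entries rather than grepping the whole partition, because the raw byte search cannot tell the rogue 8.3 '.' file from the '.' self-link that every subdirectory legitimately carries; the attribute byte and, for LFN chains, the checksum are what separate the two.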


It isn't executed; it is used to get the data out of air-gapped networks onto connected infected machines.


> As for the main point of Mikko's post, I have never understood why so many folks in the netsec industry are arrogantly pessimistic about the innovation of others. I found Flame jaw-droppingly amazing.

Security folks often lack development experience, specifically in products that ship, to appreciate the big picture. This is why certain people on HN were so fixated on a lack of code obfuscation to give credit to the massive QA effort behind making all of stuxnet work on such a complex target.

I say this as a security person who has previously done dev on product teams.



