
Flame Malware Makers Send 'Suicide' Code

202 points | ytNumbers | 13 years ago | bbc.com

79 comments

haberman | 13 years ago
As someone who doesn't keep up with the crypto/security communities, one thing that has surprised me is how the cutting-edge news on this Flame story has been coming from antivirus vendors like Kaspersky Lab and Symantec. General sentiment seems to be that AV vendors are low-tech operations that don't have the best people when it comes to security. Other comments even on this very thread reflect this sentiment: "timaelliott: Symantec is just jealous these guys can remove viruses from a machine so damn efficiently." Do these guys deserve more respect than we give them?
roc | 13 years ago
I'm not sure where the cutting edge work is being done in this case, but generally speaking we 'hear' from Kaspersky/Symantec in these sorts of press stories primarily because they have notable press/marketing operations with tight relationships to mainstream news organizations.

Even if they were doing little more than independently confirming the cutting edge work of other firms, their voice is massively 'louder' and today's mass media landscape is tilted away from the independent investigation that we could rely upon to properly attribute the work being done in such technical situations.

lawnchair_larry | 13 years ago
Firstly, there is nothing at all special or interesting about how flame removes itself. It deletes a list of files that the author knows they created.

Secondly, you have to remember that these companies employ many free-thinking humans with varied jobs and abilities. Among those are some skilled analysts who simply take apart viruses for a paycheck. A lot of AV companies have at least a few people who are best of breed at this stuff. They post writeups and share the work of what is interesting. Marketing is generally not involved in the technical blog posts that you see.

notatoad | 13 years ago
IMHO, the antivirus makers deserve even less credit than we give them. They have been demonstrating their competence, so why is their software a bloated mess that slows computers to a crawl and still lets through unsophisticated crapware like the fake antivirus stuff?
tptacek | 13 years ago
Kaspersky runs a security news operation, competing with trade press operations like "Dark Reading", staffed with former writers from places like ZDNet. It is from what I can tell an extraordinarily effective marketing tool.
guelo | 13 years ago
No matter what people say there are many world-class security engineers and researchers working at Symantec.
ahsteele | 13 years ago
Symantec is gobbling up headlines specifically to make you believe they are a high-tech operation. There are many other private firms and state operations which you will never hear about, running rings around Symantec.
stonemetal | 13 years ago
It could be a case of PhDs who can't code. Basically being smart in one area doesn't make you smart in another, and in fact will often blind you to other areas. So poor UX and the always-behind nature of AV (attackers can see what you have done but you can't see what they are up to until it is too late) means you always appear incompetent no matter how good you are.
qdog | 13 years ago
They think it's 4 or 5 years old. I don't think that's very cutting edge.
bobsy | 13 years ago
Flame sounds awesome. I am always fascinated by clever bits of kit like this.

I read a piece about Conficker a while ago. I thought it was super cool that it patched the security vulnerability on infected computers to protect itself. It's just really clever. Now you have Flame which has done what it has done and is now trying to kill itself to make it look like it never existed.

Obviously though it is also deeply concerning. States are investing more and more into cyber warfare. If anything, more money needs to be spent hardening computer networks and systems to protect from exactly these kinds of threats.

Pewpewarrows | 13 years ago
Self-destruct codes and patching up the hole you came in through are both pretty par for the course when it comes to non-trivial malware.
fl3tch | 13 years ago
> The command located every Flame file sitting on a PC, removed it and then overwrote memory locations with gibberish to thwart forensic examination.

I'd like to know how many writes it did since this would finally settle the issue of whether FBI / NSA can read erased data. If one write is good enough for them, you know they can't recover anything with one write either.

tjohns | 13 years ago
Researchers already have samples of Flame saved. Nobody needs to do forensic analysis to try and recover deleted files here.

In all likelihood, all the Flame authors are trying to do is prevent computer owners from casually detecting that they were infected, now that Flame is public knowledge.

sp332 | 13 years ago
Stuxnet was US-funded, Flame wasn't.
hartleybrody | 13 years ago
Not sure I follow the logic of

"The design of this new variant required world-class cryptanalysis"

to

"The finding gives support to claims that Flame must have been built by a nation state rather than cybercriminals."

Doesn't that assume world-class cryptographers only work for governments? Are there are other reasons people are assuming this was state-sponsored?

gahahaha | 13 years ago
There is also the little fact that Flame seems to have been targeting Iran, Syria, and the West Bank. Not proof that a nation state was involved, but surely there are more profitable targets for a criminal mastermind capable of inventing new cryptographic methods.
JoachimSchipper | 13 years ago
There are lots of academic crypto researchers, there are some state-sponsored (i.e. secret-service) crypto researchers, and there are even a scant few commercial crypto researchers; the academics and commercial entities are usually reasonably open about their work, so that leaves state-sponsored cryptographers.

(Of course, they could be criminals. But there are other reasons to suspect that that is unlikely, most importantly the fact that Flame doesn't appear to steal credit cards.)

ajays | 13 years ago
It depends on what the malware is designed to do. Cui bono, as they say.

If the malware is designed to grab bank passwords or steal money, then you can assume there's a criminal enterprise behind it.

But if the malware is specifically targeting certain "problem" countries, and stealing documents and other things of non-monetary value, then it's very likely that there's a government behind it. Which criminal mastermind will say, "tomorrow, I'll steal Word documents of all Syrians"? What will he do with them anyway? Given the abundance of low-hanging fruit, why would a criminal jump through all these hoops?

noodle | 13 years ago
From the other articles I've read, it's my understanding that they're basically saying Flame is so sophisticated, it was probably developed by a team of really, really smart people with time and resources at their disposal.

It doesn't necessarily rule out criminals, but it's much more likely that it's state-sponsored.

joshuahedlund | 13 years ago
> Flame targeted countries such as Iran and Israel and sought to steal large amounts of sensitive data.

I had heard that Flame targeted Iran, which was one of the reasons people suspected US and/or Israel. This says Israel was targeted. Am I misinterpreting something here? If other evidence supposedly points to a nation-state, what nation-state dislikes both Iran and Israel? Something's not adding up.

Edit: Thanks. "Spy on friends" or "Spy on yourself to deflect attention" seem as viable as any other theories out there, if not more.

mkr-hn | 13 years ago
Another article on this (I don't have the link) indicated that the operators were carefully picking their targets and uninstalling it from uninteresting systems. If you have a virus like this, you can target people in your own country and help deflect suspicion at the same time.
cabalamat | 13 years ago
> what nation-state dislikes both Iran and Israel?

Saudi Arabia

Spooky23 | 13 years ago
"Liking" a nation does not preclude other nations from spying on them. I'm sure the US and Israel spy on each other.
GlennS | 13 years ago
Iran has sectarian differences with most of its neighbours: its Supreme Leader is a Shia cleric, whereas most countries in the Middle East are majority Sunni. So it isn't exactly surrounded by friends.
lawnchair_larry | 13 years ago
There is a rather large difference between saying who was targeted and saying where the infections were found.
eli | 13 years ago
At first I thought, why bother. But of course you would want to try to leave your target with no immediate way to determine which machines had been hit. Wonder why they didn't do it sooner. Perhaps they were worried about losing control if too many c&c servers were taken out.
timaelliott | 13 years ago
Symantec is just jealous these guys can remove viruses from a machine so damn efficiently.
philbarr | 13 years ago
Yeah, it's much harder to fully remove, say, Norton Antivirus from your computer.
stcredzero | 13 years ago
It helps if you know where it is ahead of time.
fibertbh | 13 years ago
Since a nation state is supposedly behind this, wouldn't they have secured their command & control hosts better?
ajross | 13 years ago
Surely they're not actually maintaining those hosts themselves (imagine the embarrassment of doing an RDNS lookup and getting "flame-cc1.nsa.gov"). They are almost certainly compromised machines owned by someone else, which makes "securing" them in the classic sense pretty much impossible.
ascendant | 13 years ago
The cat can never be put back into the bag.
guelo | 13 years ago
Obama has been careless when it comes to giving the military free rein with new weapons without considering the consequences or legal precedent.
AsylumWarden | 13 years ago
Meow. Who says they would want to put the cat back in the bag. Part of war is showing the other side that your guns are bigger and meaner. If the US is responsible, and like others I am reasonably confident we are, then the US just flashed a really nice show of what we are capable of in a real cyberwar.
eevilspock | 13 years ago
It could never have been kept in the bag. State-sponsored viruses and other Internet hacking are inevitable.
ktizo | 13 years ago
So, is it officially the future yet?
jorgeleo | 13 years ago
But... did the first officer concur???