Anti-Spyware Forums


Reply
Thread Tools Display Modes

Powerful "Flame" cyber weapon found in Iran

 
 
Virus Guy
Guest
Posts: n/a

 
      29-05-2012, 03:54 AM
Powerful "Flame" cyber weapon found in Iran

http://www.reuters.com/article/2012/...84R0E420120528

BOSTON (Reuters) - Security experts said on Monday a highly
sophisticated computer virus is infecting computers in Iran and other
Middle East countries and may have been deployed at least five years ago
to engage in state-sponsored cyber espionage.

Evidence suggest that the virus, dubbed Flame, may have been built on
behalf of the same nation or nations that commissioned the Stuxnet worm
that attacked Iran's nuclear program in 2010, according to Kaspersky
Lab, the Russian cyber security software maker that took credit for
discovering the infections.

Kaspersky researchers said they have yet to determine whether Flame had
a specific mission like Stuxnet, and declined to say who they think
built it.

(of course it was either the US or Israel)

Iran has accused the United States and Israel of deploying Stuxnet.

Cyber security experts said the discovery publicly demonstrates what
experts privy to classified information have long known: that nations
have been using pieces of malicious computer code as weapons to promote
their security interests for several years.

"This is one of many, many campaigns that happen all the time and never
make it into the public domain," said Alexander Klimburg, a cyber
security expert at the Austrian Institute for International Affairs.

A cyber security agency in Iran said on its English website that Flame
bore a "close relation" to Stuxnet, the notorious computer worm that
attacked that country's nuclear program in 2010 and is the first
publicly known example of a cyber weapon.

Iran's National Computer Emergency Response Team also said Flame might
be linked to recent cyber attacks that officials in Tehran have said
were responsible for massive data losses on some Iranian computer
systems.

Kaspersky Lab said it discovered Flame after a U.N. telecommunications
agency asked it to analyze data on malicious software across the Middle
East in search of the data-wiping virus reported by Iran.

STUXNET CONNECTION

Experts at Kaspersky Lab and Hungary's Laboratory of Cryptography and
System Security who have spent weeks studying Flame said they have yet
to find any evidence that it can attack infrastructure, delete data or
inflict other physical damage.

Yet they said they are in the early stages of their investigations and
that they may discover other purposes beyond data theft. It took
researchers months to determine the key mysteries behind Stuxnet,
including the purpose of modules used to attack a uranium enrichment
facility at Natanz, Iran.

If Kaspersky's findings are validated, Flame could go down in history as
the third major cyber weapon uncovered after Stuxnet and its
data-stealing cousin Duqu, named after the Star Wars villain.

The Moscow-based company is controlled by Russian malware researcher
Eugene Kaspersky. It gained notoriety after solving several mysteries
surrounding Stuxnet and Duqu.

Officials with Symantec Corp and Intel Corp McAfee security division,
the top 2 makers of anti-virus software, said they were studying Flame.

"It seems to be more complex than Duqu but it's too early to tell its
place in history," said Dave Marcus, director of advanced research and
threat intelligence with McAfee.

Symantec Security Response manager Vikram Thakur said that his company's
experts believed there was a "high" probability that Flame was among the
most complex pieces of malicious software ever discovered.

At least one rival of Kaspersky expressed skepticism.

Privately held Webroot said its automatic virus-scanning engines
detected Flame in December 2007, but that it did not pay much attention
because the code was not particularly menacing.

That is partly because it was easy to discover and remove, said Webroot
Vice President Joe Jaroch. "There are many more dangerous threats out
there today," he said.

MAPPING IT OUT

Kaspersky's research shows the largest number of infected machines are
in Iran, followed by Israel and the Palestinian territories, then Sudan
and Syria.

The virus contains about 20 times as much code as Stuxnet, which caused
centrifuges to fail at the Iranian enrichment facility it attacked. It
has about 100 times as much code as a typical virus designed to steal
financial information, said Kaspersky Lab senior researcher Roel
Schouwenberg.

Flame can gather data files, remotely change settings on computers, turn
on PC microphones to record conversations, take screen shots and log
instant messaging chats.

Kaspersky Lab said Flame and Stuxnet appear to infect machines by
exploiting the same flaw in the Windows operating system and that both
viruses employ a similar way of spreading.

That means the teams that built Stuxnet and Duqu might have had access
to the same technology as the team that built Flame, Schouwenberg said.

He said that a nation state would have the capability to build such a
sophisticated tool, but declined to comment on which countries might do
so.

The question of who built flame is sure to become a hot topic in the
security community as well as the diplomatic world.

There is some controversy over who was behind Stuxnet and Duqu. Some
experts suspect the United States and Israel, a view that was laid out
in a January 2011 New York Times report that said it came from a joint
program begun around 2004 to undermine what they say are Iran's efforts
to build a bomb.

The U.S. Defense Department, CIA, State Department, National Security
Agency, and U.S. Cyber Command declined to comment.

Hungarian researcher Boldizsar Bencsath, whose Laboratory of
Cryptography and Systems Security first discovered Duqu, said his
analysis shows that Flame may have been active for at least five years
and perhaps eight years or more.

That implies it was active long before Stuxnet.

"It's huge and overly complex, which makes me think it's a
first-generation data gathering tool," said Neil Fisher, vice president
for global security solutions at Unisys Corp. "We are going to find more
of these things over time."

Others said cyber weapons technology has inevitably advanced since Flame
was built.

"The scary thing for me is: if this is what they were capable of five
years ago, I can only think what they are developing now," Mohan Koo,
managing director of British-based Dtex Systems cyber security company.

Some experts speculated that the discovery of the virus may have dealt a
psychological blow to its victims, on top of whatever damage Flame may
have already inflicted to their computers.

"If a government initiated the attack it might not care that the attack
was discovered," said Klimburg of the Austrian Institute for
International Affairs. "The psychological effect of the penetration
could be nearly as profitable as the intelligence gathered."
 
Reply With Quote
 
 
 
 
Shadow
Guest
Posts: n/a

 
      29-05-2012, 02:56 PM
On Mon, 28 May 2012 23:54:31 -0400, Virus Guy <(E-Mail Removed)> wrote:

>Powerful "Flame" cyber weapon found in Iran
>
>http://www.reuters.com/article/2012/...84R0E420120528



http://www.wired.com/threatlevel/2012/05/flame/

I might be a tiny bit biased, but isn't Flame just a watered
down version of Google ?


[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
 
Reply With Quote
 
 
 
 
FromTheRafters
Guest
Posts: n/a

 
      29-05-2012, 04:08 PM
Virus Guy wrote:

[...]
> Privately held Webroot said its automatic virus-scanning engines
> detected Flame in December 2007, but that it did not pay much attention
> because the code was not particularly menacing.
>

They may be right.
 
Reply With Quote
 
Virus Guy
Guest
Posts: n/a

 
      29-05-2012, 11:18 PM
https://www.securelist.com/en/blog?SSL=1#

Flame: Bunny, Frog, Munch and BeetleJuice…

Aleks
Kaspersky Lab Expert
Posted May 29, 20:30 GMT

As already mentioned in the previous blog post about Flame, the volume
of its code and functionality are so great that it will take several
months for a complete analysis. We’re planning on continually disclosing
in our publications the most important and interesting details of its
functionality as we reveal them.

At the moment we are receiving many inquiries about how to check systems
for a Flame infection. Of course the simplest answer, for us, is to
advise to use Kaspersky Lab Antivirus or Internet Security. We
successfully detect and delete all possible modifications of the main
module and extra components of Flame.

However, for those who want to carry out a detailed check themselves, at
the end of this article we will give the necessary recommendations and
advice.

MSSECMGR.OCX

The main module of Flame is a DLL file called mssecmgr.ocx. We’ve
discovered two modifications of this module. Most of the infected
machines contained its “big” version, 6 Mb in size, and carrying and
deploying additional modules. The smaller version’s size is only 900 Kb
and contains no additional modules. After installation, the small module
connects to one of the C&C servers and tries to download and install the
remaining components from there.

Mssecmgr may be called different names on actual infected machines,
depending on the method of infection and the current internal state of
the malware (installation, replication, upgrade), e.g., wavsup3.drv,
~zff042.ocx, msdclr64.ocx, etc.

Complete analysis of the mssecmgr module will follow in our upcoming
blog posts.

The first activation of this file is initiated by one of the external
features - either Windows WMI tools using a MOF file if the MS10-061
exploit is used, or using a BAT file:

s1 = new ActiveXObject("Wscript.Shell");
s1.Run("%SYSTEMROOT%\\system32\\rundll32.exe
msdclr64.ocx,DDEnumCallback");
(source code of MOF file, svchostevt.mof)

When activated, mssecmgr registers itself as a custom authentication
package in the Windows registry:

HKLM_SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages = mssecmgr.ocx [added to existing entries]

On the next system boot, the module is loaded automatically by the
operating system.

After updating the Windows registry, mssecmgr extracts any additional
modules that are present in its encrypted and compressed resource
section (resource “146”) and installs them. The resource is a dictionary
that contains configuration options for mssecmgr and other modules, the
modules themselves (DLL files), and parameters that need to be passed to
these modules to load them properly, i.e., decryption keys.

We are analyzing the additional modules and will provide more
information about their functionality in coming blog posts.

When installation is completed, mssecmgr loads available modules and
starts several execution threads that implement a channel to the C&C
servers and Lua interpreter host, and other features - depending on the
configuration. The functionality of the module is separated into
different “units” that have different namespaces in the configuration
resource and have distinct names in log messages, which are extensively
used throughout the code.

Here is a brief overview of the available units. The names were
extracted from the binary and the 146 resource.

(see table of unit names and functions, and more, at the above URL)
 
Reply With Quote
 
alnico-blue
Guest
Posts: n/a

 
      30-05-2012, 05:43 PM
In article <(E-Mail Removed)>, (E-Mail Removed) says...
>
> Powerful "Flame" cyber weapon found in Iran
>
> http://www.reuters.com/article/2012/...84R0E420120528
>
> BOSTON (Reuters) - Security experts said on Monday a highly
> sophisticated computer virus is infecting computers in Iran and other
> Middle East countries and may have been deployed at least five years ago
> to engage in state-sponsored cyber espionage.
>
> Evidence suggest that the virus, dubbed Flame, may have been built on
> behalf of the same nation or nations that commissioned the Stuxnet worm
> that attacked Iran's nuclear program in 2010, according to Kaspersky
> Lab, the Russian cyber security software maker that took credit for
> discovering the infections.
>
> Kaspersky researchers said they have yet to determine whether Flame had
> a specific mission like Stuxnet, and declined to say who they think
> built it.
>
> (of course it was either the US or Israel)
>
> Iran has accused the United States and Israel of deploying Stuxnet.
>
> Cyber security experts said the discovery publicly demonstrates what
> experts privy to classified information have long known: that nations
> have been using pieces of malicious computer code as weapons to promote
> their security interests for several years.
>
> "This is one of many, many campaigns that happen all the time and never
> make it into the public domain," said Alexander Klimburg, a cyber
> security expert at the Austrian Institute for International Affairs.
>
> A cyber security agency in Iran said on its English website that Flame
> bore a "close relation" to Stuxnet, the notorious computer worm that
> attacked that country's nuclear program in 2010 and is the first
> publicly known example of a cyber weapon.
>
> Iran's National Computer Emergency Response Team also said Flame might
> be linked to recent cyber attacks that officials in Tehran have said
> were responsible for massive data losses on some Iranian computer
> systems.
>
> Kaspersky Lab said it discovered Flame after a U.N. telecommunications
> agency asked it to analyze data on malicious software across the Middle
> East in search of the data-wiping virus reported by Iran.
>
> STUXNET CONNECTION
>
> Experts at Kaspersky Lab and Hungary's Laboratory of Cryptography and


More info here..
http://www.crysys.hu/skywiper/skywiper.pdf
 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sophisticated Virus Infects Computers in Iran, Mideast Virus Guy Anti-Virus 0 30-05-2012 12:50 PM
Iran was prime target of Stuxnet SCADA worm Virus Guy Anti-Virus 5 18-09-2010 08:18 AM
Cyber Security or Cyber Protection Centre Hoges in WA Virus Information 2 31-10-2009 09:47 PM
The most powerful computer security tool 00000000000000 Virus Information 0 22-08-2006 03:22 PM
iran amirhossein Security Software 5 31-12-2003 03:38 AM


All times are GMT. The time now is 12:31 AM.