
Flame: New malware discovered. Who do you think is behind it?

JayBirdz Member Posts: 1,017

http://www.bbc.com/news/technology-18238326

Short summary and quote for those not going to read it.

  • They believe that it has been around since 2010. Maybe longer.
  • They believe that it is state sponsored but are not sure by whom.
  • It's 20MB in size.
  • Kaspersky found it.
  • Quote : "Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on," he said.

My guess would be China. They've pretty much hacked everything.

Comments

  • CalmOceans Member Uncommon Posts: 2,437

    Hm, how do you accidentally download something 20MB in size, though, and run it too?

  • Theutus Member Uncommon Posts: 636

    porn

  • Precusor Member Uncommon Posts: 3,589

    Why would China spy on Iran.. Saudi Arabia.. Syria..  Egypt and the West Bank/Gaza Palestinians?

    an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years....
    its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame...The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the Lua programming language — an uncommon choice for malware.
    .... The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
    ....
    Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran, and Lebanon. They have received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.
     
  • Brenelael Member Uncommon Posts: 3,821
    Originally posted by Precusor

    Why would China spy on Iran.. Saudi Arabia.. Syria..  Egypt and the West Bank/Gaza Palestinians?

    an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years....
    its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame...The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the Lua programming language — an uncommon choice for malware.
    .... The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
    ....
    Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran, and Lebanon. They have received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.
     

    From the countries this thing is targeting I would suspect the good ol' CIA or Israel before I would suspect China.

     

    Bren

    while(horse==dead)
    {
    beat();
    }

  • Precusor Member Uncommon Posts: 3,589

    Anonymous attacked Israeli commercial sites once...and the Mossad responds with this open letter.

    Now notice what the Mossad says and read up on what the Flame malware can do.

     

    Date: FEB 12TH, 2012

    http://pastebin.com/pVmAZqWY

     

     
  • JayBirdz Member Posts: 1,017
    Originally posted by Precusor

    Anonymous attacked Israeli commercial sites once...and the Mossad responds with this open letter.

    Now notice what the Mossad says and read up on what the Flame malware can do.

     

    Date: FEB 12TH, 2012

    http://pastebin.com/pVmAZqWY

     

     

    It was a tough choice between the two.  The BBC article didn't get into who all it attacked other than the main countries, just that it was in countries all over that region. China does have as much of a vested interest as the U.S.   Thinking resources.  Their country does consume a lot, and they hate political unrest. 

    Jake Davis, whom that pastebin talks about.
     
    As far as the pastebin: it is what it is. It just doesn't seem to pass the sniff test.   To be honest, there have been white hat hacktivists outing Anonymous, LulzSec members in this case.  These white hats played some sort of role in helping to take down black hats.  Web Ninjas (whoever they were) and Th3J35t3r [[[The only hacker to have successfully taken down WikiLeaks, which didn't make him popular with Anonymous.]]]  were going after LulzSec, of which Jake Davis was a member.  Ignoring the fact that Sabu was quietly flipped by the feds for months.  A VPN service had a part in giving up Jake Davis.  He was out in the middle of nowhere, and white hats were just as shocked as everyone else. They weren't sure the right guy was picked up.
     
    White hat hackers, the Web Ninjas, had an incredible blog site. While Th3j35t3r gave out incorrect names for Sabu along with the correct one, the Web Ninjas correctly identified him. It didn't matter, because at this point in time Sabu had already been flipped.  Wish they had left the website up so that I could link references.
     
    Of the very small portions that they did show was an old registered domain they linked to Sabu, then linking that to social websites. Again: that's of the information that they made public. They said the rest of the information was given to law enforcement, which may or may not have already flipped him.
     
    [[[The funny thing is, at this time I kept asking myself how the hell they didn't have Sabu when they slowly kept picking up other members of the group.  Yet nothing about Sabu. After taking a break, read: unknowingly being flipped, he was still plugging away on IRC and his Twitter.]]]
     
    Web Ninjas and Jake "@topiary" Davis:  They identified him incorrectly. Jake Davis had stolen and used another person's online identity to add to the confusion.  I forget exactly what information the Web Ninjas gave.  I do think it was as simple as that, though, if I remember correctly.   They identified an Anonymous member who used the name Topiary, which had been in the spotlight several times. So they linked the real Topiary as LulzSec Topiary.  Their updates were coming out pretty slowly after a while, and they seemed just as confused as everyone else when Jake Davis got picked up. They weren't even convinced that Jake Davis was the only person behind the Lulz @Topiary account. Not sure if this is them trying to come to terms with being so far off the mark or if they really believed more people were behind the LulzSec Topiary.
     
    So given how Jake was reportedly outed by a VPN under legal threats, which angered a lot of Anonymous, and given how over the top the pastebin is written, I believe it's just writing.  If a government agency had Flame installed on key members of Anonymous' machines, they would have already picked those people up.  Yet a lot of the vans seem to be almost a joint effort.
     
    I am no expert and I am not claiming to be. I did follow, out of pure interest, the happenings and back-and-forth conversations during this time from the sources, or as close to the sources as anyone could get: their official sites, etc.   The article's claims seem way off when talking about Jake.  

    If Flame or anything like it was on their machines, why would the feds have made a deal with Sabu and used him to bag other members such as Jake Davis?
     

     

    Edited to add, just for clarity:  That pastebin seems to imply that they knew who Jake Davis was all along, which does not fit with how everything unfolded.

     

  • Brenelael Member Uncommon Posts: 3,821

    I wouldn't sell that Mossad letter too short, JayBirdz. Everything that letter claims the author was doing was more than possible with the Flame malware installed on a target's computer. I have to agree with Precusor on this one. That letter seems very similar to what Flame was designed to do, and the targeted regions are all of high-priority interest to the Mossad. Besides, the Mossad have not always been very forthcoming with intel in the past. The answer to your questions about why the FBI and law enforcement didn't know these things is probably because Mossad was the only agency that knew Flame existed. They simply didn't have access to it or even know of its existence.

     

    Bren

    while(horse==dead)
    {
    beat();
    }

  • JayBirdz Member Posts: 1,017
    Originally posted by Brenelael

    I wouldn't sell that Mossad letter too short, JayBirdz. Everything that letter claims the author was doing was more than possible with the Flame malware installed on a target's computer. I have to agree with Precusor on this one. That letter seems very similar to what Flame was designed to do, and the targeted regions are all of high-priority interest to the Mossad. Besides, the Mossad have not always been very forthcoming with intel in the past. The answer to your questions about why the FBI and law enforcement didn't know these things is probably because Mossad was the only agency that knew Flame existed. They simply didn't have access to it or even know of its existence.

     

    Bren

    It doesn't match with how Jake Davis was taken down. It really doesn't.. Ok, so I might have been off on the China mark. I based it off of the BBC article.

    The fact that he was number 2 on the totem pole. He was almost the last to have been picked up.

    The feds had help from a VPN provider to nab Jake. 

    The feds cut a deal with Sabu. Flipped him to a rat.

    Why would they have had to have done this if Flame was on these machines?

     

    Maybe.. I dunno..

  • Brenelael Member Uncommon Posts: 3,821
    Originally posted by JayBirdz
    Originally posted by Brenelael

    I wouldn't sell that Mossad letter too short, JayBirdz. Everything that letter claims the author was doing was more than possible with the Flame malware installed on a target's computer. I have to agree with Precusor on this one. That letter seems very similar to what Flame was designed to do, and the targeted regions are all of high-priority interest to the Mossad. Besides, the Mossad have not always been very forthcoming with intel in the past. The answer to your questions about why the FBI and law enforcement didn't know these things is probably because Mossad was the only agency that knew Flame existed. They simply didn't have access to it or even know of its existence.

     

    Bren

    It doesn't match with how Jake Davis was taken down. It really doesn't.. Ok, so I might have been off on the China mark. I based it off of the BBC article.

    The fact that he was number 2 on the totem pole. He was almost the last to have been picked up.

    The feds had help from a VPN provider to nab Jake. 

    The feds cut a deal with Sabu. Flipped him to a rat.

    Why would they have had to have done this if Flame was on these machines?

     

    Maybe.. I dunno..

    Just because the Mossad knew who Topiary was doesn't mean they told any other agency. Like I said, the Israelis, and Mossad in particular, have never been known to share intel unless they deemed it absolutely necessary. If they had this wonderful espionage tool, they would definitely try to keep it as secret as possible. Would you give up your hotline to hundreds or possibly thousands of enemy operatives across the whole Middle East just to nab a few kids with too much time on their hands? You need to look at the bigger picture here.

     

    Bren

    while(horse==dead)
    {
    beat();
    }

  • JayBirdz Member Posts: 1,017
    Originally posted by Brenelael
    Originally posted by JayBirdz
    Originally posted by Brenelael

    I wouldn't sell that Mossad letter too short, JayBirdz. Everything that letter claims the author was doing was more than possible with the Flame malware installed on a target's computer. I have to agree with Precusor on this one. That letter seems very similar to what Flame was designed to do, and the targeted regions are all of high-priority interest to the Mossad. Besides, the Mossad have not always been very forthcoming with intel in the past. The answer to your questions about why the FBI and law enforcement didn't know these things is probably because Mossad was the only agency that knew Flame existed. They simply didn't have access to it or even know of its existence.

     

    Bren

    It doesn't match with how Jake Davis was taken down. It really doesn't.. Ok, so I might have been off on the China mark. I based it off of the BBC article.

    The fact that he was number 2 on the totem pole. He was almost the last to have been picked up.

    The feds had help from a VPN provider to nab Jake. 

    The feds cut a deal with Sabu. Flipped him to a rat.

    Why would they have had to have done this if Flame was on these machines?

     

    Maybe.. I dunno..

    Just because the Mossad knew who Topiary was doesn't mean they told any other agency. Like I said, the Israelis, and Mossad in particular, have never been known to share intel unless they deemed it absolutely necessary. If they had this wonderful espionage tool, they would definitely try to keep it as secret as possible. Would you give up your hotline to hundreds or possibly thousands of enemy operatives across the whole Middle East just to nab a few kids with too much time on their hands? You need to look at the bigger picture here.

     

    Bren

    Yeah, that's fair enough.  That's why I edited to say maybe. I dunno...  After thinking about it for a second, I was a bit too quick to post that.

  • DOGMA1138 Member Uncommon Posts: 476
    Originally posted by Precusor

    Anonymous attacked Israeli commercial sites once...and the Mossad responds with this open letter.

    Now notice what the Mossad says and read up on what the Flame malware can do.

     

    Date: FEB 12TH, 2012

    http://pastebin.com/pVmAZqWY

     

     

    Very fake, horrid English.

    The Mossad does not care about Anonymous or other hacktivists, or hackers. They've got a bit more important things on their plate, like reducing the traffic problem in Iran one car at a time, or playing "tennis" with Hamas-affiliated arms dealers in Dubai.

    No one would invest so much effort in tracking down kids that launch DoS and defacement attacks against commercial sites; heck, even if they stole every bank account detail of every Israeli citizen it would still not be enough to put those kids from Anonymous on Mossad's target list.

    Flame was used for a single purpose, and it is to gather intelligence, mainly to provide a platform for cross-referencing intel. Even without screenshots, keylogging, and tapping into the built-in microphone, the Bluetooth and Wi-Fi data alone is priceless. Bluetooth allows you to identify cell phones which are being used by the targets and by people they know; every Bluetooth device has a device address (BD_ADDR) which can easily be resolved to an IMEI of a cellphone, or a service tag/serial number of another BT device. This information alone can give you cellphone numbers, or even some sort of money/credit card trace if you are able to trace the sales of some of the devices back to their users or to whoever gave it to them. Wi-Fi allows you to pinpoint the targets very accurately, and also provides you with crude ways to track their paths and routines. If 4 of your targets meet every Tuesday in a place where there is an AP called "Ahmed and Salim Coffee Shop", that makes them quite easy to track. And since most APs in the world, even in shitholes in the ME, were geotagged by someone somewhere, you don't even have to go out of your way to find that place.

    The Bluetooth can also be used to track targets in a crowd, or heck, even to detonate an explosive device: plug a BT device into a detonator and configure it to pair with a specific BD_ADDR, and when that device gets in range - boom :) Heck, with BT sniping you can grab a BT signal and at least do the first part of the handshake up to about 2 km on a clear day, so if you're really up for it you can even use it to deliver precision munitions such as a guided missile or a kamikaze drone.

    In any case, there is nothing "revolutionary" or "interesting" about Flame, just as it was with Duqu or Stuxnet, other than the fact that malware is used as a tool in traditional clandestine operations, which was not possible even a decade ago, both due to technological caps and operational doctrines.

    At the end of the day, a gun to someone's head works just as well as a keylogger when you need to get a password, and it's much more reliable. It took quite a while for agencies like the CIA, NSA, Mossad, or whoever you think or actually might be behind these attacks to be willing to accept the new methodologies and to develop new doctrines - and now finally we see the fruits of that labor.

    Honestly, I can't wait to see the first area-denial malware, a true "city killer" which will be designed to take down metro infrastructure from traffic lights to sewer control and cell towers; I would say it would be much more civilized than a nuke :)

    PS: WTF is Israeli Occupied Territories? It's either Judea and Samaria/West Bank, or the Palestinian Occupied Territories; last time someone tried to occupy Israel it didn't end up well for those folks.

     

     

  • Brenelael Member Uncommon Posts: 3,821
    Originally posted by DOGMA1138

    PS: WTF is Israeli Occupied Territories? It's either Judea and Samaria/West Bank, or the Palestinian Occupied Territories; last time someone tried to occupy Israel it didn't end up well for those folks.

    The Gaza Strip and the West Bank. Israel took these territories during the "Six Day War" in 1967 when they kicked a good majority of the rest of the Middle East's ass and sent them packing.

     

    Bren

    while(horse==dead)
    {
    beat();
    }

  • DOGMA1138 Member Uncommon Posts: 476

    I know :) but it's either called Palestinian Occupied Territories or WB/Gaza :P, not Israeli Occupied Territories ;)

     

  • spizz Member Uncommon Posts: 1,971

    Origin of STUXNET revealed 

    The famous computer worm, and the first spy malware discovered on industrial systems, first seen in 2010, is back in the news.

    In 2010 several factories from SIEMENS were infected, as well as customers in multiple countries in Europe, the USA and Asia. Power stations, chemical factories and industrial manufacturing plants were affected. In the same year STUXNET infected Iranian nuclear plants to sabotage them, and the same software was found in China infecting millions of computers. 

    Now the USA confirms that they ordered the cyberwar attacks....unbelievable.

    http://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html

     

    Who is behind FLAME?....... the obvious suspicions, like always, but since FLAME did attack the Middle East again, the oil industry of Iran, you can bet on it.
