I have been reading about the new Flame (aka Flamer, aka sKyWIper) "supervirus."
[AAaaaarrrrrrggggghhhh!!!!!!!! Sorry. I will try and keep the screaming, in my "outside voice," to a minimum.] >From http://www.telegraph.co.uk/news/worldnews/middleeast/iran/9295938/Flame- worlds-most-complex-computer-virus-exposed.html This "virus" [1] is "20 times more powerful" than any other! [Why? Because it has 20 times more code? Because it is running on 20 times more computers? (It isn't. If you aren't a sysadmin in the Middle East you basically don't have to worry.) Because the computers it is running on are 20 times more powerful? This claim is pointless and ridiculous.] [I had it right the first time. The file that is being examined is 20 megabytes. Sorry, I'm from the old days. Anybody who needs 20 megs to build a piece of malware isn't a genius. Tight code is *much* more impressive. This is just sloppy.] It "could only have been created by a state." [What have you got against those of us who live in provinces?] "Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats." [So? We had RATs that could do that at least a decade ago.] "... a Russian security firm that specialises in targeting malicious computer code ... made the 20 megabyte virus available to other researchers yesterday claiming it did not fully understand its scope and said its code was 100 times the size of the most malicious software." [I rather doubt they made the claim that they didn't understand it. It would take time to plow through 20 megs of code, so it makes sense to send it around the AV community. But I still say these "size of code" and "most malicious" statements are useless, to say the least.] It was "released five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt." [Five years? Good grief! This thing is a pretty wimpy virus! (Or self-limiting in some way.) Even in the days of BSIs and sneakernet you could spread something around the world in half a year at most.] "If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about." [Yeah. Like "not reproducing."] "The file, which infects Microsoft Windows computers, has five encryption algorithms," [Gosh! The best we could do before was a couple of dozen!] "exotic data storage formats" [Like "not plain text."] "and the ability to steal documents, spy on computer users and more." [Yawn.] "Components enable those behind it, who use a network of rapidly-shifting "command and control" servers to direct the virus ..." [Gee! You mean like a botnet or something?] Sorry. Yes, I do know that this is supposed to be (and probably is) state- sponsored, and purposefully written to attack specific targets and evade detection. I get it. It will be (marginally) interesting to see what they pull out of the code over the next few years. It's even kind of impressive that someone built a RAT that went undetected for that long, even though it was specifically built to hide and move slowly. But all this "supervirus" nonsense is giving me pains. [1] First off, everybody is calling it a "virus." But many reports say they don't know how it got where it was found. Duh! If it's a virus, that's kind of the first issue, isn't it? ====================== (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org Any American was bred to want to take over things; your water supply, your mineral deposits, your entire country, your wife ... Something American had happened to his wife ... there was no other possible explantion. - `The Whirlpool', Jane Urquhart victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
