Tag Archives: Flame

Discovery of new “zero-day” exploit links developers of Stuxnet, Flame

Quite interesting news:

An early version of Stuxnet dating back to 2009 contained executable code that targeted what was then an unknown security flaw in Microsoft Windows, a discovery that brings the number of zero-day vulnerabilities exploited by the malware to at least five, researchers from Kaspersky Lab said Monday morning. Even more significantly, they discovered that a 6MB chunk of code found in the Stuxnet.A (1.0) variant contained the guts of today’s Flame. In addition to unearthing previously overlooked data about how Stuxnet hijacked targeted networks, the discovery is important because it establishes the first positive connection between the developers of Stuxnet and those behind Flame, which came to light two weeks ago as a highly sophisticated espionage platform that targeted computers in Iran and other Middle Eastern countries.

The techie in me is boggled at the resources they poured into discovering zero-day exploits, applications to exploit them, and the entire malware package wrapped around it.

The citizen in me is just amazed that the U.S. government is comfortable committing so much sabotage, espionage, and military action against nations with which we are not at war.  It’s just another reminder that you cannot trust your government.

via Discovery of new “zero-day” exploit links developers of Stuxnet, Flame | Ars Technica.

When Antivirus Fails, All Is Not Lost

It’s at times like these that defense in depth really shines!

To detect targeted threats, companies must first be more aware of what is going on in their networks, Percoco says. By watching for events — and not just suspicious activity — a company can detect the existence of an infection. Known as indicators of compromise, or IOCs, these events can tip a company off that something unwanted is inside the firewall.

[…]

Finally, companies can take the “deny all” approach to applications, just like the recommended practice for firewall rules. Known as whitelisting, the defensive technology allows only known good programs to run on systems. With millions of variants of malware being generated every year, focusing on the 10,000 to 25,000 programs running on a typical system make more sense, Bit9’s Sverdlove says.

I expect whitelisting to become more popular, and hopefully, much easier.  The main problem I’ve seen with whitelisting is that the basic set of apps is easy to enumerate and whitelist, but then as patches get rolled out — nearly every other week for Java and Firefox — the app must be re-whitelisted.   It just doesn’t seem to scale well when you have lots of users roaming around with lots of applications, and lots of updates, and lots of broken, no-longer-whitelisted applications.

via When Antivirus Fails, All Is Not Lost – Dark Reading.

Iran-targeting Flame malware used huge network to steal blueprints

It is quite an impressive sample of software engineering and deployment:

Attackers behind the Flame espionage malware that targeted computers in Iran used more than 80 different domain names to siphon computer-generated designs, PDF files, and e-mail from its victims, according to a new analysis from researchers who helped discover the threat.

The unknown authors of Flame shut down the sprawling command-and-control (C&C) infrastructure immediately after last Monday’s disclosure that the highly sophisticated malware had remained undetected for at least two years on computers belonging to government-run organizations, private companies, and others. The 80 separate domain names were registered using a huge roster of fake identities, and some of the addresses were secured more than four years ago.

“The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008,” Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. “In general, each fake identity registered only 2-3 domains, but there are some rare cases when a fake identity registered up to 4 domains.”

Names used to obtain the domains included Adrien Leroy, Arthur Vangen, George Wirtz, Gerard Caraty, Ivan Blix, and at least 15 others. They claimed to reside in a host of cities in Europe and elsewhere, in some cases at addresses that turned out to belong to hotels such as the Appart’Hotel Residence Dizerens in Geneva or, with a slight modification, the Apple Inn in Amsterdam. Other fake identities used addresses of shops, organizations, or doctor’s offices. Because of the effectiveness and complexity of Flame and its targeting of Iran and other Middle Eastern computers, researchers have speculated it was sponsored by a wealthy nation-state.

via Iran-targeting Flame malware used huge network to steal blueprints | Ars Technica.