
    Flame commits (partial) suicide

    An update on Flame, from BBC:

    The creators of the Flame malware have sent a “suicide” command that removes it from some infected computers.

    Security firm Symantec caught the command using booby-trapped computers set up to watch Flame’s actions.

    More technical details at Symantec:

    Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.

    Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the “uninstaller”.

    Even more at Softpedia.


    Comments


    So barry gets credit for flame, then gets whacked for spiking the football and now flame is being drenched? Sounds like a Barry the Bitch moment to me. “You don’t like me? I’ll take my malware and go play golf while the Iranians get a nuke.”


    scooby509 | June 10, 2012 at 3:34 pm

    Okay, so, correcting some misconceptions:

    Flame is not “Java-based”, it’s written in C++ and Lua, and it’s Windows-based software. As far as I can tell, the exploits it uses have nothing to do with the Java virtual machine. In some cases it got in through social engineering: someone pretended to be the target’s colleague and asked them to look at some software. It spreads through Windows network vulnerabilities and the very pedestrian exploit of Windows’ autorun feature.

    As to AV software: either they have the detection signatures for it, or they don’t. Antivirus software is incredibly simple: it scans for a string that identifies the virus. (For various reasons, it’s impossible to engineer a piece of code that self-replicates without some identifying marker.) The core of an AV engine is simply a routine that scans lots of files, everything else is picking which files to scan when, managing the database of signatures, and window dressing.

    In fairness, being thorough and fast and compatible takes some doing, and it takes some work to keep up with all the threats, but AV software, like a lot of security stuff, is 99% smoke and mirrors.

    As to whether Norton was surprised, AV companies are, by nature, always a step behind new threats, especially targeted threats. That’s because it’s maintaining a black-list, which requires that someone discovers software is bad the hard way.

    White-listing is possible, in which you keep a list of all known good software and refuse to run anything bad. In fact Apple’s iOS uses it to good effect, including doing code reviews of submitted applications. The downside is the “walled garden” problem. (Android also uses code signing, but they don’t review all software, so it’s not a proper white-list. You get more variety, less security.)
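    As an added illustration of the trade-off this comment describes (example code written for this page, not the commenter's and not any real AV engine), the script below puts a toy deny-list scanner, which flags a file when a known byte pattern appears in it, beside a hash-based allow-list, which refuses anything whose SHA-256 is not already known good. Every byte string, marker and file name in it is constructed for the demonstration and has nothing to do with real Flame samples or signatures. The point it shows is the one made above: a never-before-seen variant slips past the deny-list because the vendor has no signature for it yet, while the allow-list blocks it by default, at the cost of also blocking any legitimate program that was never enrolled.

```python
"""Added example: a toy signature (deny-list) scanner beside a hash allow-list.

Not a real AV engine and not real malware signatures: every byte string below
is constructed for illustration only.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for executables on disk.
BENIGN_PROGRAM = b"MZ\x90\x00 benign text editor build 1.0"
# Constructed marker standing in for the identifying byte string a vendor
# would extract from a captured sample and ship as a signature.
KNOWN_MARKER = b"SAMPLE_FAMILY_MARKER_v1"
CAPTURED_SAMPLE = b"MZ\x90\x00 " + KNOWN_MARKER + b" payload"
# Same family with the marker altered: the vendor has not seen this build.
UNSEEN_VARIANT = b"MZ\x90\x00 " + b"SAMPLE_FAMILY_MARKER_v2" + b" payload"

SIGNATURES = {KNOWN_MARKER}
ALLOWED_HASHES = {hashlib.sha256(BENIGN_PROGRAM).hexdigest()}


def signature_scan(data: bytes, signatures=SIGNATURES) -> bool:
    """Deny-list check: True if any known-bad byte pattern occurs in data."""
    return any(sig in data for sig in signatures)


def allowlist_check(data: bytes, allowed=ALLOWED_HASHES) -> bool:
    """Allow-list check: True only if the file's SHA-256 is enrolled as good."""
    return hashlib.sha256(data).hexdigest() in allowed


def verdict(data: bytes) -> dict:
    """Run both models and report whether each one would block the file."""
    return {
        "denylist_blocks": signature_scan(data),
        "allowlist_blocks": not allowlist_check(data),
    }


def scan_tree(root: str) -> dict:
    """Walk a directory and return {filename: verdict} for every regular file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                results[name] = verdict(fh.read())
    return results


def demo() -> dict:
    """Write the constructed samples into a temp directory and scan it."""
    samples = {
        "editor.exe": BENIGN_PROGRAM,
        "captured.exe": CAPTURED_SAMPLE,
        "variant.exe": UNSEEN_VARIANT,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:13} deny-list blocks: {str(v['denylist_blocks']):5} "
              f"allow-list blocks: {v['allowlist_blocks']}")
```

    Running it reports that `captured.exe` is blocked by both models, `variant.exe` only by the allow-list, and `editor.exe` by neither; dropping `editor.exe` from `ALLOWED_HASHES` shows the "walled garden" side of the same trade-off, since the allow-list then blocks it too.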


      WarEagle82 in reply to scooby509. | June 10, 2012 at 6:29 pm

      Glad you are here to clear up misconceptions. But nobody here said Flame was Java-based. And AV software uses more than “signature based” technology to identify malware.


    imfine | June 10, 2012 at 7:40 pm

    Just buy a Mac. Seriously, life gets pretty uncomplicated after that.

