Powerful "Flame" cyber weapon found in Iran


Userlevel 7
Badge +56
Great info on this Flame Malware!
 
"Privately held Webroot said its automatic virus-scanning engines detected Flame in December 2007, but that it did not pay much attention because the code was not particularly menacing.

That is partly because it was easy to discover and remove, said Webroot Vice President Joe Jaroch. "There are many more dangerous threats out there today," he said."
 
Full Article: http://www.reuters.com/article/2012/05/28/net-us-cyberwar-flame-idUSBRE84R0E420120528

16 replies

Userlevel 3
Here is another interesting article regarding Flame.
Userlevel 7
Badge +56
More info and Quotes from JoeJ in other articles!
 
"Yes, it is a highly modular piece of code with many components, but that doesn't equate to the conventional term of complexity with regard to threats," Webroot's Jaroch remarked. Server-side polymorphic malware, which has been around for several years, is "orders of magnitude more complicated."
Further, while Flame does use differing algorithms, "none of them are challenging," Jaroch said. They're "significantly outdated and easily broken automatically by current security technology."
Although Flame covers several areas that some threats don't, none of them are unique, Jaroch pointed out. "One of the frequently commented-on aspects of Flame is that it collects the name of every file on the system but even this is far from revolutionary. Most backdoor Trojans have significantly more functionality than this -- Rbot, SubSeven and Bifrost, to name a few."
 
"Whether sKyWIper is the most complex [malware] ever or not has no bearing on whether or not Iran's CERT can come up with a remediation tool to remove the infection," McAfee's Marcus pointed out. "A full detailed analysis of sKyWIper is of a level of analysis way deeper than is required to come up with remediation tools."
As for Flame's complexity, Webroot "automatically developed a solution in 2007 ... and it would not be difficult for Iran to develop a solution either in our opinion."
 
http://www.technewsworld.com/story/75239.html
 
"Joe Jaroch, a leading researcher at Webroot, is less impressed by Flamer. He's not convinced that a nation-state's resources would have been required for its creation. "This was definitely not developed by a single person," said Jaroch, "but assuming it is a nation behind the code would probably be underestimating the abilities of private malware authors. Threats like TDL4 provide a much stronger set of functionality and obfuscation."
Flamer's complexity, notes Jaroch, "doesn't equate to the conventional term of complexity with regard to threats. Server-side polymorphic malware which layers together multiple components dynamically protected by rootkits have been around for several years and are orders of magnitude more complicated," said Jaroch. He added, "Using 20 times more code than Stuxnet doesn't necessarily mean that it is 20 times stronger."
 
http://securitywatch.pcmag.com/security-spyware/298405-flame-malware-cybergeddon-or-old-news
 
"A Webroot spokesperson says the security vendor takes issue with the hyperbolic claims about ‘Flame’, and claims the underlying threat has been known since 2007. “In terms of sophistication we believe it is nowhere near Zeus, Spyeye or TDL4 for example. Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it--essentially a 2007 era technology.
There is one element of ‘Flame’ that Webroot believes may be unique, though. Many antimalware tools use some form of reputation analysis to help determine if a given program is malware or not. Essentially, if the executable has been seen before, and hasn’t done any previous harm it gets a bit of a “free pass”--it has proven itself and earned some level of trust.
Webroot feels that the amount of time that has passed between the initial development of the underlying ‘Flame’ code and its active use as a tool for cyber espionage or cyber warfare may have been an intentional effort to game the reputation system and sneak in under the radar.
Early analysis suggests that ‘Flame’ is a complex, sophisticated threat. In terms of the actual size of the programming code behind it, ‘Flame’ is massive. Depending on the source, though, ‘Flame’ is either the most dangerous, insidious malware threat ever discovered, or simply a solid cyber attack that caught much of the industry with its proverbial pants down."
 
http://www.pcworld.com/businesscenter/article/256376/flame_lethal_cyberweapon_or_media_hype.html
 
TH

Userlevel 7
Badge +4
Thanks for the great posts, TH! We thought this line you pointed out was particularly interesting in the PC World article.
 
Webroot feels that the amount of time that has passed between the initial development of the underlying ‘Flame’ code and its active use as a tool for cyber espionage or cyber warfare may have been an intentional effort to game the reputation system and sneak in under the radar.
 
We'll try to keep you posted as we hear more on this story, but you've got a pretty good news radar too! 
Userlevel 7
Badge +56
Computer Security Companies Debate Flame's Origins?
 
A discussion with a few Anti-Malware companies including JoeJ of Webroot! Also if you want you can click on the Radio Button to Listen to the Story at the top left of the page in the Article!

 
http://www.npr.org/2012/05/30/153970997/computer-security-companies-debate-flames-origins
 
TH
Userlevel 7
Badge +56
Some more articles on this malware; the other security vendors make it so funny when (Prevx) Webroot knew about it in 2007!
 
Thanks HowardR for these links! ;)
 
http://securitywatch.pcmag.com/security-spyware/298425-flamer-isn-t-a-stuxnet-spinoff
 
http://www.euronews.com/newswires/1532850-powerful-flame-cyber-weapon-found-in-iran/
 
TH
 
 
Userlevel 7
Badge +56
Here are 3 Videos from CNN!
 
http://www.cnn.com/video/#/video/tech/2012/05/29/flame-malware.cnn
 
http://www.cnn.com/video/#/video/bestoftv/2012/05/30/exp-eb-proxy-war-with-iran.cnn 
 
And this one is after the Italy tragedy. I hope our friends there are safe, Marco Giuliani and the other Webroot team members?
http://www.cnn.com/video/#/video/bestoftv/2012/05/30/exp-eb-outer-circle-cyber-attacks.cnn
 
TH
Hi Daniel,
 
thank you  :)
 
Yes, thankfully I'm fine and the other Italian guys are fine as well. None of us actually lives where the earthquake happened. Anyway, people there are having a very bad time 😞 Last night there were more than 30 smaller earthquakes.
 
I'm used to "big" earthquakes though; the one in Italy in 1997 happened exactly where I'm living (http://news.bbc.co.uk/onthisday/hi/dates/stories/september/26/newsid_2538000/2538651.stm). After months, the final statement about it was that the two main earthquakes measured magnitude 5.8 and 6.1 respectively on the Richter scale.
 
Cheers,
 
Marco
Userlevel 2
I'm glad to hear that you're ok Marco! Where would we be without you? 🙂
Userlevel 7
Badge +56
@ wrote:
Hi Daniel,
 
thank you  :)
 
Yes, thankfully I'm fine and the other Italian guys are fine as well. None of us actually lives where the earthquake happened. Anyway, people there are having a very bad time 😞 Last night there were more than 30 smaller earthquakes.
 
I'm used to "big" earthquakes though; the one in Italy in 1997 happened exactly where I'm living (http://news.bbc.co.uk/onthisday/hi/dates/stories/september/26/newsid_2538000/2538651.stm). After months, the final statement about it was that the two main earthquakes measured magnitude 5.8 and 6.1 respectively on the Richter scale.
 
Cheers,
 
Marco
Good to hear that you and the other team members are well!
 
Cheers,
 
Daniel 😉
Userlevel 7
Badge +56
Some more new info from the New York Times!
 
"Joe Jaroch, a vice president at Webroot, an antivirus maker, says he first encountered a sample of Flame in 2007. He says he did not publicize the discovery because he did not consider the code sophisticated. “There are many more dangerous viruses out there,” he said. “I would be shocked if this was the work of a nation state.”
 
http://www.nytimes.com/2012/06/04/technology/cyberweapon-warning-from-kaspersky-a-computer-security-expert.html?_r=1
 
TH
Userlevel 7
Badge +37
Hello,

Iran's CERT detected this virus with Prevx or Webroot software,

then they understood that the other security AVs did not detect it.

Then they themselves or Kaspersky analysed it (I think they did it themselves).

They also issued news about it, and sent a sample to Kaspersky.

The Iranian CERT issued news about it, but Kaspersky leaked the news and said they had detected the virus.

I think the USA or Israel did not make this virus.

Thank you
Best Regards,
Userlevel 7
@ wrote:
Hello,

Iran's CERT detected this virus with Prevx or Webroot software,

then they understood that the other security AVs did not detect it.

Then they themselves or Kaspersky analysed it (I think they did it themselves).

They also issued news about it, and sent a sample to Kaspersky.

The Iranian CERT issued news about it, but Kaspersky leaked the news and said they had detected the virus.

I think the USA or Israel did not make this virus.

Thank you
Best Regards,


If I understand correctly, you say that the Iranian Computer Emergency Response Team (CERT) detected this virus using Prevx or Webroot SecureAnywhere. 
 
Is this something you think happened or something you know happened?  I'm curious. 🙂
Userlevel 7
Badge +37
Yes,

This is like a puzzle; you must find the pieces and put them together step by step.

We know the Iranian CERT has a special relationship with Kaspersky and their partners.

But about Flamer, when I searched and found the puzzle parts, I got this result:

"

Iran's CERT detected this virus with Prevx or Webroot software,

then they understood that the other security AVs did not detect it.

Then they themselves or Kaspersky analysed it (I think they did it themselves).

They also issued news about it, and sent a sample first to Kaspersky.

The Iranian CERT issued news about it, but Kaspersky leaked the news and said they had detected the virus.

"

Then the Ir-Cert Iranian manager, very nervous, said that Ir-Cert detected Flamer, not Kaspersky. :D

Although I must say: the dispute between IR-Cert and Kaspersky is like a husband and wife fight. 😃 Not really.

Also, anyone who wants to understand this puzzle must have experience of the AV market and know some of the relationships in this region.

Have a best time.
Userlevel 7
I couldn't say myself.
 
I know that the exact (like, MD5-exact, not "an old version") Flame malware was in the Prevx database back years ago, and nobody bothered to investigate it because it was soooooo very boring and unimpressive.  Modular?  Yeah, with a lot of bloat.  That's like calling a bag for lunch impressive because there's not only a wrapped sandwich in it, but also a piece of fruit and a napkin and a spork and a cookie.  The bag is still just a bag.  If Iran had been running Prevx or WSA on their systems consistently, they would not have gotten the Flame infection at all.
 
The one thing that anybody can say about any industry is that it's industry.  It's powered by income and convincing people to give one money.  The AV industry is no different, so anything to get one's name out there in a big way is effectively free advertising.  McAfee made SecurityScan and pays Adobe to give it out automatically with Flash and Reader, for example.  Sadly, the whole industry has almost entirely been built on scare tactics ("Get US or you're not secure!"), without admitting that they are not 100% secure, and then brushing off customers who get infected.  At the very least, we admit that we know nothing is 100%, and we help people who get infected for free.
 
I don't know what to say about the Iran and Kaspersky aspect of the situation.  I don't know whether there is corporate stuff or political stuff or whatever going on.  But it was sad to see everybody running around yelling about it when it's nothing new or interesting.
Userlevel 7
Kit wrote:
Sadly, the whole industry has almost entirely been built on scare tactics ("Get US or you're not secure!"), without admitting that they are not 100% secure, and then brushing customers who get infected off.  At the very least, we admit that we know nothing is 100%, and we help people who get infected for free.
This statement is so true. Just look at some of the antivirus / anti malware security forums. Very good point Kit.
 
"Webroot Employees help people who get infected". The people who know the guts to their security software. This is another point why I like running Webroot. :D  Also remember, the help is FREE ! 😃
Userlevel 7
Badge +37
Hi Kit,

Yes, I understand you.

You said: "If Iran had been running Prevx or WSA on their systems consistently, they would not have gotten the Flame infection at all."

For some reasons, many Iranian users do not use Webroot or Prevx.

These reasons are marketing and policy reasons, and I think the forum is not a good place to talk about them.

Although we try to promote Webroot in this region; even Webroot's rank on Alexa some 4-5 months ago was about 4000 in Iran (ir), and I am sure some users install Webroot SecureAnywhere.

I know Webroot is a big security company, but I must admit that after more than 4-5 months of using Webroot's new products, one can trust it.

I know Webroot's managers, like me, understand this and know Webroot is putting some policies in place to solve this problem. 😃 I think it is better not to talk about it on the forum.

http://www.csoonline.com/article/712764/webroot-s-big-cloud-gamble

Relations in this region, and especially in Iran, are very complex.

Thanks,
Durantash
