FAQ: Flame, the “super spy”

Copied from H-Online: Source

The spyware worm Flame is being billed as a “deadly cyber weapon”, but a calmer analysis reveals it to be a tool by professionals for professionals that doesn’t actually have that many new features compared to, say, the widespread online-banking trojan Zeus.

What is Flame?

Flame is the code name for a spyware program that is built to be very modular and which is also known as Flamer and sKyWIper. Flame was just recently discovered, and it will be some time before all of its components are analyzed. Anti-virus software companies estimate that Flame has infected about 1,000 computers, mostly in the Middle East.

What does Flame do?

The spyware specializes in getting hold of many different types of information. Not only can it steal files and emails from infected computers, but it can also turn them into bugging and surveillance devices using connected microphones and webcams. It is also able to record screenshots, keystrokes, and network traffic.

But all of that is already standard for a lot of malware. Does it have anything new?

One unusual feature is that Flame is able to connect with Bluetooth devices in the area. It’s not clear yet what exactly happens in this case, but it’s possible that headsets could be used for spying or that photos could be stolen from smartphones. Machines infected with Flame seem to also be able to broadcast as Bluetooth devices that offer services. More analysis is necessary to uncover further details.

Another unique feature is the Lua interpreter that is included, which can be used to easily extend the functionality of the spyware with scripts.

A modular concept, sophisticated spying features – we’ve already seen that with Zeus and SpyEye. How is Flame different from those online-banking trojan kits?

Unlike with banking trojans, the individuals behind this program are not interested in spreading it as far and fast as possible – quite the opposite, in fact. As far as we know at this time, the worm didn’t try to spread itself at all at first, and if an initial analysis did not come up with anything useful on a system, Flame would even be deleted. Only when it received orders to do so – if the information it found looked promising – did Flame try to infect other systems using local networks, USB sticks, or other methods. And this would typically only infect up to a dozen computers. The final total of about 1,000 infected systems over the course of several years is minimal compared to Zeus and SpyEye, which each worked their way into millions of machines.

And how did Flame get onto the infected computers in the first place?

We do not know that yet, but we assume that the typical method for targeted attacks was used. In these cases, the perpetrators identify a group of people who have access to interesting information or can at least provide such access. These targets are then infected with the spyware, via specially crafted emails or USB sticks that someone has purposefully “lost” – or even by breaking into the victim’s apartment, where the software is manually installed on the targeted computer.

Who’s responsible for Flame? Israeli intelligence?

We don’t know – and we doubt we ever will. We do know that the software was developed by professionals, most likely by a whole team. In addition, it seems to have been repeatedly used in certain situations, mostly in the Middle East, with a particular focus on Iran. Conclusions could be drawn about the responsible parties, but it is important to keep in mind that we often only see what we are supposed to see in these situations.

Flame is often mentioned in the same breath as Stuxnet. Is there a connection there?

Both programs were used in a way that tends to suggest intelligence involvement, but technically they have very little in common. Stuxnet was a sabotage program that was very targeted and minimal, despite its wide range of functions; Flame, on the other hand, is a spyware program that is very powerful, universal and, at 20MB, somewhat bloated. The virus experts who analyzed the spyware could not find any significant similarities in the code, and there are many potential explanations for why the two programs were spread in part using similar vulnerabilities.

Is Flame a prototype for a modern “cyber weapon”?

Flame’s assignment has more to do with spying than with destruction. The spyware should therefore be labeled a “cyber wiretap” rather than a weapon.

What is actually special about Flame?

The spyware program seems to have been used for many years without being discovered, and until that happened, not a single anti-virus program recognized the malware. This situation shows once again how unsuitable anti-virus software is for protecting systems against targeted attacks. Anti-virus software focuses on defending machines against widespread, indiscriminate malware and is, for the most part, powerless against specialized software like Flame.

Painting a Picture of W32.Flamer

Symantec Connect: The number of different components in W32.Flamer is difficult to grasp. The threat is a well-designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into ‘apps’ and the attackers even appear to have something equivalent to an ‘app store’ from where they can retrieve new apps containing malicious functionality.

To get an idea of how all these components fit together, the best place to start is a file called mssecmgr.ocx. This is W32.Flamer’s main file and it is the first element of the threat executed by an infected computer. The file mssecmgr.ocx contains a large number of sub-components. A breakdown of the various components and how they are stored in this file is shown in Figure 1 below:

Figure 1: breakdown of the components stored in mssecmgr.ocx

Continue Reading at Symantec Connect Blog: http://www.symantec.com/connect/blogs/painting-picture-w32flamer

Google’s reCAPTCHA briefly cracked

H-Online: Hackers developed a script which was able to crack Google’s reCAPTCHA system with a success rate of better than 99 per cent. They presented the results of their research at the LayerOne security conference in Los Angeles last weekend; however, their demonstration was somewhat frustrated as, just an hour before the presentation, Google made improvements to its CAPTCHA system.

Of the various CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems, Google’s reCAPTCHA is considered to be one of the most reliable for differentiating man from machine. By requiring users to enter visually distorted alphanumeric sequences, web service providers can, for example, ensure that their registration forms are not flooded by spam bots. Rather than trying to analyze these distorted characters, the script, code-named “Stiltwalker”, analyzed the audio version of the CAPTCHAs, which Google provides for individuals who are visually impaired.

Stiltwalker makes use of various techniques, including machine learning, but it also exploits the fact that the computer voice has a very limited vocabulary. While text CAPTCHAs are highly complex, relying on a large pool of words in a variety of fonts, Google’s audio CAPTCHAs use just 58 different English words.

To make automated analysis more difficult, Google adds a background murmur which computers usually have a hard time filtering out. The hackers discovered that the background was composed of a limited number of recordings of radio programmes. The changes that Google made to reCAPTCHA shortly before the presentation render Stiltwalker impotent, but the three-man team of hackers did not let that affect the entertainment value of their presentation.

AVAST software blocked its services for embargoed countries

Petr Chocholous, responding to Iranian users who had contacted avast saying they were unable to open the website or update their antivirus, said:

AVAST Software a.s. is currently blocking access to port 80 (that effectively means websites and updates of avast! software) of its servers from the following countries: Iran, Sudan, Cuba, Syria, North Korea and Burma/Myanmar. AVAST Software a.s. [and its subsidiaries/sister companies] must not provide any services in these countries because of policies and regulations that are applicable to AVAST Software a.s.

The blog and forum are available because we hope they count as an information source/personal communication service and are therefore excluded from these regulations.

We are sorry for any inconvenience caused.

http://forum.avast.com/index.php?topic=98853.msg789135#msg789135

Text message provider to pay out for Android malware

H-Online: UK regulator PhonepayPlus (formerly known as ICSTIS) has imposed a fine of £50,000 on a payment provider used for an Android malware-based fraud and forced it to reimburse customers’ losses. Last December, unknown perpetrators posted fake versions of popular applications on Google’s Play store (formerly the Android Market) which sent out expensive premium rate text messages.

According to Android virus experts Lookout, the applications in question were based on the RuFraud malware and were customized to disguise themselves as 30-plus titles such as Angry Birds, Assassins Creed and Cut the Rope. These apps were downloaded an estimated 14,000 times, and sent out three premium rate text messages, costing £5 each, every time the user tried to open the app. Total losses to customers in the UK were estimated at £27,850.

PhonepayPlus was able to intervene before the money was transferred from payment services company A1 Agregator Limited to the perpetrators of the fraud. The UK registered limited company will now be required to return the money to affected smartphone users, including those who have not made a complaint, and pay a fine of £50,000.

Flame worm – Iran claims to discover new Stuxnet-like malware

Naked Security wrote:

The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted malware attack attacking the country, which has been dubbed Flame (also known as Flamer or Skywiper).

In a statement, researchers say that they believe the malware is “a close relation” to Stuxnet, and claim that Flame is not detected by any of 43 anti-virus products it tested against, but that detection was issued to select Iranian organizations and companies at the beginning of May.

MAHER also says that it has produced a removal tool for the malware. Whether this is built into the recently announced “Iran’s self-built anti-virus” is unclear.

Continue Reading: http://nakedsecurity.sophos.com/2012/05/28/flamer-iran-malware/

Update:

Now there are more resources about this:

Update 2:

Read the newer posts in my blog about that:

Facebook and Opera: Facebook Browser Is Imminent

Mashable: Are you ready for a Facebook browser that integrates the social networking behemoth into your online life more than ever? That’s exactly what could be on the way soon, according to one report.

A Friday Pocket-lint report cites a “trusted source” that Facebook wants to buy Opera Software — manufacturers of the Opera web browser, which claims more than 200 million users worldwide. The Facebook browser would include default menu bar plugins, further permeating Facebook into users’ general web experience, according to the report.

A Facebook spokesperson declined Mashable’s request for comment.

A custom browser would be a significant step toward Facebook becoming your web, as opposed to just an Internet site you visit and service you use. Opera’s mobile browser has received strong reviews online, meaning a functional Facebook browser using it could be even more powerful. Facebook has struggled to penetrate mobile use as deeply as many think it should be able to — and will need to in order to sustain long-term growth.

A Facebook browser would also bolster the newly public company’s competition with Google. Google Chrome recently became the web’s most-used browser, but Facebook’s gigantic user base of more than 900 million people would present a potential serious threat down the line. It would be interesting to see Facebook try to battle Google for browser dominance as Google+ struggles to play catchup in social networking.

We’ll see if the Opera rumors are true, but if Pocket-lint’s “man in the know” is even remotely hooked in, it’s not hard to imagine the arrival of a Facebook browser being only a matter of time.

How could a Facebook browser help the company take over the web — or can it? Share your perspective in the comments.

Source: Mashable

A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability

Microsoft Malware Protection Center wrote:

Recently, we’ve seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you’re using a vulnerable version, you need to update your Flash Player now to be protected against these attacks. We had a chance to analyze how the malware (sha1: e32d0545f85ef13ca0d8e24b76a447558614716c) works and here are the interesting details we found during the investigation.


Continue Reading at: http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx

Yahoo released private certificate with new extension

H-Online: Yahoo! introduced a new “browser”, Axis, last night, both as a standalone application for iPhone and iPad and as a browser extension on Chrome, Firefox, Internet Explorer and Safari. Axis is meant to offer faster, smarter searching using Yahoo’s services. Within hours of the launch, hacker and blogger Nik Cubrilovic posted on his blog that the Chrome extension came with a worrying extra, a Yahoo private certificate file which was used to sign the extension package and prove the package’s authenticity to the Google browser.

With the private key in the wild it would be possible to create and sign an extension which appeared to be from Yahoo!; Cubrilovic demonstrated this by creating “yahoo-spoof”, a lightly modified version of the extension, signed with the private certificate. According to Cubrilovic, there was no password associated with the certificate, which allowed this signing to take place, and the build script was also included in the extension.

It would have been possible, if DNS was appropriately compromised, to have updated a legitimate Axis extension with a correctly signed but malicious version. Given how new Axis is, this would have been unlikely, but leaving a private certificate in the distributed extension does raise questions over how thorough and secure Yahoo’s release process is. A member of the Axis team, Ethan Batraski, commented on various sites that Yahoo! had pulled down the Chrome extension and blacklisted the exposed certificate. The company has since released an updated version of the Chrome extension signed with a new private certificate.
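The release-process gap described above is the kind a pre-publish check catches. As an added example (not code from H-Online, Cubrilovic or Yahoo), the script below scans a zip-format package such as an extension bundle for PEM private-key blocks and reports whether each key is at least encrypted; the sample package and its key file are constructed and contain no real key material.

```python
import io
import re
import zipfile

# PEM armour for private keys, in both the legacy OpenSSL and PKCS#8 labels.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?P<label>(?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----"
)
# Legacy OpenSSL PEM files mark encryption with this header inside the block.
LEGACY_ENC_RE = re.compile(rb"Proc-Type:\s*4,ENCRYPTED")


def scan_package(data: bytes):
    """Return (member, label, encrypted) for every private key in a zip-format
    package. Input that is not a zip archive is scanned as one blob."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(n, zf.read(n)) for n in zf.namelist()]
    except zipfile.BadZipFile:
        members = [("<blob>", data)]
    for name, body in members:
        for m in PRIVATE_KEY_RE.finditer(body):
            label = m.group("label").decode()
            encrypted = label.startswith("ENCRYPTED") or bool(LEGACY_ENC_RE.search(body))
            findings.append((name, label, encrypted))
    return findings


def release_allowed(data: bytes) -> bool:
    """Release gate: any private key inside the package, encrypted or not, blocks it."""
    return not scan_package(data)


def build_sample_package() -> bytes:
    """Constructed sample: a minimal extension bundle with a stray signing key."""
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "example", "version": "1.0"}')
        zf.writestr("build/sign.pem", fake_key)
    return buf.getvalue()


if __name__ == "__main__":
    for name, label, enc in scan_package(build_sample_package()):
        print(f"{name}: {label} ({'encrypted' if enc else 'UNENCRYPTED'})")
```

A Chrome .crx file is a zip archive behind a short header, so in practice the same check is run on the unpacked zip portion of the package.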