Tuesday, June 12, 2012

Elder of Ziyon
From Kaspersky Lab:
  • Kaspersky Lab discovered that a module from the early-2009 version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.
  • This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.
  • This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.
  • The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025.
  • Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.
  • Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new “zero-day” vulnerabilities.
In other Flame news, over the weekend the infected computers still reachable by Flame's remaining command and control servers were ordered to destroy (almost) all traces of the malware.
Earlier this week, Kaspersky Lab noted that within hours of researchers announcing the discovery of Flame, the command and control infrastructure behind it went dark. This infrastructure matters because a fresh Flame infection is configured to contact a number of these servers and then run the control scripts they serve. By 28 May, the day Flame's details began to emerge, requests for those scripts were being answered with HTTP 403/404 errors, hampering efforts to learn more about the servers behind the malware.

Kaspersky Lab, with the assistance of GoDaddy and OpenDNS, attempted to sinkhole the malware's command and control domains; however, Symantec noted that this effort was only partially successful. Flame's authors still controlled a few command and control servers, enough to communicate with some of the infected computers.

"[Flame's authors] had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider," Symantec wrote on its blog.
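The operational lesson of the paragraphs above is that a host which keeps asking a dark or sinkholed C&C domain for its control script is still infected, whatever status code it gets back. The following Python is an added example for this post, not code from Kaspersky, Symantec or the original article: it walks constructed proxy log lines and reports every client that contacted a domain on a (hypothetical) sinkhole list, together with the status codes it received. The log format, the `.invalid` domain names and the IP addresses are all made up for the demo; a real list would come from the responders doing the sinkholing.

```python
"""Added example: find hosts beaconing to sinkholed/dark C&C domains in proxy logs.

Assumptions (not from the page): the log line format, the client IPs and the
domain names below are constructed for this demo. A 403/404 from the server is
NOT evidence the client is clean; the request itself is the indicator.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical sinkholed / known-bad C&C domains (placeholders in the reserved .invalid TLD).
SINKHOLED_DOMAINS = {"c2-example-a.invalid", "c2-example-b.invalid"}

# Constructed sample proxy log. Format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2012-05-28T09:12:01Z 10.0.3.17 GET http://c2-example-a.invalid/cgi-bin/script.php 403
2012-05-28T09:12:05Z 10.0.3.17 GET http://c2-example-a.invalid/cgi-bin/script.php 404
2012-05-28T09:15:44Z 10.0.3.42 GET http://www.example.org/index.html 200
2012-05-28T10:02:13Z 10.0.7.9 POST http://c2-example-b.invalid/upload.php 200
2012-05-28T10:30:00Z 10.0.3.17 GET http://c2-example-b.invalid/cgi-bin/script.php 403
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields; hostname is taken from the URL."""
    ts, client, method, url, status = line.split()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": urlparse(url).hostname,
        "url": url,
        "status": int(status),
    }


def find_beaconing_hosts(log_text: str, bad_domains=SINKHOLED_DOMAINS) -> dict:
    """Return {client_ip: {"hits": n, "statuses": {code: n}, "domains": set()}}.

    Every contact with a listed domain counts, regardless of the HTTP status:
    after Flame's infrastructure went dark, infected hosts kept requesting their
    control scripts and simply got 403/404 back.
    """
    hits = defaultdict(lambda: {"hits": 0, "statuses": defaultdict(int), "domains": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] in bad_domains:
            entry = hits[rec["client"]]
            entry["hits"] += 1
            entry["statuses"][rec["status"]] += 1
            entry["domains"].add(rec["host"])
    return dict(hits)


if __name__ == "__main__":
    for client, info in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        codes = ", ".join(f"{c}x{n}" for c, n in sorted(info["statuses"].items()))
        print(f"{client}: {info['hits']} request(s) to {sorted(info['domains'])} (status {codes})")
```

Running it flags 10.0.3.17 (three requests, all answered 403/404) and 10.0.7.9 (one successful POST to a server the authors apparently still controlled), and ignores 10.0.3.42. The point of keeping the status-code breakdown is triage: a client that only ever sees 403/404 is talking to a dead or sinkholed server, while a 200 means live tasking is still possible.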

From there, infected machines received a new module from the remaining command and control servers, browse32.ocx, whose purpose is to cover Flame's tracks. It carries a hit-list of Flame-related files and folders to delete, and it overwrites their contents with random characters before deleting them so that the old data cannot be recovered from disk.

There is one exception to the firing squad: a temporary file, ~DEB93D.tmp. According to CrySyS' research (PDF), it is an encrypted file containing a SQLite database of NetBIOS name look-ups. In theory, it would allow forensic teams to determine the names of all the computers Flame was able to see and possibly infect.

Researchers have not agreed on whether sparing this file was intentional or an oversight by Flame's authors, but its presence is already being used as a provisional indicator of whether a computer is, or was, infected by Flame.
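Since the leftover file is the one indicator the wiper module spares, a responder would want a quick check for it that also says whether what was found is the encrypted blob CrySyS describes or just a stray plaintext SQLite file with the same name. The Python below is an added example for this post, not code from CrySyS, Kaspersky or Symantec. Only the filename ~DEB93D.tmp comes from the page; the SQLite magic header is a public file-format fact, and the entropy threshold, the directory layout and the fixture files are assumptions constructed for the demo.

```python
"""Added example: scan a directory tree for the ~DEB93D.tmp artefact and classify it.

Assumptions (not from the page): the 7.5 bits/byte entropy threshold and the
constructed fixture tree. Real use would point scan() at the user and system
temp directories of the host under investigation.
"""
import math
import os
import tempfile

INDICATOR_NAME = "~DEB93D.tmp"                 # filename reported by CrySyS
SQLITE_MAGIC = b"SQLite format 3\x00"          # header of an unencrypted SQLite 3 file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random or encrypted data, much lower for structured files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path: str, sample_size: int = 64 * 1024, threshold: float = 7.5) -> str:
    """Classify a candidate file: plaintext SQLite, high-entropy (likely encrypted), or unknown."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    return "likely-encrypted" if shannon_entropy(head) >= threshold else "unknown"


def scan(root: str) -> list:
    """Walk root and return (path, classification) for every indicator file found.

    The comparison is case-insensitive because Windows filesystems are.
    """
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == INDICATOR_NAME.lower():
                path = os.path.join(dirpath, name)
                found.append((path, classify(path)))
    return found


def demo_tree() -> str:
    """Constructed fixture: one random-byte indicator (stands in for the encrypted
    blob), one decoy that really is a plaintext SQLite header, one unrelated file."""
    root = tempfile.mkdtemp(prefix="flame-ioc-")
    os.makedirs(os.path.join(root, "Temp"))
    with open(os.path.join(root, "Temp", INDICATOR_NAME), "wb") as f:
        f.write(os.urandom(8192))
    os.makedirs(os.path.join(root, "other"))
    with open(os.path.join(root, "other", INDICATOR_NAME.upper()), "wb") as f:
        f.write(SQLITE_MAGIC + b"\x00" * 100)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"nothing to see here")
    return root


if __name__ == "__main__":
    for path, verdict in scan(demo_tree()):
        print(f"{verdict:18s} {path}")
```

A hit classified as likely-encrypted is worth preserving with a hash and a copy before anything else touches the box, since the rest of the infection has, by the page's account, already been overwritten; a plaintext-sqlite hit can be opened directly and is probably unrelated. The entropy heuristic is deliberately loose (any compressed file also scores high), so it ranks candidates for a human rather than deciding on its own.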

CIO magazine gives backhanded praise to the (presumed) US programmers who made Stuxnet, and, presumably, Flame:
Even though many folks suspected Flame was made in the U.S.A., this is as close as anyone has come to saying so. As an American I feel a wee-bit of national pride. So what if our critical utilities infrastructure is less secure than my son’s piggy bank? And so what if the government’s defense and intelligence networks are more compromised than a herd of Kardashians? We made the coolest piece of malware since William Gibson invented Black Ice in Neuromancer.

