flat assembler
Message board for the users of flat assembler.

Another malware toolkit [20MB]

typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
I was amazed after reading this. A 20MB (rather unusual size) malware package infecting mostly Iranian computers has been seen.

Read more here:
http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

Some say the US is behind it.
Post 29 May 2012, 12:10
ManOfSteel
Joined: 02 Feb 2005
Posts: 1154
I was reading this article this morning and it's indeed pretty amazing stuff. Such a complex, all-encompassing package is a dream come true for all the virus makers!!!

Cyber warfare is really escalating.
Post 29 May 2012, 16:15
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Yes, and they estimated that it's been around for at least 2 years. That means it was never detected. The use of Lua scripting also made it hard for AV scanners to flag it as malware. Maybe 20MB Trojans are the way to go now instead of 7kB ones.

This is just amazing.
Post 29 May 2012, 19:55
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
Post 29 May 2012, 20:04
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
revolution wrote:
Or just do it in hardware.

http://www.schneier.com/blog/archives/2012/05/backdoor_found.html


Now this is like what the fuck? Oh, shit.

I hope they don't start sending us backdoored Apple devices with their cheap laborers. Because that's possible too.

Man! Well, perhaps soon people will start building their own communication devices just like computers are being built.

Quote:

Backdoors are a common problem in software. About 20% of home routers have a backdoor in them, and 50% of industrial control computers have a backdoor. The cause of these backdoors isn't malicious, but a byproduct of software complexity. Systems need to be debugged before being shipped to customers. Therefore, the software contains debuggers. Often, programmers forget to disable the debugger backdoors before shipping. This problem is notoriously bad for all embedded operating systems (VxWorks, QNX, WinCE, etc.).


I would like to hack my router just to find this but then the cost of tools.
Post 29 May 2012, 20:19
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
It still amazes me how some people can stand behind their particular favourite AV and state that they trust it implicitly since they have never had a problem. But in reality, their criteria for having a problem simply means they trust that the AV will correctly point out all such threats. And also in reality they have no idea whether they have malware or not in their system because the AV doesn't (and can't) detect all possible threats. Ignorance is bliss.

Allowing oneself to place unconditional trust in a flawed process (yes, the entire AV paradigm is flawed) leads to complacency and opens many avenues of attack.

So, this should be a wake up call to anyone that still trusts their AV: Always verify, never assume. Oh, and I almost forgot to add, delete your AV, it only leads you into a false sense of security.
Post 29 May 2012, 21:13
Tyler
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
revolution wrote:
It still amazes me how some people can stand behind their particular favourite AV and state that they trust it implicitly since they have never had a problem. But in reality, their criteria for having a problem simply means they trust that the AV will correctly point out all such threats. And also in reality they have no idea whether they have malware or not in their system because the AV doesn't (and can't) detect all possible threats. Ignorance is bliss.
That also has the interesting implication that, by those criteria, an AV that willfully doesn't do anything will be perceived as the most effective.
Post 30 May 2012, 01:51
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
Tyler wrote:
That also has the interesting implication that, by those criteria, an AV that willfully doesn't do anything will be perceived as the most effective.
And here is my newest uber-ultra-super-AV. I have just completed it now. Guaranteed to never give false positives or false negatives. Will never screw up your system. Doesn't require admin rights to run. Just does its job with no hassle.
Code:
include 'win32ax.inc'
.code
start: invoke Sleep,-1      ; Sleep(INFINITE): block forever, scan nothing, report nothing
.end start
Post 30 May 2012, 02:06
ManOfSteel
Joined: 02 Feb 2005
Posts: 1154
revolution wrote:
Allowing oneself to place unconditional trust in a flawed process (yes, the entire AV paradigm is flawed) leads to complacency and opens many avenues of attack.
[...]
delete your AV, it only leads you into a false sense of security.

I've been telling people exactly that for many years and they always think I must be mad or something and just try to "prove" that their AV of choice is The Shit, that what I propose is unnecessarily risky, that actually managing their system (and its security) is too much of a hassle for a "normal computer user" and that they should instead let the software (e.g. AV) be the sysadmin.

And then, from time to time, experts discover malicious code that has been in the wild for months (or years) without being detected... and the AV war continues... :/
Post 30 May 2012, 20:43
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Click here to see Miley Cyrus naked. pic0.jpg hehehehe
Post 30 May 2012, 21:03
rugxulo
Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
typedef wrote:
Click here to see Miley Cyrus naked. pic0.jpg hehehehe


Not the side boob! Razz

EDIT: Nah, decided against snarky link to dopey pic, heh, too pointless. (The mass media will report anything, "side boob" is not news!!)
Post 01 Jun 2012, 16:19
DOS386
Joined: 08 Dec 2006
Posts: 1901
> A 20MB (rather unusual size) malware package infecting mostly Iranian computers

Where can I download it ???

Ideas to make things even better:

- Attack USA + Israel instead of Iran

- Code it in FASM (will be <= 200 KiB instead of incredible 20 "MB")

- Develop something useful instead of viriiii
Post 15 Jun 2012, 04:16
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
Part of the reason it went undetected was because it was so large. If you rewrote it and shrunk it to 200kB then it might get detected by one of the pointless AVs.
Post 15 Jun 2012, 05:22
Dex4u
Joined: 08 Feb 2005
Posts: 1601
Location: web
There are two sides to this story: some so-called experts say it's very sophisticated and others say it's crap bloat.
I am on the crap bloat.
See here:
http://www.dailymail.co.uk/news/article-2152757/Was-flame-virus-written-gamers-Code-similar-apps-Angry-Birds.html
Quote:

Part of the reason it went undetected was because it was so large. If you rewrote it and shrunk it to 200kB then it might get detected by one of the pointless AVs.

It went undetected because it was signed by M$.

But I do agree size does matter, as adding an image to detected code can make it FUD.
Post 15 Jun 2012, 13:13
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
Dex4u wrote:
... it was signed by M$.
This is not quite correct. It did indeed have a valid certificate but it was a faked cert. And BTW, it is no easy matter to fake a cert. From what I have seen, just the cert alone required enormous computational time to find. So that alone means it had some serious support structure (i.e. a government) behind it.
Post 15 Jun 2012, 13:39
Dex4u
Joined: 08 Feb 2005
Posts: 1601
Location: web
revolution wrote:
Dex4u wrote:
... it was signed by M$.
This is not quite correct. It did indeed have a valid certificate but it was a faked cert. And BTW, it is no easy matter to fake a cert. From what I have seen, just the cert alone required enormous computational time to find. So that alone means it had some serious support structure (i.e. a government) behind it.


From my understanding, it was a real one that used a "licensed Terminal Server"
M$ made a mistake (as in, if you get caught, this is what we will say) Wink
"so what happened was some clever person, and we'll never know whom, discovered that certificates issued for Microsoft Terminal Server could be used to sign code."

You can read Steve Gibson pod cast transcript here:
http://www.grc.com/sn/sn-356.txt

PS: I am not saying it does not have a government behind it, I am saying governments and computer programs do not go together well.

Also if it was Japanese, it would be very small and compact, and still have everything you need.
If it was American it would be the biggest virus ever or bloat ware.
Post 15 Jun 2012, 18:48
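The Gibson transcript quoted in the post above describes a certificate issued for one purpose (Terminal Server licensing) being accepted for a different one (code signing). The Go program below is an added example, not code from this thread, from Flame, or from Microsoft. It builds a constructed certificate hierarchy (root, issuing CA, two leaves; every name and serial is invented) and shows the check a defender wants in a code-signature verifier: every certificate on the chain must permit the code-signing extended key usage, so a leaf issued only for TLS server authentication is rejected for code signing while a leaf issued for code signing passes. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. isCA marks a CA certificate;
// eku lists the extended key usages it is issued for (nil means no EKU restriction).
func newTemplate(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed, invented name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs template with parentKey on behalf of parent (self-signed when parent is nil)
// using a freshly generated P-256 key, and returns the parsed certificate plus that key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyForCodeSigning checks that leaf chains to root via intermediate AND that every
// certificate on that path permits the code-signing extended key usage.
func VerifyForCodeSigning(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// IsUsageError reports whether err is the "chain not valid for this purpose" failure,
// as opposed to an expired certificate, a bad signature or an unknown issuer.
func IsUsageError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

// Demo builds the constructed hierarchy and verifies two leaves for code signing:
// one issued only for TLS server authentication and one issued for code signing.
// It returns the verification result of each.
func Demo() (wrongPurposeErr, codeSigningErr error) {
	root, rootKey := issue(newTemplate("Example Root CA", 1, true, nil), nil, nil)
	ca, caKey := issue(newTemplate("Example Issuing CA", 2, true, nil), root, rootKey)
	serverLeaf, _ := issue(newTemplate("some.service.example", 3, false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), ca, caKey)
	signerLeaf, _ := issue(newTemplate("Example Software Publisher", 4, false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}), ca, caKey)
	return VerifyForCodeSigning(serverLeaf, ca, root), VerifyForCodeSigning(signerLeaf, ca, root)
}

func main() {
	wrong, ok := Demo()
	fmt.Println("server-auth certificate presented for code signing:", wrong)
	fmt.Println("code-signing certificate presented for code signing:", ok)
}
```

The point of the check is that a signature being cryptographically valid and chaining to a trusted root is not enough; the verifier must also ask whether each certificate on the path was issued for the purpose at hand. Go's `x509.Verify` does this when `KeyUsages` is set, and reports the mismatch as `IncompatibleUsage`, which `IsUsageError` distinguishes from expiry or chain-building failures so that logging and alerting can tell the two cases apart.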
DOS386
Joined: 08 Dec 2006
Posts: 1901
revolution wrote:
And BTW, it is no easy matter to fake a cert. From what I have seen, just the cert alone required enormous computational time to find. So that alone means it had some serious support structure (i.e. a government) behind it.


https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
Post 16 Jun 2012, 04:23
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
DOS386 wrote:
https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
That link is not relevant to the discussion here. That link is for browser based SSL. The malware discussed here is for signed code running in a Windows system.
Post 16 Jun 2012, 04:33
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Dex4u wrote:
If it was American it would be the biggest virus ever or bloat ware.


Hahaha. NET
Post 16 Jun 2012, 18:56

Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.