Flame commits (partial) suicide

An update on Flame, from BBC:

The creators of the Flame malware have sent a “suicide” command that removes it from some infected computers.

Security firm Symantec caught the command using booby-trapped computers set up to watch Flame’s actions.

More technical details at Symantec:

Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.

Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the “uninstaller”.

Even more at Softpedia.

Comments

Malware and cybercrime have moved out of the small-time and into the big-time. Governments and organized crime may now be wittingly and unwittingly cooperating at various levels and ways and may now be the largest single source of malware from this point forward.

The problem is that governments make inherently stupid decisions and may not control the beast they create and unleash for very long.

    JackRussellTerrierist in reply to WarEagle82. | June 10, 2012 at 2:58 pm

    “The problem is that governments make inherently stupid decisions and may not control the beast they create and unleash for very long.”

    Of course they can’t or won’t control it. Stupidity is their business model.

kbob_in_katy | June 9, 2012 at 9:42 pm

Maybe the Blabber in Chief can clear that up for the world.

    TrooperJohnSmith in reply to kbob_in_katy. | June 10, 2012 at 12:38 am

    I’m sure Obama will promise to fix it, and then when he cannot, it will be disseminated by the Fourth Estate Fifth Column that Dubya and Rove have taken to writing spyware and malware programs in their retirement.

I received an email from Norton about a week ago informing me my computers were protected against the Flame and they had been aware of it for some time. That surprised me, but it was reassuring.

    WarEagle82 in reply to gasper. | June 9, 2012 at 10:16 pm

    I have seen PCs protected with the AV software of nearly every major vendor get creamed by JAVA-based “drive-by” hijackings that take hours if not days to clean up.

    AV software is one layer of protection and that is all. Check your PC for installed programs. What is your current version of Adobe Reader? Has it been modified to prevent it from executing files hidden in Adobe PDF files? Have you applied ALL current Microsoft patches and updates? What is your current Java version? How many older versions do you have installed? Each one is a potential attack vector. Do you have a real firewall in-place or are you relying on Microsoft’s firewall?

    How well do you trust Norton or any other vendor to admit they were blind-sided by this like everyone else?

    I’ve got nothing against Norton and frequently recommend it as part of an effective defense against malware. But no single piece of software stops everything, especially something this sophisticated.

    Don’t believe everything you see in a marketing announcement.

      gasper in reply to WarEagle82. | June 9, 2012 at 10:44 pm

      You obviously know more about this topic than I do. I have used Norton for over 6 years and have never had a problem with my computers. Not one. I have to consider that when I think of Trust. Norton has protected me well. When I worked for the DOE (the Energy one) they seemed to have security issues every couple of months. And they had top notch security gurus there.

        WarEagle82 in reply to gasper. | June 9, 2012 at 10:53 pm

        Well, certain government agencies attract more attention than others at any given moment. And certain offices within those agencies attract more attention and from different sources. Everybody knows the DoE Alternative Fuels project is a major boondoggle. Hackers have nothing to gain there except a backdoor to other systems in DoE. And hackers don’t really care what the DoJ Office of Justice Programs is doing either. NSA, DISA, NRO, and CIA face a different problem.

        Still, just cause Norton says they got you covered against Flame don’t make it so. And if they implied they had you covered for a while, then I got a bridge in Brooklyn I’d like to sell you.

        And keep in mind, I have nothing against Norton.

      gasper in reply to WarEagle82. | June 9, 2012 at 10:57 pm

      I feel compelled to make one more comment regarding your link to the attack on Norton, and that’s what it is, an attack. It does not present a reasoned argument that Norton cannot protect against Flame, it basically says Norton is full of BS without saying why. Norton obviously feels they can protect their clients against the Flame or I don’t think they would make the claim. I may be naive, but why would they say that and risk lawsuits galore if the Flame could impact millions of their customers? I imagine a major attack they couldn’t stop, after claiming they could, would put them out of business.

        WarEagle82 in reply to gasper. | June 9, 2012 at 11:20 pm

        I have seen numerous instances of malware infecting computers protected with current, updated AV software. That is the premise behind Zero Day Attacks.

        There are vulnerabilities in Windows code that have existed since Windows NT. That is why Microsoft issues new patches on the 2nd Tuesday of every month. They find new vulnerabilities that have existed for decades that have never been fixed.

        The second link I posted above discussed a vulnerability that was identified as early as 2004, again in 2007 and again in 2009. And Microsoft apparently did not address the matter as recently as 2010 when Flame appears to have exploited it. See: http://www.geekwire.com/2012/analysis-flame-virus-created-worldclass-hackers/.

        I have NOTHING against Norton. I used it as recently as one year ago on some of my home computers. I have nothing against Sophos or McAfee or AVG or F-Prot or a host of other AV vendors. But I don’t find Norton’s claim credible in this case, though the email was terribly vague. Go back and read what the service notification actually said.

          gasper in reply to WarEagle82. | June 9, 2012 at 11:42 pm

          I won’t try to pretend I understood everything in the link you sent, but one thing that occurred to me was maybe MS worked with these virus creators, and perhaps left this pathway open intentionally. MS should have fixed the problem but decided(?) not to. Far-fetched maybe, but MS does wield a lot of influence and would certainly want to help out for any future considerations.

          Ok, if Norton and McAfee are so hot and effective, WHY in the world do they let the “Windows Antivirus 2012” malware just *cruise* through their protection? And if they do that with a KNOWN chunk of malware that gets updated once every freaking year, it’s no bloody wonder something like Flame goes right through like it owns the place even though the darned thing was like 20meg of code.

          Ok, I’m done venting. I’ll go back to punch cards and mag tape now. Not.

      OcTEApi in reply to WarEagle82. | June 10, 2012 at 8:21 am

      @WarEagle82

      Concerning AV programs getting creamed by “JAVA-based “drive-by” hijackings that take hours if not days to clean up.”

      Most major AV programs that are updated and have real-time scanning protection like Norton will detect and neutralize Java based malicious code and provide adequate protection even if “ALL your listed potential attack vector(s)” are not updated and secured.

      The majority of threats from Java based malicious code are considered a low-level threat.
      I run multiple layers and keep up on updates and generally build and maintain pretty much bullet proof systems.
      I recently faced one of the very latest Java-based Trojans, it was detected and removed by Norton and my logs indicate Norton kicked its ass repeatedly for about 8 minutes straight on a front door attack… then the same Trojan came back a week later and attacked through a back door to the Norton scan engine itself which in turn elevated it from a low-level to a mid-level attack because it shut down virus scanning.

      STILL, if anyone is NOT running, updating, checking the status and building confidence in your anti-virus program then they’re a high-level meathead

      Your “potential attack vector(s)” are generally good and essential points and here is a free program that will scan and assess the security patch state of ALL software installed on your system .. there is an online version as well but it doesn’t scan all programs for vulnerabilities.

      http://secunia.com/vulnerability_scanning/personal/

      HOWEVER, getting back to Java based malicious code attacks, I have found that updating java and deleting old versions doesn’t solve the problem.

      A Java update installing a new version DOES NOT delete the application data cache directory of older versions of Java, because the content of that folder is not associated with the Java program.

      Even using the Java Control Panel to remove temp files and applets does not clear the old version contents of user application data cache directory.

      The JavaRa program will permanently remove all old and vulnerable versions of Java from your PC, including the user application data cache directory that acts as a backdoor for viruses and Trojans through Java based malicious code.

      http://singularlabs.com/software/javara/

        OcTEApi in reply to OcTEApi. | June 10, 2012 at 8:37 am

        I say it “…elevated it from a low-level to a mid-level attack because it shut down virus scanning.”

        Because the Trojan only shut down Norton Quick Scanning, the threat was easily removed with a full scan.

        Also currently assessing whether I even need this Java junk any longer for any of my programs… the “jusched.exe” Java Auto Update is in startup and doesn’t even function properly.

        WarEagle82 in reply to OcTEApi. | June 10, 2012 at 2:25 pm

        I am not sure that I agree that “most major AV programs” offer sufficient protection against Java-based “drive-by” infections. I have seen such infections happen too many times to accept that.

        I have witnessed malware compromise updated AV software with real-time scanning enabled. And I have been able to replicate some Java-based hijacks on computers with updated AV programs with real-time scanners enabled as recently as 2011. I haven’t tried this year but I believe I could replicate the hijacking now if I wanted to spend the time.

        Concerning AV programs getting creamed by “JAVA-based “drive-by” hijackings that take hours if not days to clean up.”

        Most major AV programs that are updated and have real-time scanning protection like Norton will detect and neutralize Java based malicious code and provide adequate protection even if “ALL your listed potential attack vector(s)” are not updated and secured.

        Again, I have nothing against Norton. I am not attacking Norton. I have recently used Norton. But no single AV program protects against every threat. And I don’t think any of them were aware of “Flame/Flamer/Skywiper” until quite recently.

        I find it interesting that gasper believed Norton’s very vague claims on this specific malware but questioned whether Microsoft was complicit in the spreading of malware. Why believe Norton but not Microsoft in this matter?

        Everyone should take a look at http://www.informationweek.com/news/security/management/240001763 and read through the links. “Flame/Flamer/Skywiper” is different.

I thought “Flame” was designed to do further damage to the Iranian’s nuclear efforts. Has this thing gone rogue?

    WarEagle82 in reply to RD. | June 9, 2012 at 10:41 pm

    And the Manhattan Project was designed to develop a bomb to be used on Germany. Things don’t always work out as government predicts. I trust that isn’t a surprise on this web site…

I have an Apple and I don’t have to worry aboutnaihoi eipqoek qputr[qp req’poeu poqrjtqpoportqpo q’pdiuapj q’p49q’ ‘gj4tq v”9rg fpj ‘poifap 09q’l t4p tu’g ‘q9u tgjq’-94g

So barry gets credit for flame, then gets whacked for spiking the football and now flame is being drenched? Sounds like a Barry the Bitch moment to me. “You don’t like me? I’ll take my malware and go play golf while the Iranians get a nuke.”

Okay, so, correcting some misconceptions:

Flame is not “Java-based”, it’s written in C++ and Lua, and it’s Windows-based software. As far as I can tell, the exploits it uses have nothing to do with the Java virtual machine. In some cases it got in through social engineering, someone pretended to be the target’s colleague and asked them to look at some software. It spreads through Windows network vulnerabilities and the very pedestrian exploit of Windows’ autorun feature.

As to AV software: either they have the detection signatures for it, or they don’t. Antivirus software is incredibly simple: it scans for a string that identifies the virus. (For various reasons, it’s impossible to engineer a piece of code that self-replicates without some identifying marker.) The core of an AV engine is simply a routine that scans lots of files, everything else is picking which files to scan when, managing the database of signatures, and window dressing.

In fairness, being thorough and fast and compatible takes some doing, and it takes some work to keep up with all the threats, but AV software, like a lot of security stuff, is 99% smoke and mirrors.

As to whether Norton was surprised, AV companies are, by nature, always a step behind new threats, especially targeted threats. That’s because it’s maintaining a black-list, which requires that someone discovers software is bad the hard way.

White-listing is possible, in which you keep a list of all known good software and refuse to run anything bad. In fact Apple’s iOS uses it to good effect, including doing code reviews of submitted applications. The downside is the “walled garden” problem. (Android also uses code signing, but they don’t review all software, so it’s not a proper white-list. You get more variety, less security.)

    WarEagle82 in reply to scooby509. | June 10, 2012 at 6:29 pm

    Glad you are here to clear up misconceptions. But nobody here said Flame was Java-based. And AV software uses more than “signature based” technology to identify malware.
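The exchange above between scooby509 and WarEagle82 turns on two detection models: a black-list of byte signatures, which by construction lags behind a new or modified sample, and a white-list of known-good software, which rejects anything not on it. The block below is an added example written for this page; it is not code from the post, from Symantec, or from any AV vendor, and it stands in for Flame with a made-up byte string, not a real sample. The file contents, the signature name “Example.Marker” and the XOR key are all constructed for the demonstration.

```python
"""Signature (black-list) scanning versus hash-based white-listing.

Added example, not code from the page or from any AV product. All file
contents below are constructed stand-ins; nothing here is a real Flame
artefact or a real vendor signature.
"""
import hashlib
import re
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Trivial re-encoding an author might apply to defeat a literal pattern."""
    return bytes(b ^ key for b in data)


# Constructed "known good" binaries (hypothetical names and contents).
KNOWN_GOOD = {
    "calc.exe": b"MZ\x90\x00 legitimate calculator bytes",
    "notepad.exe": b"MZ\x90\x00 legitimate editor bytes",
}

# Constructed malicious sample and a variant with the identifying string
# XOR-encoded so the literal marker no longer appears on disk.
MARKER = b"EVILMARK-42"
ORIGINAL_SAMPLE = b"MZ\x90\x00 payload " + MARKER + b" end"
VARIANT_SAMPLE = b"MZ\x90\x00 payload " + xor_bytes(MARKER, 0x5A) + b" end"

# Black-list: (detection name, compiled byte pattern). Real engines add
# heuristics, emulation and reputation on top, but the core lookup is this.
SIGNATURES = [("Example.Marker", re.compile(re.escape(MARKER)))]

# White-list: SHA-256 digests of every binary allowed to run.
ALLOWLIST = {hashlib.sha256(data).hexdigest() for data in KNOWN_GOOD.values()}


def signature_scan(content: bytes) -> Optional[str]:
    """Return the first matching signature name, or None if nothing matches."""
    for name, pattern in SIGNATURES:
        if pattern.search(content):
            return name
    return None


def allowlist_check(content: bytes) -> bool:
    """True only if the exact bytes are on the known-good list."""
    return hashlib.sha256(content).hexdigest() in ALLOWLIST


def classify(content: bytes) -> dict:
    """Run both models over one file so the difference is visible side by side."""
    return {"signature": signature_scan(content), "allowed": allowlist_check(content)}


if __name__ == "__main__":
    for label, data in [
        ("original sample", ORIGINAL_SAMPLE),
        ("re-encoded variant", VARIANT_SAMPLE),
        ("calc.exe", KNOWN_GOOD["calc.exe"]),
        ("calc.exe after a one-byte patch", KNOWN_GOOD["calc.exe"] + b"!"),
    ]:
        print(f"{label:32s} {classify(data)}")
```

The original sample trips the signature; the XOR-encoded variant, which behaves identically once it decodes its own marker at runtime, does not, and stays undetected until someone finds it the hard way and ships a new signature. The white-list rejects both samples without ever having seen them, but it also rejects a legitimate binary the moment a single byte changes, which is the walled-garden cost mentioned above: every update to every allowed program has to be re-listed before it will run.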

Just buy a Mac. Seriously, life gets pretty uncomplicated after that.