Re: [LUG] OT: Spy malware infecting Iranian networks is engineering marvel to behold

 

On Wed, May 30, 2012 at 6:11 AM, Simon Waters wrote:
> Not saying it isn't well engineered, just that there isn't enough
> evidence in the reports.

I doubt there will ever be. Every expert 'knows' Stuxnet was written
by the American and/or the Israeli government. No one can prove that
though. I think Flame will be a similar story.

> Mostly it tells you that current anti-malware practice isn't terribly
> good, in that it went undetected for so long.

That's a good point and one I've seen people from within the
anti-malware industry make, but it's not an entirely fair criticism:
it only shows that if you've got enough resources you can defeat/evade
security software. 100% security doesn't exist so it's a matter of
putting the threshold so high that it's not worth the attackers'
effort. If the army of a major country have a reason to attack you,
it's damn hard to put the threshold that high.

> Nothing I've seen discusses how it gets the data it steals back,
> presumably this too is a pluggable module (would make sense), so possibly
> it varies with installation. Nor how it is so targeted if it spreads in
> virus-like fashion. I suspect those two are rather sensitive bits of
> information for those infected.

People expect full analysis of what Flame is capable of doing may take
months, perhaps even years. I've seen reports that mention a command
and control server so I presume that's how data is stolen.

It is a worm rather than a virus in that it spreads itself but doesn't
infect existing files. Targeted worms aren't new. A worm could be
targeted at a specific organisation and then spread itself inside the
organisation's network.

> Plenty of well funded organisations are interested in the Iranian oil
> ministry and Middle Eastern politics, they are called oil companies or
> investment companies that trade in the oil markets. Indeed these days a
> lot of them have more money than many national governments, or at least
> less debt.

I doubt many, if any, companies have the resources that the US army
has. They are also pretty good at keeping things secret.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq