Re: Flame on!

[Drsolly <drsollyp () drsolly com>]

I actually read the Telegraph, and I'm pretty sure that the article I read 
said that it was 20 gigabytes. And I thought, hmmmm. And I thought of 
Whale, which at 9kb was the biggest (and most ineffective) virus as of 
25-odd years ago. Ineffective, because the first thing that happened when 
you tried to run Whale, was the computer crashed after a few seconds. 

The conclusion that you should draw from this article, is that the writer
was completely devoid of clue, and you shouldn't get information about
viruses from articles in the Daily Telegraph

A generalisation that you can make, is that you can't get information 
on any subject from articles in the media.

On Wed, 30 May 2012, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:

> I have been reading about the new Flame (aka Flamer, aka sKyWIper) "supervirus."
>
> [AAaaaarrrrrrggggghhhh!!!!!!!!  Sorry.  I will try and keep the screaming, in my 
> "outside voice," to a minimum.]
>
> > From http://www.telegraph.co.uk/news/worldnews/middleeast/iran/9295938/Flame-
> worlds-most-complex-computer-virus-exposed.html
>
> This "virus" [1] is "20 times more powerful" than any other!  [Why?  Because it 
> has 20 times more code?  Because it is running on 20 times more computers?  (It 
> isn't.  If you aren't a sysadmin in the Middle East you basically don't have to 
> worry.)  Because the computers it is running on are 20 times more powerful?  This 
> claim is pointless and ridiculous.]
>
> [I had it right the first time.  The file that is being examined is 20 megabytes.  
> Sorry, I'm from the old days.  Anybody who needs 20 megs to build a piece of 
> malware isn't a genius.  Tight code is *much* more impressive.  This is just 
> sloppy.]
>
> It "could only have been created by a state."  [What have you got against those of 
> us who live in provinces?]
>
> "Flame can gather data files, remotely change settings on computers, turn on 
> computer microphones to record conversations, take screen shots and copy 
> instant messaging chats."  [So?  We had RATs that could do that at least a decade 
> ago.]
>
> "... a Russian security firm that specialises in targeting malicious computer code ... 
> made the 20 megabyte virus available to other researchers yesterday claiming it 
> did not fully understand its scope and said its code was 100 times the size of the 
> most malicious software."  [I rather doubt they made the claim that they didn't 
> understand it.  It would take time to plow through 20 megs of code, so it makes 
> sense to send it around the AV community.  But I still say these "size of code" and 
> "most malicious" statements are useless, to say the least.]
>
> It was "released five years ago and had infected machines in Iran, Israel, Sudan, 
> Syria, Lebanon, Saudi Arabia and Egypt."  [Five years?  Good grief!  This thing is a 
> pretty wimpy virus!  (Or self-limiting in some way.)  Even in the days of BSIs and 
> sneakernet you could spread something around the world in half a year at most.]
>
> "If Flame went on undiscovered for five years, the only logical conclusion is that 
> there are other operations ongoing that we don't know about."  [Yeah.  Like "not 
> reproducing."]
>
> "The file, which infects Microsoft Windows computers, has five encryption 
> algorithms,"  [Gosh!  The best we could do before was a couple of dozen!]  "exotic 
> data storage formats"  [Like "not plain text."]  "and the ability to steal 
> documents, spy on computer users and more."  [Yawn.]
>
> "Components enable those behind it, who use a network of rapidly-shifting 
> "command and control" servers to direct the virus ..."  [Gee!  You mean like a 
> botnet or something?]
>
>
> Sorry.  Yes, I do know that this is supposed to be (and probably is) state-
> sponsored, and purposefully written to attack specific targets and evade detection.  
> I get it.  It will be (marginally) interesting to see what they pull out of the code 
> over the next few years.  It's even kind of impressive that someone built a RAT 
> that went undetected for that long, even though it was specifically built to hide 
> and move slowly.
>
> But all this "supervirus" nonsense is giving me pains.
>
>
> [1] First off, everybody is calling it a "virus."  But many reports say they don't 
> know how it got where it was found.  Duh!  If it's a virus, that's kind of the first 
> issue, isn't it?
>
> ======================  (quote inserted randomly by Pegasus Mailer)
> rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
> Any American was bred to want to take over things; your water
> supply, your mineral deposits, your entire country, your wife ...
> Something American had happened to his wife ... there was no
> other possible explantion.          - `The Whirlpool', Jane Urquhart
> victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://twitter.com/rslade
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.