Can nation-states really produce scarier malware than unaffiliated geeks?  While the Iranian nuclear program continues to struggle with the setbacks imposed by Stuxnet, a new and even more imposing program has been discovered infiltrating the Middle East.  "Flame" has a number of modules, including this impressive function:
Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.
I feel we're in a period much like the dawn of the antibiotic age, with doctors stumbling around trying out brand-new strategies to fight naive pathogens. H/t, again, Rocket Science.


Grim said...

Stuxnet featured four zero-day exploits for Windows. That's some pretty high-test stuff. My guess is that they're vulnerabilities that Microsoft figured out internally, and then handed to the government; but maybe our boys really are that good.

Texan99 said...

There are apparently some zero-day exploits in Flame, as well.

bthun said...

Way back when, prior to DARPA birthing the intertubes, it was understood that the only airtight way to ensure a secure system was to keep it in a vault with limited access and no external connections.

Having spent a bit of time in the field, working with debuggers, while comparing to the source code... Having used home-grown tools that would mirror executing code/data and render that execution stream to a 'sandbox' such that you would have an instantiation or representation of the code/data stream as it had executed, thereby a map for the malicious to guide them in their exploitation designs. Not to mention being able to purchase access to source code from vendors or use the Open Access Initiative for OSF software...
I'm still of the mind that a secure system, in a vault with limited access and no external connections is the only secure system.

DISCLAIMER: My knowledge and beliefs are pretty dated so YMMV.

Anonymous said...

I'm partly curious how we went from "too incompetent to protect our own systems from amateur black-hats" to "super-genius programmers and hackers" in what . . . six months? If that?

Bthun is right on true system security, as best I've seen.


MikeD said...

Currently it's an environment that favors offense. Much easier to destroy a system than protect it. Will that change? Possibly. I recall serious military analysts predicting the day of the tank to be over in the 70s due to the ATGM. And times, they do change.

But I think the difficulty in malicious computer attacks is twofold:
1) Like terrorist attacks, the defense MUST catch them all; if one gets through, irreparable harm can be done.
2) Unlike terrorist attacks, it costs almost nothing to keep trying, potentially thousands of times a minute, to find a vulnerability. Every single attempt to penetrate our defenses here in meatspace costs them money and personnel. Online, it's just electrons.