Skywiper, Flame, Flamer, AnotherName and so forth. Did it make you cringe yet? Did it make you want to run all types of testing inside your network to make sure that some uberly clever government of mass destruction does not have control a-la 1984 of your enterprise? Be afraid, be very afraid. In fact, be so afraid that you write me a check after reading this from all the fear I will instill in you! Seriously. Who else is laughing at this one? "A covert 20Mb ..." Did you just say 20Mb?
Alright, lets bite on the covert 20Mb weapon of mass destruction theory where it is hypothesized as being some clever form of "weaponry" from a government agency or military, or clandestine something-or-other. I will do what everyone else is doing, comparing apples, oranges and for kicks and giggles, I will throw in a watermelon.
Stuxnet - Kernel driven Rootkit
Sky/Flame(r) - not
Stuxnet - Validly signed drivers (obscure detection)
Sky/Flame(r) - none
Stuxnet - 0 day (whoopdeedo)
Sky/Flame(r) - none
I do not want to keep this going since the list is long. On the one hand, we saw the theory that "Stuxnet - it was the government." Indeed, I can see the government writing things so sloppy and outsourcing bits and pieces of coding. The coding had to be spliced so those programming wouldn't know what one another were doing. Sort of like the "Kernel's secret recipe" for KFC. Yup that's the ticket. A government covertly funded sloppy coding which wasn't even "that" covert. I'll buy it.
This time around, the rogue secretive government who devised this, put out all the stops. They decided to make a huge-o-mongous piece of malware capable of generating all sorts of traffic blips from the malware being downloaded. They did it to "hide in plain site." After all, no decent network engineer will see that blip of 2Gb worth of traffic on their SIEM systems when the Skywipe/Flame(r) malware gets uploaded and changed. Come on, you can trust what I am telling you, I know a lot of engineers and they would not care if Mbs or Gbs of traffic was being generated to obscure locations. They all ignore those kinds of things (huge traffic spikes).
So after this rogue secretive gov (from here on I will call them the Noisemakers) decided to go against the grain. Instead of using time test methods and tools that work, the Noisemakers decided to use five (count them five) different encryption methods, four of which are simply substitution ciphers. No need to "really" encrypt the data one wants to steal you know.
Enough of me being snarky and arrogant though. What is really at stake here and why are many companies rushing to connect the dots to a government? The bottom line here is money. These studies on malware which are being done by companies like Kaspersky, Symantec, McAfee and so forth are not being done for anything other than at one point being able to state: "We can defend you from MalwareX if you purchase Product Y." This is the reality of it all. What better mechanism to do so than to paint the boogeyman as a rogue country. After all, countries spend millions on security.
These security companies and their reports often mislead readers with their findings. For example, somewhere amongst the trove of stories was a comment that went something to the tune of: "It could not have been written by a band of hackers as it was too sophisticated and would have taken many people." The flip side of this statement is: "What drug was the person who said that, taking?" Looking around at other malware samples, particularly those involved in financial crimes (Zeus, Qakbot, etal), any analyst would tell you that the developers of these instances of malware are highly organized, sophisticated and likely work in groups. This is fact, not fiction.
Security companies cannot have it both ways: "It couldn't be a hacker group", yet: "Only a malicious group could have developed Zeus!" Ironic is it not? Yet media in their rush to "get to press" will release anything they can without double checking the scenario. They will often rely on the words from security shysters as gospel.
After all, these guys must know! They're McAfee, they're Symantec, they're... What they are, is out to make money, this is their underlying business.
Flamer, Skywipe, INSERT_ANOTHER_NAME_HERE is not impressive as a piece of malware. In fact, I consider it a Frankenstein piece of malware. Cobbled together by someone likely for the sake of blackmail. This is evident in the cases of "Ransomware" where a group steals what they can, when done, encrypt a drive rendering it useless unless a fee is paid. Do you think any government wouldn't pay a fee to keep things running smoothly. It would be in the best interest of a country like Iran, Syria or other country to pay the hush money than it would for them to lose countless amounts of time re-doing everything. Not to mention the fact of exposure of any misdeeds. This isn't Political Science 540, it is Economics and Common Sense 101.
Those individuals touting: "But they used USB as a deployment" fail to realize that many attackers do so. Even authorized penetration testers use USB based attacks to compromise companies. This isn't new, isn't sophisticated, is cost effective and ultimately it is almost a sure way into an organization. Those individuals touting the 0day angle, they too are fearmongers. The likelihood of the individual yelling "0day" ever coming across their own "0day" is low. I could count how many 0days I myself have that I have never disclosed and imagine how many others have either found the same thing, or perhaps have even more. The whole 0day theme used by companies, I view as being nothing more than "filler" for some underclued targeted reader. "They have 0days! They use targeted attack mechanisms like USB keys! They are highly effective! They are covert!" These statements are utter nonsense.
Fortunately for me, I was able to obtain a copy of Flame in which I hope to find some time to play with. You can be sure that I will skew the results to favor the outcome I want. That is, to sell you a product that could defend against it. You know, like the one I sold you last year, and the year before that, as well as the year before that, and the decade before that. Don't worry, there is a sucker born every minute and as long as that sucker is buying my security products, real world logic and security need not invade my space.