Infiltrated dot Net

Flame - Cutting through media and SME hype
Written by J. Oquendo   

Often times in rush to generate attention to their business, which of course drives in revenue, antivirus vendors offer conflicting reports to what a particular strain of malware or a virus does. For the everyday reader of so called "intelligence" behind the actors and threats of these malware, the word of the AV analysts are taken as gospel.

Nary a thought of the politics and or financial motivations behind that lurk behind the malware. are taken into account by most AV SMEs. Why should they be taken into account, we are to trust that the experts will provide us with relevant evidence regarding what is being analyzed not global politics. No one really questions AV SMEs which leads to those writing on the subject of "malware security" to become masters of "crowd manipulation." Any shpiel the AV companies spew becomes fact. To be fair, their role is not to delve into the politics. It is simply to report the findings based on their observations.

Most facts reported by the AV companies though must be viewed as "beyond" subjective. Especially when it comes to the data obtained during these investigations. I illustrate that this statement must be true, simply because the AV SMEs can never, and will never, truly know who put forth a sample. Why a sample was programmed the way it was, and whether or not the creator set forth in deploying a strain filled with false positive and false flag information. It is simple for an author of these malware to purposely point the finger elsewhere. For example, if I created a malware strain, entered a simple comment such as "/* 19890415 */" I can guarantee you that many SMEs would point to Tiananmen Square. My goal would be accomplished and the attribution would be heaped on someone else.

 

All hype

 

In all cases, SMEs are making best guesses based on their observations. In the cyber-arena though, one can put forth whatever one wished to make someone believe. Attribution is non-existent and one can mix and match (cherry pick) whatever information one wants to mix and match, in order to put forth a conforming view. Anyone on the outside becomes lost in the Abilene Paradox. Rather than question, many SMEs remain silent. All the while we have these grandiose cases of what the media perceives as an "upcoming cyberwar." Whether some SMEs remain silent out of fear of career suicide, politics, finance or other is irrelevant. There are too many who remain silent on the matter. This leaves the media culling information from about a half dozen of experts. Many if not all of the remaining experts will have an agenda.

So let's get into this subject a little deeper - Cyberwar. It is such a misrepresented term in its own right. You need not go further than common sense to see the failure in the term itself. In any war, there is a winner and a loser. You could argue there are no winners but you would be missing a greater picture here. There is always a winner and it is usually the one telling you "there are no winners" as he covertly counts what he gains via submission. In every war known to man, the loser is always made to pay. Whether it is via conceding material, land, power, there is always something gained by the "winning party." Cyberwar differs. Do you believe that someone, whether a government, criminal organization or other can make someone yield because of a computer?

During the Reagan administration, we had the Star Wars (SDIO) program. At the end of the day, we were not trying to build anything contrary to popular belief. It might have been a nice theory, but at the end of the day, we were trying to drive Russia bankrupt. Our goal then was to scare the enemy enough into thinking they needed to be able to meet any challenges we put forth. Spend, spend, spend. This may be the case with "cyberweaponry" as well (spend, spend, spend) however, the catch is, it is not the United States that is holding the winning hand. It is no country to be outright blunt about it. This is a scary thought for most countries: no one is in control.

Off of the history and politics lesson, let us move back into the technical arena. Let's look at what occurs from the ground up concerning "cyberweaponry" and how AV SMEs will fail. It has already been established that "unless an AV SME has first-hand knowledge of a specific individual" any answer the SME can puth forth is based on observation. These observations come from a few sources, usually all a horrible indicator of who wrote what piece of code. SMEs may speculate based on an IP address with any association to the strain of malware being analyzed, it may be based on portions of code which an analyst sees and so forth.

SMEs are seeing connections to certain destinations and labeling the strains as being authored by who they perceive is behind the destination. For example, if I owned or maintained the address block 1.2.3.0/24 it would be a no brainer to state: "The attack wound up at 1.2.3.10 so it is obvious that Company X is behind the attack." Forget the fact that a machine in my network may itself be compromised. Because that connection is made, the association goes up thousand-fold. Another technique is to follow so called bits and pieces of code: "It was used in this other sample, therefore since I see it now, it must be the same group." What happened to rational thinking? How many bits of codes are freely available to mix and match?

Let history speak for itself here: "How many authors of any financial malware frameworks have you seen or read about being perpwalked?" "How many authors of any virus or ransomware have you seen or read about being perpwalked?" Get the picture? Many of these groups share many bits of code. Many of these groups steal from one another and this includes entire command and control structures. These are the things that never make it to media. It is simply not newsworthy. Most SMEs do not know who was behind the original bits and pieces of code to begin with. It is all speculation.

Now let us have a look at media, inferences and interpretations of the current state of Flamer. Obviously I will use selective quotes based on what is "hot topic" at the moment. "The RapidSSL attack would have cost around US$20,000 if it had been performed on Amazon's EC2 cloud. The Flame attack would have cost between 10 and 100 times more, Sotirov said." [1]

Reality? Sotirov's $20,000.00 statement is based on the pricing of the amount of PS3 computing power needed in correlation to how much one would pay for the equivalent amount of power needed on EC2.  At least this is my perception of that comment. Reality shows otherwise, you can actually get free EC2 instances as long as each instance is under a specific quota [2]. Solution? Create thousand of free instances of EC2. Another solution would be to create something similar to a SETI based bot where infected machines would collectively share and distribute the load. It would not be that difficult for say the creators of Flashback - 600,000 capable machines - to rig the malware up to perform similar computation.

This is common knowledge and should be common sense however, it is being overlooked in that rush to make headline news. We have to remember that many of these reports place food on the table for individuals. Whether those individuals work at an AV company, news agency, government or other. The outcome is always the same: conformity.

As I sit and think about the entire situation (Flame) I wonder if government actually does have a hand in this. To which I often respond "no" and this could be confirmation bias of my own. But the rational does not add up. I know factually, had I created something similar in scale, I would have to borrow code. In borrowing code, I would also take the time to make sure I am pointing the finger far away from myself. I would not set out to build a grand scale program and overlook these little tidbits.

Now, the SMEs would come around stating something to the tune of: "We would see your command and control" And to that I state the fact that these structures can be deployed anywhere. By anywhere I mean just that. There is nothing stopping me from sitting at home drinking coffee in New England and registering for - while using prepaid credit cards - domains and or server space in any country. This deflects the attention elsewhere. Once up and running, I can move around freely using compromised machines to further deflect attention. I have the power of countries not collaborating with one another on my side. Does anyone honestly believe that if I purchased a pre-paid credit card, rented service in Korea, compromised a machine in Russia, leapfrogged over to China, erased my traces all along the way, something would come back to me in New England? I can assure you that SMEs would have a field day "proving" the attack was APT coming from China. Attackers know this, governments know this, there is no secret recipe involved.

Modular hell. "The malware uses five different encryption methods" Here we have peculiarities if I have ever seen them. I am to believe that a government spent an enormous amount of time, research and money to make this malware, yet couldn't get effective encryption and resorted to using FIVE different methods of encryption? This does not resonate well considering AES is available Microsoft by default. Translation? No data obtained by Flame would have been visible by using simple and available crypto calls based on what was already on the system. There would be no need for five different and convoluted methods. That introduces potential problems down the line and makes things more complex than they need to be. Irrelevant? Not really.

Flame is a very loud piece of malware. It is a horrendous 20Mb contraption which screams: "look at me." Many of the components in Flame are borrowed, re-hashed, re-written and re-deployed. AV companies are suggesting there is "no financial gain" being sought by Flame and to that I state: "How would you know?" For an AV SME to make that statement is absurd. They would have to know where data ended up, whi is accessing that data and what they are doing with the data. There is no mechanism for an AV expert to make this sort of commentary, yet media will run with whatever an SME states. Reality dictates otherwise on this matter as well.

"Gang allegedly made $25,000 a month ... Russian police are reportedly investigating a criminal gang that installed malicious "ransomware" programs on thousands of PCs and then forced victims to send SMS messages in order to unlock their PCs." [7] There goes the 20,000.00 notion Sotirov, Even if you said $50,000.00 the answer is a simple one of economic sense - it's all about the Benjamins. Would you spend $20,000.00 to make $25,000.00 per month? I am sure even $50,000.00 is a drop in the bucket to some of these gangs. I know this, AV SMEs know this, governments know this.

I have a hard time understanding why SMEs are overlooking the criminal organizations on this matter. Many tend to believe whatever conforms to what they are seeing but seeing is not believe on the Internet. Especially when there are far too many actors on the stage. We can believe whatever we choose in this instance of Flame but the writing just doesn't add up to "state sponsorship" no matter what posturing is coming out of any government. I state this because I would like to believe that any government, especially my own, would create something more covert and effective. Flame is not all everyone is making it out to be.


[1] http://www.pcworld.com/businesscenter/article/257494/flame_crypto_attack_was_very_hard_to_pull_off_security_researcher_says.html
[2] http://aws.amazon.com/free/
[3] http://blog.chron.com/techblog/2012/04/more-than-half-a-million-macs-infected-with-flashback-trojan-malware/
[4] http://www.crysys.hu/skywiper/skywiper.pdf
[5] http://social.msdn.microsoft.com/search/en-us?query=aes+encrypt&x=0&y=0
[6] http://www.fastcompany.com/1838779/flame-the-skype-sniffing-bluetooth-enabled-super-spy-tool-and-whats-next
[7] http://www.computerworlduk.com/news/security/3237574/police-target-million-dollar-ransomware-gang/