
Flame Malware Authors Hit Self-Destruct

samzenpus posted more than 2 years ago | from the without-a-trace dept.


angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."


260 comments


SUICIDE not good enough... (5, Funny)

reve_etrange (2377702) | more than 2 years ago | (#40252539)

The article implies that the new module overwrites with random data instead of just deleting files. I guess the original authors didn't think of that one...government inefficiency in action I suppose.

Re:SUICIDE not good enough... (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40252571)

No need to wipe the files if no one knows they're there.

Re:SUICIDE not good enough... (5, Informative)

cheater512 (783349) | more than 2 years ago | (#40252751)

It overwrites with random data THEN deletes.

Makes it impossible to tell it was ever installed.
Otherwise you could scan the disk for remnants to tell if a computer was infected in the past.

Delete doesn't actually remove any data; it just removes the filename and marks the space as free.
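The difference between "unlink" and "overwrite, then unlink" that this comment describes, shown on a toy disk image. This is an added example, not code from the thread or from any analysis of Flame: the image layout (one 64-byte directory slot followed by data blocks), the file name and the marker bytes are all constructed here for illustration. It assumes the idealized case where the overwrite lands on the same blocks; real filesystems that allocate fresh blocks on write, SSD wear levelling, journals in data mode and shadow copies can all keep the old bytes around, which is exactly the caveat raised further down the thread.

```python
import secrets

# Constructed toy disk image: one "directory slot" holding the filename,
# followed by data blocks holding the file content. Invented layout.
BLOCK = 512
DIR_SLOT = slice(0, 64)               # where the directory entry (filename) lives
DATA_SLOT = slice(BLOCK, 3 * BLOCK)   # where the file's content lives
MARKER = b"CONSTRUCTED-MODULE-SIGNATURE"  # stand-in for a byte pattern a scanner would look for


def make_image(filename: bytes, content: bytes) -> bytearray:
    """Build a 4-block image holding one file: name in the dir slot, content in the data blocks."""
    img = bytearray(4 * BLOCK)
    img[DIR_SLOT] = filename.ljust(64, b"\x00")
    img[DATA_SLOT] = content.ljust(2 * BLOCK, b"\x00")
    return img


def plain_delete(img: bytearray) -> None:
    """What an ordinary unlink does: drop the name and mark the blocks free; the content stays."""
    img[DIR_SLOT] = b"\x00" * 64


def wipe_then_delete(img: bytearray) -> None:
    """Overwrite the content with random bytes first, then drop the directory entry."""
    img[DATA_SLOT] = secrets.token_bytes(2 * BLOCK)
    plain_delete(img)


def scan_for_remnants(img: bytes, pattern: bytes) -> list[int]:
    """Forensic-style carve over the raw image: every offset where the pattern still survives."""
    hits, start = [], 0
    while (i := img.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def filename_present(img: bytes, filename: bytes) -> bool:
    """Is the directory entry still readable?"""
    return img[DIR_SLOT].rstrip(b"\x00") == filename


def demo() -> dict:
    """Run both deletion styles on identical images and report what a scanner still finds."""
    name = b"module.dll"                       # constructed filename, not a real Flame component
    content = b"header " + MARKER + b" payload"

    plain = make_image(name, content)
    plain_delete(plain)

    wiped = make_image(name, content)
    wipe_then_delete(wiped)

    return {
        "name_after_plain_delete": filename_present(plain, name),
        "name_after_wipe": filename_present(wiped, name),
        "remnants_after_plain_delete": scan_for_remnants(bytes(plain), MARKER),
        "remnants_after_wipe": scan_for_remnants(bytes(wiped), MARKER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the plain delete the name is gone but the marker is still sitting at block 1 (offset 512 + 7), so a raw scan of the device proves the file was there; after the overwrite the scan comes back empty. Whether the overwrite actually reaches the old blocks is the part this toy model cannot tell you, and is what the journal, copy-on-write, VSS and SSD replies below are about.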

Re:SUICIDE not good enough... (0)

Anonymous Coward | more than 2 years ago | (#40252875)

I doubt it removes them from the journal.

Re:SUICIDE not good enough... (5, Interesting)

blueg3 (192743) | more than 2 years ago | (#40252991)

Journals are only so deep and, more importantly, only contain file metadata. You might, sometimes, be able to use them to determine that a file used to exist on a computer, but not what its contents were.

Re:SUICIDE not good enough... (4, Informative)

mysidia (191772) | more than 2 years ago | (#40253115)

Journals are only so deep and, more importantly, only contain file metadata.

True, but Volume Shadow Copy can retain past revisions of files for a considerable length of time. So can backup applications which store copies of files offline.

Re:SUICIDE not good enough... (1)

blueg3 (192743) | more than 2 years ago | (#40253153)

Sure, so can copy-on-write filesystems and lots of other mechanisms.

Re:SUICIDE not good enough... (3, Insightful)

Gr8Apes (679165) | more than 2 years ago | (#40253195)

all true, which is why you keep multiple backups dating back months, right?

Re:SUICIDE not good enough... (5, Informative)

Anonymous Coward | more than 2 years ago | (#40253187)

Journals are only so deep and, more importantly, only contain file metadata.

This is true for most installations, but not in general. Some journaling filesystems (including ext3 and ext4) let you write all data through the journal as well -- it guarantees data integrity as well as filesystem consistency.

Obviously, if the journal is on the filesystem device (internal journal, or external journal on another partition of the same disk (but WTF would you do that)), it costs you half your write bandwidth, which is why it's rarely used (though it can boost performance on fsync-heavy workloads, because it reduces seeking), but it can be effective with an external journal, or if the data integrity is worth the performance loss.

Re:SUICIDE not good enough... (5, Insightful)

Billly Gates (198444) | more than 2 years ago | (#40252897)

The more I learn about Flame the more it amazes me.

Arstechnica.com has more stories on it and how it worked through collision detection and much more. I am amazed yet worried, as I am sure malware mafia folks are using the source code with real NATO-grade malware complete with forging certificates, turning zombies into proxy servers, and using the MD5 collision detection done by professional mathematicians.

Worse, Ubuntu and other operating systems can be hit by this as they use the same algorithms for the certificates. This piece of malware wasn't just done through conventional 0-day exploits but rather through a very sophisticated means of forging certificates, and might have done the cyberworld much more harm.

Re:SUICIDE not good enough... (5, Informative)

cheater512 (783349) | more than 2 years ago | (#40252985)

Most certificates these days use SHA1 at the very least.

This is not an issue for Linux anyway because Linux does not use certificates for code.
Some do sign repositories, however those certificates are somewhat stronger.

Remember, MD5 has been broken and deprecated for many years.
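The check behind this comment, that a certificate's signature algorithm is not MD5- or SHA-1-based, can be done without any TLS library by walking the DER. The following is an added example, not code from the thread or from any Flame analysis: a minimal DER reader that pulls the signatureAlgorithm OID out of an X.509 Certificate structure and flags the weak ones. The sample certificates it parses are constructed skeletons (empty tbsCertificate, empty signature) built by the included encoder purely to exercise the parser; they are not real certificates, and the OID table is limited to the few algorithms listed.

```python
# Added example: flag MD5/SHA-1 signature algorithms in a DER-encoded X.509 certificate.
# Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE { OID, params },
#                            signatureValue BIT STRING }

WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

SEQUENCE, OID, NULL, BIT_STRING = 0x30, 0x06, 0x05, 0x03


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split the contents of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw: bytes) -> str:
    """OID contents -> dotted string (first byte packs arcs 1 and 2; the rest are base-128)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def certificate_signature_algorithm(der: bytes) -> str:
    """Return the dotted OID from the outer signatureAlgorithm field of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    fields = _children(cert)
    if len(fields) != 3 or fields[1][0] != SEQUENCE:
        raise ValueError("unexpected Certificate layout")
    alg_children = _children(fields[1][1])
    if not alg_children or alg_children[0][0] != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(alg_children[0][1])


def is_weak_signature(der: bytes) -> bool:
    """True when the certificate is signed with an MD5- or SHA-1-based algorithm."""
    return certificate_signature_algorithm(der) in WEAK_SIGNATURE_OIDS


# --- encoder, used only to construct sample certificates for the demo ---

def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return out


def skeleton_certificate(sig_oid: str) -> bytes:
    """Constructed, non-real certificate: empty tbsCertificate, given algorithm, empty signature."""
    tbs = _tlv(SEQUENCE, b"")
    alg = _tlv(SEQUENCE, _tlv(OID, encode_oid(sig_oid)) + _tlv(NULL, b""))
    sig = _tlv(BIT_STRING, b"\x00")       # zero unused bits, no signature bytes
    return _tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid, name in KNOWN_OIDS.items():
        cert = skeleton_certificate(oid)
        print(f"{name:28s} weak={is_weak_signature(cert)}")
```

On a real certificate you would also read the inner signature field of tbsCertificate and confirm it matches the outer one, and remember that the algorithm only matters on certificates whose signature you actually rely on: a self-signed trust anchor's own signature algorithm is irrelevant, while an intermediate signed with MD5 is the case that collision attacks exploit.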

Re:SUICIDE not good enough... (5, Interesting)

catmistake (814204) | more than 2 years ago | (#40253205)

The more I learn about Flame the more it amazes me.

The more I learn about the whole cyberwar program [nytimes.com] the more I am impressed.

Re:SUICIDE not good enough... (1)

Darinbob (1142669) | more than 2 years ago | (#40253081)

Many file systems will allocate new blocks when overwriting data. Not sure what Windows does. There is also the problem of scrubbing old versions of the files whenever updates are received.

Re:SUICIDE not good enough... (3, Informative)

viperidaenz (2515578) | more than 2 years ago | (#40253253)

Many SSDs will write to empty blocks without erasing the original, as the erase block size is much larger than the write block size. You don't want to have to read 15x more data and write it back just because you changed one sixteenth of the erase block.

Re:SUICIDE not good enough... (4, Interesting)

hairyfeet (841228) | more than 2 years ago | (#40253657)

Which brings up something I've been wondering about...is it even POSSIBLE to overwrite a file if it's on an SSD? Sure, it's easy enough to do on a HDD without having to wipe the whole drive, but since the SSD basically "lies" to the OS about where the data is actually at so it can perform wear leveling, is it even possible to overwrite just a few files on an SSD with random data, or would one have to format the whole thing?

As for TFA, just more proof it was written by a government and NOT a criminal, because a criminal would have been more likely just to wipe the whole drive just to be pricks. Let's face it, when it comes to malware we have a lot more cases of the writers being pricks than we do of them being nice, so it just makes me think even more these new bugs are just government works for hire.

Release the Source! (1)

Anonymous Coward | more than 2 years ago | (#40252821)

If the binary is un-distributed by the authors, does that mean that they no longer have to comply with the terms of the GPL and release the source code?

http://yro.slashdot.org/story/12/06/06/1256217/stuxnetflameduqu-uses-gpl-code

Better get on that GPLv4 Richard!

Re:SUICIDE not good enough... (0)

Anonymous Coward | more than 2 years ago | (#40253235)

Luckily I still have an intact copy, several actually, in my Windows Restore Points.

Interesting (5, Interesting)

Anonymous Coward | more than 2 years ago | (#40252545)

Something tells me that this wasn't designed by a teenager.

Re:Interesting (1, Insightful)

bmo (77928) | more than 2 years ago | (#40252849)

The teenage hacker in a basement was never as much of a risk compared to what started happening about 15 years ago with organized crime getting involved.

This "new" kind of malware has been dubbed (I think more accurately than most) crimeware.

And whether governments do it, or the RBN, it's still crimeware.

--
BMO

Re:Interesting (2)

Taco Cowboy (5327) | more than 2 years ago | (#40253665)

This "new" kind of malware has been dubbed (I think more accurately than most) crimeware

I think Mobware is a more accurate description.

"Crime" can be mere petty crime.

But "Mob" is a totally different animal altogether.

Re:Interesting (5, Insightful)

flyingsquid (813711) | more than 2 years ago | (#40253045)

Something tells me that this wasn't designed by a teenager.

There are a limited number of possible suspects. First off, not many parties have the means to create this. The consensus is that Flame is one of the largest and most advanced pieces of malware ever created- it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability. That list is pretty short, and would include countries like the United States, China, Russia, Israel, and North Korea.

Second, let's look at the targets. The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order. Roughly half of the infections are in Iran. So whoever created Flame is worried about the Middle East, but really, really worried about Iran. More worried about Iran than any other country. The Iran fixation suggests two possible suspects- Israel and the United States.

The focus on Iran is consistent with Flame coming from the U.S., but Flame also targets several U.S. allies, including Egypt and Saudi Arabia. The other thing is, Flame doesn't target anything outside of the Middle East. If it was produced by the U.S., you'd expect Flame to be found in other countries- North Korea and Pakistan, for example- where the U.S. has security interests. But whoever created Flame doesn't really care what happens in North Korea or Pakistan. Whoever created Flame is primarily concerned with countries that are either enemies or potential enemies of Israel- Iran, Palestine, Syria, Lebanon. That strongly suggests Israel as the culprit.

Re:Interesting (0)

Gr8Apes (679165) | more than 2 years ago | (#40253221)

N Korea being able to create this? Sorry, that one doesn't wash. There's a laundry list of countries ahead of N Korea in the capability list.

Second, since when is Pakistan not in the Middle East?

Re:Interesting (2, Informative)

Anonymous Coward | more than 2 years ago | (#40253353)

Second, since when is Pakistan not in the Middle East?

Pakistan is in South Asia. Consider, for example, their membership in the SAARC.

https://en.wikipedia.org/wiki/South_Asian_Association_for_Regional_Cooperation#Current_members

They _want_ to be considered as a Middle East, or more accurately, an Arab country. There are "scholars" in Pakistan producing academic papers "proving" that Pakistanis are descended from Arabs. Not only does this ignore the complex interplay of ethnicities present in the Indian sub-continent, it is pure political revisionism to disown their shared ancestry with Indians, so that the creation of Pakistan on religious grounds gains justification.

BTW, "Indian" subcontinent is also not a term preferred in Pakistani discourse. South Asia is more acceptable.

Re:Interesting (3, Funny)

Anonymous Coward | more than 2 years ago | (#40253517)

Second, since when is Pakistan not in the Middle East?

Pakistan has never been in the Middle East.

Re:Interesting (1)

Anonymous Coward | more than 2 years ago | (#40253551)

Since continental drift started happening.

Seriously, only from the Americas is the rest of the world in the east.

Re:In that order (1)

TaoPhoenix (980487) | more than 2 years ago | (#40253267)

"The Flame malware hit Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, in that order."

Why would Israel create malware that hits themselves second? So they can play innocent?

Re:In that order (1)

InsaneMosquito (1067380) | more than 2 years ago | (#40253345)

Maybe it was unintentional? Stuxnet wasn't supposed to be released, maybe a code change was made and deployed in Israel and it escaped at that point.

Re:In that order (4, Insightful)

Bevilr (1258638) | more than 2 years ago | (#40253609)

Have you bothered to read other articles on Flame? Its ability to record and gather information and transmit it back to C&C servers means that it's an excellent tool not just to do large government espionage, but also to listen in on individual conversations. As a tool in a fight against domestic terrorism and counter-espionage, I imagine it would be very effective; it's like a wiretap, without having to ask a judge for a wiretap. Infections in Israel/Palestine aren't broken down by Israel vs Palestine anywhere I've seen, which may mean that the vast majority are in Palestine. If that's true, it is another pretty large piece of evidence in favor of Israeli authorship.

Re:Interesting (0)

Anonymous Coward | more than 2 years ago | (#40253341)

North Korea?!? Why, because they are a boogie man?

They do not have the capabilities of the other nations you listed, they do not have the vast pool of people experienced with programming, etc. to ever be able to do something as sophisticated as the US, China, Russia, Israel, France, Germany, etc.

Just because they are a big bad boogie man in the media doesn't mean they have these sort of technical abilities. Sure, anybody can learn these techniques, but they just do not have the threat level as the others. Not enough critical mass. They would have to purposely develop those skills, whereas the others simply have a huge pool of latent talent to draw upon.

As you stated, Flame most likely is from the US or Israel.

Re:Interesting (4, Insightful)

viperidaenz (2515578) | more than 2 years ago | (#40253371)

... because small groups of smart people can't create something complex? It's software, you don't need massive amounts of funding, all you need is a few smart people and some time.

Re:Interesting (0)

Anonymous Coward | more than 2 years ago | (#40253547)

You need SEVERAL smart people and A LOT OF time. If they only work weekends for free, on something this massive and complex, your project will be finished in 15 years and be already obsolete. So you need to employ those people full time, giving them a decent salary. I don't know if it would take Government-size funding, but it certainly is expensive.

Re:Interesting (2)

Taco Cowboy (5327) | more than 2 years ago | (#40253701)

You need SEVERAL smart people and A LOT OF time. If they only work weekends for free, on something this massive and complex, your project will be finished in 15 years and be already obsolete.

You have seriously underestimated the productivity of really, really smart programmers.

It has been estimated that a very talented programmer is more effective than the output of 300 garden-variety code monkeys combined.

And in my time I've on several occasions had the privilege to work with some of the top brains of the programming field, and I can tell you that it has been such a blessing.

Re:Interesting (-1)

Anonymous Coward | more than 2 years ago | (#40253379)

Most likely Israel. This is a shot across the bow to remind the U.S. who our masters are and that we better get on board with the war against Iran, now. With an "ally" like Israel, who needs enemies?

Re:Interesting (0)

Anonymous Coward | more than 2 years ago | (#40253419)

What's in NK to target? This is a country where they think that deleting a file through the interface of a digital camera is a permanent operation.

Re:Interesting (0)

Anonymous Coward | more than 2 years ago | (#40253599)

Multiple countries may be involved as well; for example, perhaps the U.S. developed it, but Israel deployed it in Iran. This would mean Israelis had access and then deployed against their own targets. This is, of course, pure speculation and not backed by any facts...

Re:Interesting (0)

Anonymous Coward | more than 2 years ago | (#40253651)

"The Iran fixation suggests two possible suspects- Israel and the United States."

Saudi Arabia is suggested also, though perhaps not fixated on.

Re:Interesting (-1, Flamebait)

BenJCarter (902199) | more than 2 years ago | (#40253077)

Something tells me that this wasn't designed by a teenager.

Arguably, yes it was. According to the NYT, it was designed under George Bush. [nytimes.com]

Re:Interesting (2)

catmistake (814204) | more than 2 years ago | (#40253237)

Something tells me that this wasn't designed by a teenager.

Arguably, yes it was. According to the NYT, it was designed under George Bush. [nytimes.com]

That's not what the article says. It says Olympic Games began under George Bush's administration. The article doesn't say who developed Flame, only that forensic analysis is underway.

That explains it. (5, Funny)

Anonymous Coward | more than 2 years ago | (#40252557)

My mother was wondering why her computer suddenly was working so much better.

Thanks dudes!

Re:That explains it. (1)

macraig (621737) | more than 2 years ago | (#40252729)

Of course the performance bump had nothing at all to do with you removing all your TrueCrypted porn and finally freeing up more than 1% of the drive....

Re:That explains it. (0)

Anonymous Coward | more than 2 years ago | (#40253681)

We don't all live in our parents' basement.

Nice try (-1)

Smiddi (1241326) | more than 2 years ago | (#40252583)

So we trust a malware author and follow their instructions to remove all traces of the malware that they wrote? Riiiigghhttt. Sounds exactly what scammers do. Your unaffected PC will soon be infected once you follow their instructions.

Re:Nice try (4, Informative)

Dunbal (464142) | more than 2 years ago | (#40252617)

Er no, this is infected machines being remotely instructed to clean themselves up by the person controlling the "virus". It has nothing to do with you doing anything to your machine. They sent the virus an instruction, and the virus is removing all traces of itself from a machine.

Re:Nice try (1)

Dancindan84 (1056246) | more than 2 years ago | (#40252653)

He wasn't implying it had anything to do with someone doing anything to their own machine. He was implying that Flame is a government intelligence tool and someone came up with a better way of making sure that's never proven.

Re:Nice try (1)

Dancindan84 (1056246) | more than 2 years ago | (#40252663)

Bleh, sorry. The way the thread was set up it looked like your reply was to someone else.

Re:Nice try (1)

sdnoob (917382) | more than 2 years ago | (#40252689)

it will be, but the TLAs will deny deny deny.

Re:Nice try (4, Interesting)

griffjon (14945) | more than 2 years ago | (#40252971)

Does it close the doors on the way out and patch the various exploits it used to get in to the system in the first place, or does it just leave the system ripe for future re-exploitation by the same or similar tools?

In other news, over in Oz - the man who was behind the curtain is not only unimportant, but not there now, so please stop looking.

debugging (0)

Anonymous Coward | more than 2 years ago | (#40252609)

I wonder how many man hours of confusion this will cause with people falsely believing their bugs are flame.

No AutoDestruct (5, Interesting)

bengoerz (581218) | more than 2 years ago | (#40252627)

In hindsight, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained. As it stands, there's still evidence of Flame sitting on disconnected machines.

Re:No AutoDestruct (4, Insightful)

nanoflower (1077145) | more than 2 years ago | (#40252669)

All too true. I'm sure the authors will be taking that into account for their next version. Hopefully everyone will be on the lookout and catch it quicker than they did this one.

Re:No AutoDestruct (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40252677)

That doesn't sound like a very effective worm. If they did it that way you could fix the infection with a pf rule.

Re:No AutoDestruct (1)

Anonymous Coward | more than 2 years ago | (#40252831)

Once it's somewhat understood, sure (at least enough to know all control channels). Of course, the only reason you'd code a suicide feature at all is because you plan to activate it after it's become useless and before it's understood well enough for everybody to block control channels (thus rendering it useless, risking mass destruction of the entire infection by antivirus updates, and (perhaps) risking detection of your uber-evil centrifuge-destroying payload).

It doesn't seem like a bad idea at all, if the worm is dependent on remote control to achieve the desired result. Of course, if (as for Stuxnet) the payload is meant to work on off-line systems, then it might be bad -- depends on the relative cost of a failed mission (did not infect the target, try again later) vs. an exposed mission (target finds out who they are, becomes more careful, and maybe even causes an international incident if the source can be deduced).

Re:No AutoDestruct (1)

Nutria (679911) | more than 2 years ago | (#40253027)

This is why most organizations should treat the Internet the same way they treat firewalls: block everything then whitelist only what's actually needed for employees to do their work.

Re:No AutoDestruct (1)

Dancindan84 (1056246) | more than 2 years ago | (#40252681)

Heh. A virus dead man's switch.

Re:No AutoDestruct (0)

Anonymous Coward | more than 2 years ago | (#40252711)

I don't suppose any of it would much matter.

A virus that isn't running can't destroy itself and can still be analyzed. If you want to watch it operating, you just use an infected image in a vm, in containment, and start over when it has deleted itself.

Either way, seems like a largely unimportant feature. What was the point?

Re:No AutoDestruct (5, Interesting)

gman003 (1693318) | more than 2 years ago | (#40252765)

Imagine if everything had gone according to plan. They've gotten all the data they need, and have not been detected. They issue a self-destruct order, and bam. Nobody will ever know they were even there.

Now, as for why they're doing it now, there's another reason. I imagine the target has figured out they're infected. But maybe they don't know every computer that was infected. And if the virus has self-destructed, they may never know for sure which machines were hit. Even if they actually *did* ID every machine, the fact that the creators did this may make them think they missed some.

Re:No AutoDestruct (2)

Will.Woodhull (1038600) | more than 2 years ago | (#40253567)

If the blackhats can wipe all active instances of Flame in such a way that no one can tell it was ever there, AND they can do so before Flame is fully analyzed, then they only need to wait until some critical computers have to be restored from backups, where some backups are assuredly dirty with Flame. This way Flame has a better chance of coming back as undead malware.

I rather suspect that whoever constructed Flame is also capable of arranging things so that certain computers will need to be restored from back ups.

Cleansing backups is going to be costly. There will be fewer resources available to the teams that are developing the missile guidance systems and the nuclear detonation simulators.

Re:No AutoDestruct (1)

Anonymous Coward | more than 2 years ago | (#40252767)

Good job dude. Got any other great ideas to give the authors?

Re:No AutoDestruct (5, Interesting)

Billly Gates (198444) | more than 2 years ago | (#40252913)

If this is a real professional job I would not be surprised if it leaves some backdoors open for another, different piece of malware. It wouldn't surprise me if Cisco router rootkits exist. After all, evidence points to China doing just this, as they did with Nortel routers with a backdoor.

Re:No AutoDestruct (5, Interesting)

Baloroth (2370816) | more than 2 years ago | (#40252947)

The implication here, since the creators had to know security researchers already had the virus code, is that there is some module the researchers don't know about (which is actually highly probable anyway, given the fact they wouldn't have unrestricted access to the targeted computers) and the creators wanted to eliminate the evidence. Most likely, that was the module that fulfilled Flame's main purpose, since researchers still aren't sure exactly what it does, which means now they might never know. It also helps that the targeted computers are (most likely) not infected anymore, so people can't even identify if they were ever hit.

A secondary implication is that Flame has fulfilled its purpose. Again, what that is, no one is exactly sure (espionage, certainly, but you don't create something this advanced without some specific target in mind) and it wasn't worth maintaining anymore.

Re:No AutoDestruct (2)

an unsound mind (1419599) | more than 2 years ago | (#40253677)

Alternatively, the fact that it was discovered may mean the current deployment was aborted and there will be (or already is) a new version of Flame to replace the old one.

Re:No AutoDestruct (1)

CodeBuster (516420) | more than 2 years ago | (#40252979)

In hindsight, perhaps the developers should have triggered suicide (at least of all non-critical components) whenever contact with the control servers could not be maintained.

Well, there's always version 2.0 after all. Maybe we'll see that feature, among many others I'm sure, in the next version. Somehow I doubt that we've seen the last of Flame or the people who created it [wikia.com] .

Re:No AutoDestruct (1)

Sir_Sri (199544) | more than 2 years ago | (#40253063)

If it's intended to run on not networked control systems (say the ones being used in hardened bunkers to make nuclear weapons components) that wouldn't help you a lot.

Those computers probably start out network-connected to get set up, and are then disconnected for work, precisely the time you want your malware to do its thing. They circumvent the hooks into Windows Update knowing that they'll all have Windows updates run on them before they get pulled off.

Re:No AutoDestruct (1)

Chuck Chunder (21021) | more than 2 years ago | (#40253287)

If we accept that this is software used by a state for espionage then networks that aren't routinely connected to the internet in a fashion that allows direct contact with the control servers may be of more interest than ones that are and such automatic removal might not be desired.

Perhaps a military private network is compromised when someone attaches a compromised laptop to it. Perhaps information is then snuck out or instructions fed in on subsequent occasions that such a laptop is connected, sneaker-net style.

Re:No AutoDestruct (1)

Will.Woodhull (1038600) | more than 2 years ago | (#40253523)

There are also images of Flame components on a lot of the backups of every significant system that was infected. An unrelated malware that simply crashed computers in a way that forced reloads from backups would not be difficult to construct, and could possibly assure that Flame components would again be in active residence on the networks.

Flame may very well be capable of becoming undead. To assure that this could not happen, it may be necessary to destroy all backups since the days before Flame.

A related question: how often have networks been re-infected by backups or accessing archived files? IIRC, this used to be an issue with some Word macro viruses, back in the days of the woodburning computers.

The bigger question. (4, Interesting)

multicoregeneral (2618207) | more than 2 years ago | (#40252679)

Sure, all this business with Flame is absolutely fascinating. But even more fascinating: why are European and American software companies doing business with Iran in the first place?

Re:The bigger question. (4, Interesting)

Hamsterdan (815291) | more than 2 years ago | (#40252715)

I have a hunch money's involved...

Re:The bigger question. (1)

Anonymous Coward | more than 2 years ago | (#40252719)

so we can infect them with malware apparently.

Re:The bigger question. (0)

Anonymous Coward | more than 2 years ago | (#40252725)

Because companies need to make money, that's their main purpose (or the only one, depending on who you ask).

Re:The bigger question. (3, Insightful)

TheEyes (1686556) | more than 2 years ago | (#40252825)

Why do companies outsource their factories to China? Why did AIG and several other companies leverage themselves to several times what they were worth?

Birds gotta fly. Fish gotta swim. Pointy-haired bosses gotta sacrifice the future for a monetary bonus today.

Re:The bigger question. (1)

artor3 (1344997) | more than 2 years ago | (#40252929)

It's a lot more understandable when you remember that it's someone else's future being sacrificed.

Re:The bigger question. (5, Insightful)

gman003 (1693318) | more than 2 years ago | (#40252851)

You know what's more interesting?

Heckler und Koch GmbH and Rheinmetal AG have licensed factories in Iran. Iranian factories are cranking out G3s, MP5s, MG3s, all legally and for export. Not to mention the various Chinese/Russian small arms they manufacture (couldn't find out whether those were licensed or not).

I think that, before they ban software companies from doing business in Iran, they should maybe think about banning the firearm companies. Just a thought.

Re:The bigger question. (1)

multicoregeneral (2618207) | more than 2 years ago | (#40252891)

A very literate answer. Thank you.

I'm not criticizing anyone. Just thought it was odd, considering all the blanket sanctions that actually do ban software companies, and anyone else for that matter from working in the country.

Re:The bigger question. (2)

kermidge (2221646) | more than 2 years ago | (#40253049)

Nice catch.

I recall reading some thirty years back that the last parties to lose money in a depression are cosmetics and booze; by examination and extrapolation they seem to do pretty well in good times as well.

Arms merchants transcend that - there's always people wanting to mess over others, and other people wanting to defend themselves. I expect that given net and scope of profit and the realpolitik of weaponry, it's a no-lose proposition. Guns and bullets have no morals, nor, essentially, do their makers. True capitalism, true free markets. Funny, doesn't bring the prices down to stick an MP5 in the closet.

Re:The bigger question. (1)

viperidaenz (2515578) | more than 2 years ago | (#40253399)

Guns and bullets are not a free market, the governments regulate the industry so it is split between a regulated market and a black market. Both of which inflate prices.

Re:The bigger question. (1)

Tastecicles (1153671) | more than 2 years ago | (#40253211)

Nobody ever went broke selling weapons. My cousin went into weapons, now he owns his own moon. Me? I opened a bar in the back end of Space.

  - Quark

Or something like that.

Also:

Rule of Acquisition #34: war is good for business.

Why does nobody go to war with Switzerland?
Because Switzerland is the home of the largest banks in the world, and the largest weapons manufacturers in the world. They supply money and arms to everybody. One man's money is as good as another's, be he Western despot or Eastern hero <g>.

Re:The bigger question. (2, Informative)

Anonymous Coward | more than 2 years ago | (#40253575)

Heckler und Koch GmbH and Rheinmetal AG have licensed factories in Iran.

Not quite correct: there were factories in Iran producing those weapons under license, since the early 1970s. Not H&K factories. The Iranians originally paid a royalty on each item produced.

Are you also going to be indignant that Bell provided critical assistance in establishing the helicopter repair and production facility at Isfahan in the same period?

Re:The bigger question. (1)

AHuxley (892839) | more than 2 years ago | (#40252989)

Iran pays on time and very well. Gold, local currencies... Iran is good like that.

Re:The bigger question. (5, Insightful)

fullback (968784) | more than 2 years ago | (#40253009)

Because there is no legitimate reason to not do business. The relentless war mongering against fictional bogeymen is fascinating, too.

Re:The bigger question. (3, Insightful)

Sir_Sri (199544) | more than 2 years ago | (#40253093)

1. Because Iran has money.
2. Because there are 70 million people in Iran, the vast majority of whom are not engaged in trying to kill Americans or Europeans.
3. Because lots of people, especially in Europe, believe that US sanctions are counter-productive, and so don't have such sanctions.

Also keep in mind there are lots of things that aren't barred from export to Iran, and lots of things are sold legally to other countries and then illegally re-exported to Iran. Most notably to Qatar and Bahrain, but other places as well.

Re:The bigger question. (2)

shutdown -p now (807394) | more than 2 years ago | (#40253191)

why are European and American software companies doing business with Iran in the first place?

Why not? How is it significantly different from Russia, or China, or Vietnam, or Saudi Arabia?

Flame just gets more and more interesting (5, Insightful)

tick-tock-atona (1145909) | more than 2 years ago | (#40252699)

Not only does Flame use a previously unknown MD5 chosen-prefix attack [arstechnica.com], but now they are removing all traces of the software from machines under their control.

Now, since security researchers already have copies of the software this isn't going to stop anyone further deconstructing and analysing it. The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive. I wonder who the lucky person or nation-state is?
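The chosen-prefix attack mentioned above matters because a certificate whose MD5 signature collides with a legitimately issued one verifies just like the real thing, so the practical defence is to refuse any chain that still carries an MD5-signed certificate. The following is an added example, not code from Flame, from the article or from any vendor: it parses only enough DER to reach a certificate's outer signatureAlgorithm and flags MD5 (and SHA-1) signatures. The `make_fake_cert` helper builds constructed stand-in certificates for the demonstration; they are not real certificates, and the OID-to-name table is the only real data in the block.

```python
"""Flag X.509 certificates whose signature relies on MD5 or SHA-1.

Added example, not code from Flame, Microsoft or the article. Only the
outer Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue } structure is parsed; sample certificates are constructed.
"""

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the body of a DER OBJECT IDENTIFIER into dotted text."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of a DER certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_body, _ = _read_tlv(alg_id, 0)  # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)


def audit_chain(chain_der):
    """Return (index, algorithm name) for every certificate in the chain whose
    signature uses MD5 or SHA-1. An empty list means the chain is clean."""
    findings = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm(cert)
        if oid in WEAK_SIG_ALGS:
            findings.append((i, SIG_ALG_NAMES.get(oid, oid)))
    return findings


# ---- constructed test data (hypothetical helpers, not real certificates) ----

def _tlv(tag, value):
    """Encode one DER TLV with a short or long definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fake_cert(sig_oid, tbs_size=300):
    """Constructed stand-in: an opaque tbsCertificate, the given
    AlgorithmIdentifier (OID + NULL params) and a dummy BIT STRING signature."""
    tbs = _tlv(0x30, b"\x00" * tbs_size)
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xAB" * 64)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [make_fake_cert("1.2.840.113549.1.1.11"),   # leaf, SHA-256
             make_fake_cert("1.2.840.113549.1.1.4")]    # intermediate, MD5
    print(audit_chain(chain))   # [(1, 'md5WithRSAEncryption')]
```

Two caveats when running this against real chains: the self-signed trust anchor's own signature is never verified (trust comes from the store, not the signature), so a finding at the root is noise, and a leaf that is fine does not help if an intermediate above it is MD5-signed, which is why the audit walks the whole chain rather than stopping at the end-entity certificate.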

Yes, "Lucky" (4, Insightful)

SuperKendall (25149) | more than 2 years ago | (#40252737)

The only possible reason for doing this is to avoid discovery of infection somewhere particularly sensitive.

Or, to make everyone else stop looking.

You know all of the installations received the same self-destruct command how again?

Re:Yes, "Lucky" (1)

Billly Gates (198444) | more than 2 years ago | (#40252931)

It is so big it is possible any VM with network access could have received the command to self destruct or maybe it self destructs when it can't find a LAN connection? I would not be surprised.

The Other (5, Funny)

SuperKendall (25149) | more than 2 years ago | (#40252955)

maybe it self destructs when it can't find a LAN connection?

Works for Diablo 3...

Re:Flame just gets more and more interesting (1)

kaiser423 (828989) | more than 2 years ago | (#40253025)

Given that Flame was highly sophisticated, modular and individually targetable there is the potential that some machines had modules that had not yet been discovered and that could also be a reason to destruct - to prevent anyone from discovering more.

That's it, I'm officially convinced (4, Funny)

Voyager529 (1363959) | more than 2 years ago | (#40252829)

The people who wrote Flame are the same fine ladies and gentlemen who have brought us CleanMyPC.com. Apparently their accountant is on vacation or something, because removing malware is generally a service that they charge for.

Re:That's it, I'm officially convinced (3, Interesting)

Billly Gates (198444) | more than 2 years ago | (#40252935)

Dude, the more you spam for it, the higher the Google page ranking it gets. Out of curiosity I did a google search for malware and cleanPC was 4 out of the 5 links listed. Good god, talk about SEO to the extreme

Re:That's it, I'm officially convinced (0)

Anonymous Coward | more than 2 years ago | (#40253117)

Milk just spontaneously shot out my nose and I wasn't even drinking it.

Good one.

Red Mercury next? (1)

ka9dgx (72702) | more than 2 years ago | (#40252923)

Oh oh..... can I name the next one? Let's call it "Red Mercury", and it should be taking out a reactor in 5, 4, 3, 2

Re:Red Mercury next? (0)

Anonymous Coward | more than 2 years ago | (#40253029)

Skynet

Re:Red Mercury next? (1)

catmistake (814204) | more than 2 years ago | (#40253309)

Joshua

Re:Red Mercury next? (1)

shentino (1139071) | more than 2 years ago | (#40253401)

Material Defender.

Descent.

Good thing, I guess... (1)

Anonymous Coward | more than 2 years ago | (#40253043)

It could have been worse, the instruction could have been to wipe the computer's hard drive, or worse, load garbage into the EEPROM, overwrite the BIOS, and THEN wipe the computer's boot sectors, then hard drives... would be tough to recover from that. Even if you have backups and a boot disk... if your BIOS is destroyed, your computer is going to require professional help even to get to the point where it starts looking for a bootloader...

It seems almost pointless though, since the virus is known, I'm sure there's at least one known, infected machine that was NOT on (and therefore not connected to the internet) that can be analyzed forensically, since the operator(s) will know not to connect it to the internet again until they're done analyzing it, so that it cannot receive the (virus) self-destruct instructions...

Re:Good thing, I guess... (0)

Anonymous Coward | more than 2 years ago | (#40253133)

DualBIOS FTW.

Re:Good thing, I guess... (2)

shentino (1139071) | more than 2 years ago | (#40253405)

Which is why it's sound engineering for a computer to have a BIOS loader burned into a ROM chip that can reflash the BIOS.

When your covert operation has made the news... (4, Insightful)

Arancaytar (966377) | more than 2 years ago | (#40253255)

... it is way too late to get rid of the evidence. I mean, really? Every malware researcher ever must now have a copy of the code.
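The comments above on forensic analysis of an offline machine and on "getting rid of the evidence" turn on one mechanical point: an ordinary delete removes the file system's bookkeeping but leaves the file's bytes on the platter, where a carver scanning the raw image still finds them, while overwriting the blocks before unlinking leaves nothing to carve. The following is an added example, not code from Flame or from the article, using a constructed toy block device (`ToyDisk`) and a constructed marker string standing in for a module's distinctive bytes; neither is a real Flame artefact.

```python
"""Plain delete versus overwrite-then-delete, as seen by a raw carver.

Added example, not code from Flame or the article. ToyDisk is a constructed
block device with a directory table; carve() is the raw pattern scan an
examiner runs over a disk image, ignoring the file system's own metadata.
"""
import os

BLOCK = 512


class ToyDisk:
    def __init__(self, blocks=64):
        self.raw = bytearray(BLOCK * blocks)   # the "platter"
        self.directory = {}                    # name -> list of block numbers
        self.free = list(range(blocks))

    def write(self, name, data):
        """Store data under name, allocating whole blocks from the free list."""
        nblocks = (len(data) + BLOCK - 1) // BLOCK
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary unlink: drop the directory entry and free the blocks.
        The bytes stay on the platter until something reuses them."""
        self.free.extend(self.directory.pop(name))

    def wipe_and_delete(self, name, passes=1):
        """Overwrite every block of the file with random bytes, then unlink."""
        for _ in range(passes):
            for b in self.directory[name]:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)

    def carve(self, signature):
        """Raw scan for a byte pattern across the whole image. Returns the
        byte offset of every hit, whether or not a live file owns those bytes."""
        hits, start = [], 0
        while True:
            i = self.raw.find(signature, start)
            if i < 0:
                return hits
            hits.append(i)
            start = i + 1


# Constructed stand-in for a module's distinctive bytes (not a real Flame signature).
MARKER = b"FLAME-MODULE-STUB"
SAMPLE_FILE = b"MZ" + b"\x00" * 700 + MARKER + b"\x00" * 100   # spans two blocks


def remnant_after_delete():
    """Write, plain-delete, then carve: how many copies of the marker survive."""
    d = ToyDisk()
    d.write("stub.dll", SAMPLE_FILE)
    d.delete("stub.dll")
    return len(d.carve(MARKER))


def remnant_after_wipe():
    """Write, overwrite-then-delete, then carve: how many copies survive."""
    d = ToyDisk()
    d.write("stub.dll", SAMPLE_FILE)
    d.wipe_and_delete("stub.dll")
    return len(d.carve(MARKER))


if __name__ == "__main__":
    print("after delete:", remnant_after_delete())   # 1
    print("after wipe:  ", remnant_after_wipe())     # 0
```

On real hardware the overwrite is weaker than the toy suggests: SSD wear levelling and file-system journaling can leave the old blocks physically intact while the write lands elsewhere, and a module that scrubs its own files cannot reach copies in memory dumps, prefetch data, event logs, backups or network captures, let alone the powered-off machine the comment above describes.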

Best reason to hide this is 'Intelligence'. (5, Interesting)

arthurh3535 (447288) | more than 2 years ago | (#40253283)

As in those who were infected that lost important data can no longer know (for a surety) that their important data kept on their computer/server was compromised or not.

"So our top-sekret 'eyes-only' data may or may not be compromised and they may know everything. But we don't know if they actually know anything about everything. So we can't trust anything that we've stored on a computer in the last year."

Talk about your security nightmare situation for an Intelligence Agency of some acronym.

Re:Best reason to hide this is 'Intelligence'. (1)

Anonymous Coward | more than 2 years ago | (#40253445)

They're foolish if they don't have some form of periodic differential mirroring backup that prevents overwrites.
