The Flame Rage
You know what's coming.
MOSCOW (Rixstep) — The antivirus market players are in ecstasy. They've discovered the biggest malware monster ever. This might be like what astronomers feel when they discover a new planet. But the one thing they never tell you - can you guess what it is?
Formula for Success™
By way of an introduction, for those new to this shadow game, here's the formula for success in the antivirus industry. It takes the unwitting cooperation of several players.
- Produce and market a really crappy operating system. Design this system so that no precautions for security are built in at ground level. Force this system onto the market with whatever's at your disposal. (Bullying can be particularly effective.)
- Kick back and wait for the cottage industries to pop up like mushrooms in a forest, offering 'security' (ahem) after the fact on a subscription or 'heroin economics' basis.
- Observe the first rule of successful propaganda campaigns: the uneducated unwashed masses must be kept uneducated and unwashed. Hide the truth or at least keep it on the 'back pages'.
- Celebrate in champagne at every outbreak like they did in Canada when Code Red was first discovered.
Malware outbreak or malware scare == huge cash flows. Learn that.
The antivirus era is over, proclaims Tom Simonite of MIT's Technology Review on 11 June 2012, in the understatement of the Common Era. Let's take a look at what Tom has to say and deconstruct it. His article starts with a clever graphic right out of Space Invaders. Mars is attacking.
Two weeks ago today, computer security labs in Iran, Russia, and Hungary announced the discovery of Flame, 'the most complex malware ever found', according to Hungary's CrySyS Lab.
Note the spelling: it's 'CrySyS' and not 'CrYsYs' as reported earlier. Remember how SanDeE* objected to Harris Telemacher.
For at least two years, Flame has been copying documents and recording audio, keystrokes, network traffic, and Skype calls, and taking screenshots from infected computers.
Whoa! Keystrokes? Screenshots? What kind of 'infected computers' are these? Are they Unix machines? Apple's OS X or some flavour of BSD or Linux?
In all that time, no security software raised the alarm.
Raise your hand if you're surprised.
'Flame was a failure for the antivirus industry', Mikko Hypponen, the founder and chief research officer of antivirus firm F-Secure, wrote last week.
No comment needed. For a clue how clueless Hypponen and F-Secure are when it comes to Unix boxen, and for a clue how much they're prepared to hype and twist the truth, see here.
The programs that are the lynchpin of computer security for businesses, governments, and consumers alike operate like the antivirus software on consumer PCs.
Which consumer PCs are these? Linux PCs? Ubuntu PCs? OS X Macs? Why is no one telling? Could it simply be that these nitwits are so obsessed with Windows that they don't even realise there are secure systems out there where things like this can't happen? Why don't they name the culprit? Why don't they say straight out that this is a problem with Microsoft products and only with Microsoft products?
Threats are detected by comparing the code of software programs and their activity against a database of 'signatures' for known malware.
Yes, we know that. But has everyone forgotten the Dark Avenger and his mutation engine? Or would one prefer not explaining to Joe Blogs that malware writers subscribe to all the major AV products and test their code against these products before putting them into the wild?
Security companies such as F-Secure and McAfee constantly research reports of new malware and update their lists of signatures accordingly.
Yes we know that. They're like librarians - obscenely overpaid librarians.
The result is supposed to be an impenetrable wall that keeps the bad guys out.
O RLY? Says who? What about an operating system built right from the get-go that keeps the bad guys out? A system like Unix, like Ubuntu, like FreeBSD, like OS X? You guys don't like that? You prefer pushing AV on defenceless users? Of course you do.
However, in recent years, high-profile attacks on not just the Iranian government but also the US government have taken place using software that, like Flame, was able to waltz straight past signature-based software. Many technically sophisticated US companies - including Google - have been targeted in similar ways.
And that, dear friends, is why Google completely abandoned Windows two years ago. But you'll find no mention of it at the MIT Technology Review with Tom Samsonite. (You can however find a writeup on it here.)
Some experts and companies now say it's time to demote antivirus-style protection.
Perhaps we can forgive Tom as he's majoring in Shakespearian tragedy. But Tom? It's the operating system, stupid. But of course if the operating system were secure, you'd be out of a job. This is like the military industrial complex screaming that despite having 48,783 US military bases surrounding them on all sides, those evil Iranians are building a peashooter.
We need to focus on the shooter, not the gun - the tactics, the human parts of the operation...
No you need to focus on the real problem - the fundamental lack of security design in Microsoft technology.
'Crime doesn't pay', says Sumit Agarwal, a cofounder of Shape Security, another startup in California that recently came out of stealth mode.
Oh the cool terms they use! Such as 'stealth mode', used to describe a corporation. From tin soldier battlefields to the InterWebs! What fun these people must have! No one nag Bill Gates - this is the best of all possible worlds! Get a case of Veuve Clicquot! Fast!
'Never have so many billions of dollars of defence technology flowed into the public domain', says Agarwal of Shape Security.
Research by Christin and other academics has shown that chokepoints do exist that could allow relatively simple legal action to neutralise cybercrime operations.
So basically you want people to swallow the lie that they're defenceless so Bill Gates and his friends can make expensive first class excursions to foreign capitals to chat about police actions. Another win-win. For you - not for Joe Blogs.
Some people might remember the name Alex Sotirov. They should.
Alex Sotirov's come out with a white paper on Flame. A perusal of this impressive document makes clear what the antivirus people would rather you didn't understand. But the joke can be on them. For it doesn't take a degree in Rocket Science to see through their game.
Flame was discovered in 2012, asserts Sotirov, but it's now understood to have been active for at least two years. It's very complex, has a disk footprint of nearly 20 MB, and has several integrated components. It's used primarily for targeted attacks - all the rage today.
Sotirov includes a map from Kaspersky so you can see where Flame has spread. It's mostly the Middle East - Egypt, the Sudan, Syria, Israel/Palestine, Saudi Arabia, and of course everyone's brothers in arms: Iran.
Sotirov now explains how Flame attacks. Watch closely.
- Flame registers itself as a proxy server for update.microsoft.com and other domains.
- It uses the so-called 'man in the middle' attack on Windows Update.
Quick check: do Ubuntu users use Windows Update? Do Mac users use Windows Update? Check your systems to see if you do. Check this right now!
- Serves a fake update signed with a Microsoft code-signing certificate.
Uh-oh! So some supplier to Microsoft screwed up with the certs! Cos Microsoft'd never ever do something so stupid!
Sotirov now explains how this brilliant malware hijacks a root cert from Microsoft. Details aren't necessary - it's Microsoft and no one else. And here's a screen dump of the installed rogue cert. Again: this would appear to be an application from Microsoft Windows. Or what do you think, dear reader?
Sotirov now goes into a discussion of MD5 collisions which has nothing to do with the topic at hand. Cheers, Alex.
Jim Finkle and Joseph Menn from CNBC report on this catastrophe for Microsoft Windows - the Milky Way - the same day.
A leading computer security firm linked some of the software code in the powerful Flame virus to the Stuxnet cyber weapon, which was widely believed to have been used by the United States and Israel to attack Iran's nuclear program.
'Cyber weapon' - here we go again. Boys with toys. And yes - wouldn't that be the shizzle? The US government behind Flame too? Look again at the map above. And remember this is an election year over there in the wasteland.
Eugene Kaspersky, chief executive of Moscow-based Kaspersky Lab...
Good old Eugene never misses an opportunity...
Flame is the most complex computer spying program ever discovered and appeared to be aimed at government and other offices in Iran, Israel, the Palestinian territories, and Sudan.
Cute. Because Israelis were thought to be behind Stuxnet. So now they're turning their guns on their own people. Crafty!
Flame has 20 times as much code as Stuxnet and hijacked Microsoft's process for automatic updates in order to install itself.
Wow. First mention of the forbidden M-Word.
Flame is a highly sophisticated computer virus that disguises itself as common business software. It was deployed at least five years ago and can eavesdrop on conversations on the computers it infects and steal data.
Five years, is it now? We're up from 2? Anyone say 10? Seriously: any old type of malware's been able to do that on Windows for eons. No matter the 'antivirus' protection. BFD.
If the US is proven to be a force behind Flame, it would confirm the country that invented the Internet is involved in cyber espionage - something for which it has criticised China, Russia, and other nations.
The US didn't invent the Internet - Al Gore did. But the Emperor isn't speaking to the Gores so the misunderstanding's understandable.
'There's a Balkanisation of cyberspace that's occurring, and companies need to choose which side they're on', said Dmitri Alperovitch, cofounder of US security firm CrowdStrike.
'Balkanisation': always a cool term to use. Most people don't understand it, and for those that do it acts like an aphrodisiac.
Kaspersky Lab said Flame was developed with a different set of tools than Stuxnet, though their analysis was just beginning and would take many months.
Hopefully they'll do a better job than their friends at F-Secure.
The Windows flaw...
And now the W-Word.
Stuxnet was discovered in 2010 and was closely scrutinised by the world's smartest cyber sleuths.
That's highly doubtful. The year is right but the 'world's smartest' is way wrong.
Flame remained hidden until last month, when a United Nations agency asked Kaspersky Lab to look for a virus that Iran said had sabotaged its computers, deleting valuable data.
So now we know through the back door that morons at the UN run Windows. Fire up Fyodor, see what you can find.
Analysts already widely regard Flame as one of the most sophisticated pieces of malware ever detected, along with Stuxnet and its data-stealing cousin Duqu.
Yes. But it's useless information. Real news would be that Bill Gates and his bullies finally scrapped Windows and used a system like FreeBSD to protect their users without the need for useless antivirus products.