[Discussion] [Unofficial reading] The 'Flame' virus (Flame malware) incident

【乱】
Posted 2012-6-1 02:24:33
Last edited by 【乱】 on 2012-6-1 04:12

First off, I'm no insider expert. I pulled up the foreign Wikipedia article and looked at the related material (post #2), and clearly the idea that "Kaspersky intercepted a nation-state virus" is a mistaken understanding.
Its discovery was announced on 28 May 2012 by MAHER Center of Iranian National Computer Emergency Response Team (CERT)

Google Translate: The MAHER Center of Iran's National Computer Emergency Response Team (CERT) announced its (Flame's) discovery on May 28
Kaspersky just acted as a mouthpiece~
Kaspersky Lab and the CrySyS Lab of the Budapest University of Technology and Economics stated in their report: "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."


And according to Kaspersky's report only 1,000 computers were infected. Think about it: basically any common trojan can infect tens of millions of computers, yet a virus this badass infected only 1,000? Clearly it was a targeted, small-scale, deliberately planned deployment. Is that why Flame went nearly two years without any AV finding it? Because it basically never came into contact with AV software, and instead infected some 'state-secret computers'.
According to estimates by Kaspersky, Flame has infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. As of May 2012, the countries most affected are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.

Next, the file is 20MB. Downloading a 20MB program with Xunlei or QQ Xuanfeng takes at least 2-3 minutes, I'd guess. And places like some government and campus networks probably don't even allow internet access? You expect it to spread to you via a web page... sit there on the same web page for 20 minutes.....
USB? Like those movie scenes where the spy, sweating, plugs a USB stick into the computer and copies off the data
Also, this virus has a lot of behaviours, which means those many behaviours can also be its weak point: against AV protection and monitoring it's bound to run into walls, and AV products with firewall capabilities aren't that easy to get past nowadays. Add the massive data collection: if coverage were wide, that would create an information-processing problem; and uploading an entire computer's worth of data, I don't know how many months it would have to lurk on the machine to quietly upload all of it.
Afterwards it can be confirmed that:
1- No AV product discovered this virus
2- Most AV vendors are now following up

And given the complexity of the sample described above, using it to attack ordinary folks would also be very complicated.....

To date no AV vendor, domestic or foreign, has officially announced discovering this virus or fully blocking it; only BD and Kingsoft have released a removal tool or detector http://www.bit361.com/NewsRead.aspx?id=543
http://bbs.duba.net/thread-22714225-1-1.html

From Kingsoft:
Because the sample did not come from an actual infection channel (sample prevalence in the figure is 0), the sample was not given attention.

And the sample was classified as 'grey'

Actually, in the whole article only Huoyan (火眼) comes off well

So from now on nobody needs to argue about any AV's ability to detect and remove 'Flame'; every vendor's announcement is just spreading news + hype
【乱】
OP | Posted 2012-6-1 02:28:19
Last edited by 【乱】 on 2012-6-1 02:29

http://en.wikipedia.org/wiki/Flame_%28malware%29
If your English is poor I suggest using Google Translate
http://translate.google.com/?hl=zh-CN&tab=wT
=================================

Flame,[a] also known as Flamer, sKyWIper, and Skywiper,[2] is modular computer malware discovered in 2012[3][4] that attacks computers running the Microsoft Windows operating system.[5] The program is being used for targeted cyber espionage in Middle Eastern countries.[1][5][6] Its discovery was announced on 28 May 2012 by MAHER Center of Iranian National Computer Emergency Response Team (CERT),[5] Kaspersky Lab[6] and CrySyS Lab. of the Budapest University of Technology and Economics.[1] The last of these stated in its report that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."[1]

Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.[7] These data, along with locally stored documents, are sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]

According to estimates by Kaspersky in May 2012, Flame had infected approximately 1,000 machines,[7] with victims including governmental organizations, educational institutions and private individuals.[6] At that time the countries most affected were Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.[3][6]

Flame is known to have been "in the wild" since February 2010, so it had evaded detection by security software for just over two years when it was discovered[8]; the main component file name had been observed by December 2007. Flame might have remained undetected for much longer, but researchers came across it while investigating the "Wiper" exploit[8].

Stephen Wolthusen of the information security group at Royal Holloway, University of London said that the attack would percolate down beyond the immediate targets[8]; businesses could not dismiss Flame as about nation states and nothing to do with them.
History

Flame was identified in May 2012 by Kaspersky Lab, MAHER Center of Iranian National CERT, and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.[7] As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after the name of one of its modules.[7]

According to Kaspersky, Flame has been operating in the wild since at least February 2010.[6] CrySyS reports that the file name of the main component had been observed as early as December 2007.[1] However, its creation date cannot be determined directly, as the creation dates for the malware's modules are falsely set to dates as early as 1994.[7]

Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet.[9] At the time the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator.[10] However, Kaspersky Lab believes that Flame may be "a separate infection entirely" from the Wiper malware.[7] Due to the size and complexity of the program—described as "twenty times" more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years.[7]

On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to "select organizations" for several weeks.[7]
Specifications

The malware is an uncharacteristically large program for malware at 20 megabytes, written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.[6][11] The malware uses five different encryption methods and an SQLite database to store structured information.[1] The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications.[1] The internal code has few similarities with other malware, but exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems.[1] The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software.[1] Additional indicators of compromise include mutex and registry activity, such as installation of a fake audio driver which the malware uses to maintain persistence on the compromised system.[11]
Usage

Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth enabled devices.[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]

Unlike Stuxnet, which was designed to damage an industrial process, Flame appears to have been written purely for espionage purposes.[12] It does not appear to target a particular industry, but rather is "a complete attack toolkit designed for general cyber-espionage purposes".[13]

Flame contains no built-in end-of-life date when it will deactivate, but allows operators to send a "kill" module that eliminates all traces of its files from a system.[7]
Speculation about origin

According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it."[3] Kaspersky has said that the malware bears no resemblance to Stuxnet, but it may have been a parallel project commissioned by the same attackers.[14]

Iran's CERT described the malware's encryption as having "a special pattern which you only see coming from Israel".[15] The Daily Telegraph reported that due to Flame's apparent targets—which included Iran, Syria, and the West Bank—Israel became "many commentators' prime suspect". Other commentators named China and the U.S. as possible perpetrators.[14] Richard Silverstein, a commentator critical of Israeli policies, stated that he had confirmed with a "senior Israeli source" that the malware was created by Israeli computer experts.[16][14] The Jerusalem Post wrote that Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible,[14] but an Israeli spokesperson later denied that this had been implied.[17] Israeli security officials pointed to the machines infected in Israel as evidence that the U.S. was behind the malware.[18]

A network of 80 servers across Asia, Europe and North America have been used to access the infected machines remotely.[19]
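The "Specifications" paragraph above notes that Flame checked which antivirus product was installed and changed the filename extensions it used to lower its chance of detection. The defensive lesson is to classify files by content rather than by name. The following is an added example written for this thread; it is not code from the posters, from Kaspersky or CrySyS, or from the quoted Wikipedia article. It parses the DOS header and PE signature to identify Windows executables regardless of extension and flags files whose extension disagrees with their content. The list of "executable" extensions is an assumption, and every sample file is a constructed byte blob, not a real sample.

```python
"""Added example (not from the thread or the quoted article): identify PE
images by header rather than by filename extension, and flag files whose
extension hides executable content."""
import struct

# Extensions Windows normally treats as PE images (assumed list).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def is_pe_image(data: bytes) -> bool:
    """Return True when `data` has a DOS header whose e_lfanew field points
    at the 'PE\\0\\0' signature, i.e. it is laid out like a PE image."""
    # The DOS header is 64 bytes: 'MZ' at offset 0, e_lfanew at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Bounds check so a truncated or corrupted header cannot raise.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extension_of(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def classify(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes show.

    'pe'            extension and content both indicate a PE image
    'pe-disguised'  content is PE but the extension is not an executable type
    'ext-only'      extension claims PE but the content does not parse as one
    'not-pe'        neither indicates PE
    """
    looks_pe = is_pe_image(data)
    ext_pe = extension_of(name) in PE_EXTENSIONS
    if looks_pe and ext_pe:
        return "pe"
    if looks_pe:
        return "pe-disguised"
    if ext_pe:
        return "ext-only"
    return "not-pe"


def find_disguised(files: dict) -> list:
    """Names whose content is a PE image but whose extension hides it."""
    return sorted(n for n, d in files.items() if classify(n, d) == "pe-disguised")


def make_pe_stub(e_lfanew: int = 0x80) -> bytes:
    """Construct a non-functional blob with a valid-looking DOS header and
    PE signature. Sample input only; it is not an executable."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)        # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, e_lfanew)  # e_lfanew -> PE signature
    header += b"\0" * (e_lfanew - len(header))      # DOS stub padding
    header += b"PE\0\0" + b"\0" * 20                # signature + file header
    return bytes(header)


# Constructed sample set (not real files).
SAMPLES = {
    "setup.exe":      make_pe_stub(),
    "quarterly.docx": make_pe_stub(),            # PE behind a document extension
    "notes.txt":      b"Meeting notes, nothing to see here.\n",
    "audio.sys":      b"MZ" + b"\0" * 0x3E,      # 'MZ' but no PE signature
    "scan.tmp":       b"\x00" * 200,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} {classify(name, blob)}")
    print("disguised:", find_disguised(SAMPLES))
```

Run on the constructed set, `quarterly.docx` is the only file reported as disguised; `audio.sys` shows the opposite mismatch (an executable extension on non-PE content), which is also worth a second look in a real triage.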
wjcharles
Posted 2012-6-1 03:48:57
Last edited by wjcharles on 2012-6-1 03:50

Rising says it detected and removed it back in April
http://www.rising.com.cn/about/news/rising/2012-05-30/11617.html

The two samples posted on KaFan were already detected by NIS a year ago, with file reputation 'poor', but were never added to the database
http://bbs.kafan.cn/forum.php?mo ... &fromuid=489037

OP already mentioned Kingsoft
http://bbs.duba.net/thread-22713852-1-1.html

Kaspersky also seems to have said it found it very early (2010)

So you can't say no AV detected it at all; the detection may just have been incomplete, since a single file is hard to judge black or white
【乱】
OP | Posted 2012-6-1 04:16:21
wjcharles posted on 2012-6-1 03:48:
    Rising says it detected and removed it back in April
    http://www.rising.com.cn/about/news/rising/2012-05-30/11617.html

I just revised the wording in the main post
What Kaspersky said is that the virus was released in 2010 without AV software noticing
Like Kingsoft's cloud center: there were traces of this thing, but it was never classified

And the AV vendors are all following up now
Samples have also circulated online; real or fake, I don't know. The sample section already has one, but it's only 600K in size
-oAo-
Posted 2012-6-1 08:04:47
AV vendors hyping for publicity, business as usual
lovehhy
Posted 2012-6-1 08:13:18
It's really just a trojan developed by a team, a bit stronger than the ones individuals used to write. Domestic software is full of backdoors; which of them isn't stronger than Flame? And they're all developed by teams of hundreds of people. Surrounded like that, what privacy does any ordinary person have left? Install a security product and it installs a media player for you; install the media player and it gives you a toolbar; install the toolbar and it installs an input method; install the input method and it gives you a browser. In short, every one of them beats Flame!

Kaspersky just hasn't seen how things are done in the Celestial Empire, hence all the fuss.
心鉴
Posted 2012-6-1 08:50:40
This virus was probably developed for the day when every netizen has 20M+ fibre
老机子
Posted 2012-6-1 11:12:30
心鉴 posted on 2012-6-1 08:50:
    This virus was probably developed for the day when every netizen has 20M+ fibre

Exactly! Getting infected on our 2MB ADSL would be like winning a million in the lottery! Rather than a virus, it's more of a "system": if any one component fails or is incomplete, it's deaf, blind and dumb! Apparently it's close to 10MB! Good grief!
simon92
Posted 2012-6-1 11:37:21
-oAo- posted on 2012-6-1 08:04:
    AV vendors hyping for publicity, business as usual

Agreed
-oAo-
Posted 2012-6-1 11:57:40
simon92 posted on 2012-6-1 11:37:
    Agreed

Every seller praises his own wares
Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-1-19 11:23 , Processed in 0.126424 second(s), 16 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表