Iran Flamed by Super Virus


  • #16
    Originally posted by snapper View Post
    I am wondering why such a 'suicide command' is necessary and/or activated.
    It points to the utility of flame as solely a penetration testing tool. The aim is to discover vulnerabilities and report on the configuration of any network it enters. Once that's complete it has served its purpose. This then paves the way for more targeted attacks in the future. Flame is too bulky to do this itself. Flame is bulky so that it can be configured to test for weaknesses.

    Originally posted by snapper View Post
    Has someone been too clever that they need to cover up their tracks? Perhaps it is reverse engineerable? Odd...
    Usually, or at least up to now, worms/viruses had a fixed payload, that is, a pre-determined job to do. If you caught one then you could figure out what it did and devise a counter. Then apply that fix on any infected network and the problem was removed.

    The 'super' here denotes this worm is configurable or programmable after being deployed in the field. Though this is only possible so long as the worm has a means to communicate with the outside world to allow programming of further instructions.

    These worms can all be reverse engineered provided a valid copy is caught to determine their purpose. The main factor is time or how long it takes to do. The bigger the size the longer it takes to figure out what it does. If n copies are caught each with different payloads then it increases the work further.
    Last edited by Double Edge; 09 Jun 12,, 11:09.

    Comment


    • #17
      Ain't it easier to send a virus that copies an autoexec.bat file with a format c: command in it?
      No such thing as a good tax - Churchill

      To make mistakes is human. To blame someone else for your mistake, is strategic.

      Comment


      • #18
        Originally posted by Double Edge View Post
        It points to the utility of flame as solely a penetration testing tool. The aim is to discover vulnerabilities and report on the configuration of any network it enters. Once that's complete it has served its purpose. This then paves the way for more targeted attacks in the future. Flame is too bulky to do this itself. Flame is bulky so that it can be configured to test for weaknesses.
        Well I have to say that for once I find your explanation quite convincing. I curtsy in your general direction.

        Comment


        • #19
          Originally posted by Doktor View Post
          Ain't it easier to send a virus that copies an autoexec.bat file with a format c: command in it?
          Virii that kill their hosts quickly do not spread. Think Ebola.

          It would seem that all of Iran's computers are being targeted as opposed to just the defence sector. These cyber attacks are becoming broader in scope.

          Comment


          • #20
            Originally posted by Double Edge View Post
            Virii that kill their hosts quickly do not spread. Think Ebola.

            It would seem that all of Iran's computers are being targeted as opposed to just the defence sector. These cyber attacks are becoming broader in scope.
            I am aware it won't spread at all if formatting comes first. I was thinking that instead of auto-delete, format could be a better option. Plus it would have saved some work on the "end user" side ;)

            Seriously, how does a virus enter a military network? They browse porn, too?
            No such thing as a good tax - Churchill

            To make mistakes is human. To blame someone else for your mistake, is strategic.

            Comment


            • #21
              The stuxnet virus entered via mobile phone, or 'wireless'. If a system is 'remotely accessible' it's an easy entry point.

              Comment


              • #22
                Originally posted by snapper View Post
                The stuxnet virus entered via mobile phone, or 'wireless'. If a system is 'remotely accessible' it's an easy entry point.
                It used Windows to spread, and thumb drives.

                Now a Windows system may be connected to the internet via mobile phone, wi-fi or wire and then appears on the network. This way a remote call in could infect the destination network and spread from there.

                This is still quite an involved method as counter-measures are simple, just restrict what the remote caller can do. Thumb drives are better as they bypass safeguards and immediately place the user inside the network.

                Originally posted by Doktor View Post
                I am aware it won't spread at all if formatting comes first. I was thinking that instead of auto-delete, format could be a better option. Plus it would have saved some work on the "end user" side ;)
                If it kills the machine it creates a stink and alerts are raised sooner.

                Originally posted by Doktor View Post
                Seriously, how does a virus enter a military network? They browse porn, too?
                Depends what they use to watch their porn. They won't be streaming it through the internet and using a web browser.

                If it's on a thumb drive then that's how it got onto the network.
                Last edited by Double Edge; 09 Jun 12,, 16:20.

                Comment


                • #23
                  Stop annoying me again just after I curtsied in your direction. That is what I just said without your do-it-yourself guide. Nvm.

                  BUT I looked into this 'flame' virus and it seems it has done some damage - mostly to oil related systems in the Middle East. It was also spread or gained entry via Windows as you correctly say in what appeared as an update for users; Flame virus spread through rogue Microsoft security certificates | Microsoft - CNET News

                  It seems that the computer boffins themselves can't seem to work out what it's done - the damage in real terms is rather small for such sophistication and now it's auto suiciding itself on command in case people find out how far it has got and presumably what it has gained access to. Appears to have limited impact and yet 'weapons grade virus' and the FIRST that has an autodestruct, plus the size... Could it not be an 'opener'? What I mean is that having come and observed for a bit as per normal spyware it adjusts matters such that an entry point is available in future?

                  Comment


                  • #24
                    According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as "prefix collision attack". This allowed the virus to fake digital credentials that had helped it to spread.
                    Flame employed a collision attack on MD5 hash functions. We know MD5 was shown to be vulnerable to collision attacks before 2008, and by 2008 it was totally discredited as a means of securely signing files. That would suggest that Flame infected computers were still using the old certificate protocol.

                    I don't understand these things well, but it seems to me that either Flame's spread predates 2008 or, if later, its maker anticipated that the intended targets were still using older computers. Is it valid to ask who would use older equipment? The Iranians? Surely not the Israelis.
                    To be Truly ignorant, Man requires an Education - Plato

                    Comment
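As an added example, not code from this thread or from any published Flame analysis: a small pure-Python DER reader that pulls the signatureAlgorithm OID out of an X.509 certificate and flags the MD5-based algorithm that the collision attack discussed above depends on, the check an administrator would run across a certificate store to find signatures that should no longer be trusted. The certificate-shaped DER sample built by fake_cert is constructed for the demo and is not a real certificate; MD5_RSA_OID, fake_cert and the other names are mine, not from any library.

```python
MD5_RSA_OID = "1.2.840.113549.1.1.4"        # md5WithRSAEncryption
SIG_ALG_NAMES = {
    MD5_RSA_OID: "md5WithRSAEncryption",     # collision-prone; flagged as weak below
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID from Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { oid, params }
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    return decode_oid(oid)

def audit_signature(cert_der):
    """Return (oid, algorithm name, is_weak); is_weak is True for MD5-signed certs."""
    oid = signature_algorithm(cert_der)
    return oid, SIG_ALG_NAMES.get(oid, "unknown"), oid == MD5_RSA_OID

# Constructed sample input: a certificate-shaped DER blob, not a real certificate.
def tlv(tag, content):
    """Short-form DER TLV encoder (content < 128 bytes), enough for the sample."""
    return bytes([tag, len(content)]) + content

def fake_cert(sig_oid_hex):
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                          # tbsCertificate: serial only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 16))   # BIT STRING signature

MD5_SAMPLE = fake_cert("2a864886f70d010104")      # encodes 1.2.840.113549.1.1.4
SHA256_SAMPLE = fake_cert("2a864886f70d01010b")   # encodes 1.2.840.113549.1.1.11
```

Running audit_signature over a real DER certificate (the bytes of a .cer file) works the same way, since read_tlv handles the long-form lengths real certificates use.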


                    • #25
                      A very good point.
                      Last edited by snapper; 09 Jun 12,, 19:33.

                      Comment


                      • #26
                        Originally posted by snapper View Post
                        Stop annoying me again just after I curtsied in your direction. That is what I just said without your do-it-yourself guide. Nvm.
                        Not quite

                        The stuxnet virus entered via mobile phone, or 'wireless'. If a system is 'remotely accessible' it's an easy entry point.
                        You did not explain the mechanism employed or HOW to 'enter' via mobile phone or 'wireless'. You just stated WHAT happened.

                        'Via' itself is ambiguous, did it 'jump' from a cellphone to the PC or did it spread from the PC using the cell to connect to the net. A cellphone can double up for a thumb drive, did it spread that way?

                        There are many theoretical possibilities given the resources available to the attackers.

                        Originally posted by snapper View Post
                        BUT I looked into this 'flame' virus and it seems it has done some damage - mostly to oil related systems in the Middle East. It was also spread or gained entry via windows as you correctly say in what appeared as an update for users; Flame virus spread through rogue Microsoft security certificates | Microsoft - CNET News
                        So one of the vectors Flame uses is targeting those using remote desktop to get into work. This follows from my penultimate post.

                        Flame uses fake certs to enter the RDP server and discover what's on the destination network and presumably reports back the configuration details. The job here was to spy. This hole has just been patched.

                        The Cnet article does explicitly state this so I've had to fill in the gaps.

                        Originally posted by snapper View Post
                        It seems that the computer boffins themselves can't seem to work out what it's done - the damage in real terms is rather small for such sophistication and now it's auto suiciding itself on command in case people find out how far it has got and presumably what it has gained access to. Appears to have limited impact and yet 'weapons grade virus' and the FIRST that has an autodestruct, plus the size...
                        Damage is small because I suspect that isn't its intended purpose.

                        Stuxnet supposedly has an auto self-destruct for Jun 24 this year.

                        Originally posted by snapper View Post
                        Could it not be an 'opener'? What I mean is that having come and observed for a bit as per normal spyware it adjusts matters such a entry point is available in future?
                        When you say 'opener' that implies installing some sort of backdoor in the compromised system to enter at a later date. That would depend on how sophisticated the backdoor was. Whether it was just OS level or deeper, i.e. firmware or even hiding in attached peripherals.

                        An old trick was for the worm to hide in the printer, after everything was re-installed it promptly re-infected them. Thing is this requires a very small worm to pull off and depends on vulnerabilities on the host systems remaining unpatched.

                        If only at the OS level a re-install from scratch will remove it. This depends on Flame's presence being detected. The mentioned auto self-destruct could serve to mask its presence. But SOP would dictate an audit of systems where it was reported to be in the vicinity and that would entail wiping them and starting over.

                        A firmware hack means a re-install won't fix it but that is an altogether different level of expertise requiring very detailed knowledge of the systems in place, unlikely for Flame to have this if its job is to spy but plausible in successive waves in selected sensitive areas.

                        Comment


                        • #27
                          Originally posted by JAD_333 View Post
                          Flame employed a collision attack on MD5 hash functions. We know MD5 was shown to be vulnerable to collision attacks before 2008, and by 2008 it was totally discredited as a means of securely signing files. That would suggest that Flame infected computers were still using the old certificate protocol.

                          I don't understand these things well, but it seems to me that either Flame's spread predates 2008 or, if later, its maker anticipated that the intended targets were still using older computers.
                          XP dates back to 2002. Not all systems may have the latest patches.

                          In the cnet article, there is a link to a M$ advisory. The Terminal server fix applies to systems from XP & newer.

                          Originally posted by JAD_333 View Post
                          Is it valid to ask who would use older equipment? The Iranians? Surely not the Israelis.
                          Certainly, XP can do a lot. It's the base configuration for a lot of software.

                          Comment


                          • #28
                            Originally posted by Double Edge View Post
                            You did not explain the mechanism employed or HOW to 'enter' via mobile phone or 'wireless'. You just stated WHAT happened.
                            I am aware of that. I do not care to post do-it-yourself guides on stuff that might one day hurt me you strange person you!

                            Originally posted by Double Edge View Post
                            Damage is small because I suspect that isn't its intended purpose.
                            I agree.

                            Originally posted by Double Edge View Post
                            This depends on Flame's presence being detected.
                            Exactly! But if, as you say, Flame has self destruct for Jun 24 this year A. why are some destructing earlier? and B. then only the original entry point needs securing. But that of course would be wrong if it's a gateway. Fact is that it's going to take some time to work out what Flame does and by then we shall almost certainly see another attack.

                            Comment


                            • #29
                              MS automatically updated my computer on 6/3 per the advisory you linked.
                              To be Truly ignorant, Man requires an Education - Plato

                              Comment


                              • #30
                                Originally posted by snapper View Post
                                I am aware of that. I do not care to post do-it-yourself guides on stuff that might one day hurt me you strange person you!
                                lol, I have not posted any do-it-yourself guide.

                                The way to ensure you don't get hurt is to understand how these things propagate in the first place. What these worms are using to propagate isn't new, the modes they employ to spread are well known. The new thing here and every time some worm is discovered is the holes they exploit to spread.

                                Block the modes of infection and you are pretty much immune. Easy when it's just the individual, much harder when there is a network.

                                Your post was too general to be of any use. It did not help in understanding how this thing could have worked which is crucial in separating hype from plausible fact and there is loads of hype in these stories.

                                This is also why I linked to technical sources earlier. They're not spilling any secrets either, they're telling those interested how to defend themselves. This thing has spread to more countries than just Iran. M$ looks bad because their systems have been compromised which has larger implications beyond Iran. So they're scrambling to fix any holes ASAP before they become public. Notice how M$ already had a fix when your cnet article broke the news.

                                To have released that info before m$ had a fix would be spilling secrets.

                                Originally posted by snapper View Post
                                Exactly! But if, as you say, Flame has self destruct for Jun 24 this year A. why are some destructing earlier? and B. then only the original entry point needs securing. But that of course would be wrong if it's a gateway. Fact is that it's going to take some time to work out what Flame does and by then we shall almost certainly see another attack.
                                Stuxnet has self-destruct for this year.

                                A. we don't know which are self-destructing (all or some) just that Symantec noticed it in their lab. It makes this thing harder to diagnose as you cannot study it in the wild anymore.
                                B. Securing entry points will do little. If it has spread then the race is on to contain it.

                                You see the effect this creates, isn't it? You have to contain it somehow and that gums up work and makes it slower. Introduced FUD & confusion. The second order effects to me are the main effect rather than any purported damage these worms may or may not cause.

                                Comment
