There were a couple of interesting stories in ComputerWorld last week from the cyber guerrilla war front. According to this story, whoever is controlling the Flame virus has ordered it to self-destruct and erase all traces of itself to impede the forensic analysis of its code. ComputerWorld quotes the Symantec's security response team’s blog as saying a self-immolation or "suicide" module "locates every [Flame] file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection. …This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind."
It is obvious that the Flame authors are worried about not only possibly being found out (although the betting is that the virus is the work of the US and Israel) or that effective countermeasures to it will be found, but also that it might "escape into the wild" like Stuxnet did and become re-purposed. Of course, copies of Flame are in the hands of numerous IT security companies, researchers and national security organizations among others, so it is more than likely that it is only a matter of time before a new 'improved" version of Flame appears.
Speaking of the as yet unidentified authors of Flame, another story at ComputerWorld reports that Marc Stevens, a research cryptanalyst at Centrum Wiskunde & Informatica (CWI) in Amsterdam states that whoever created and distributed the virus needed access to world-class cryptanalysts. The reason behind that belief is that Flame's authors were able "to generate a rogue Microsoft digital code-signing certificate that allowed them to distribute the malware to Windows computers as an update from Microsoft." They accomplished this, ComputerWorld says, by using a previously unknown cryptographic collision attack on the MD5 encryption algorithm (Stevens and company demonstrated one method in 2008) which Microsoft security engineers explain in a blog post here.
The ComputerWorld story notes that, "Interestingly, the attack would have failed a long time ago if Microsoft had been more diligent." The reason is that back in 2008, the weakness in MD5 was so well known that Microsoft issued a security advisory recommending "that administrators and certificate authorities cease using MD5 as an algorithm to sign digital certificates because of collision attacks. However, the company failed to disable the use of MD5 in parts of its own operating system, which is what Flame exploited."
Microsoft urgently released a patch and took other actions to close the Flame (or flaming) security hole early last week.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.