Printable View
http://www.securelist.com/en/blog/20...ns_and_AnswersQuote:
First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze.
Why big size makes harder detect?
The size doesn't make it hard to detect it is hard to "analyze" because it has lots of modules included, which inturn means it's complex and has more code to analyse/sift through, rather than more efficiently written smaller compact programs.
That's not what it says. It says it makes it harder to analyze, meaning find out what the virus is doing. Because it is so big it takes a lot of time to check all the code and see what it does.Quote:
Originally Posted by abalfazl
Edit:
^^ what he said ;)
Do you agree with that?Quote:
Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?
The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.
http://www.mcafee.com/us/about/skywiper.aspx
I don't understand it. What is windows APC and its relationship to code injection? What about Winlogon.exe and injecting to explorer.exe ?Quote:
Employing complex internal functionality using Windows APC calls and and threads start manipulation, and code injections to key processes Loading as part of Winlogon.exe and then injecting itself into explorer.exe and services
Does it mean it holds attack modules in database?Quote:
Using custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
Thanks in advance!
Does it mean attackers spread of virus one by one?How attackers choose the next computer in order to attack?How they can understand this right choice? How can they limit?Quote:
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability and spreads only when instructed to do so by the attackers.
What does "signature files" mean here?Quote:
They test
them against all popular antivirus engines to make sure they cannot be detected by signature files
or any other protection systems (behavioral and heuristic scanning, etc.)
May someone answer my questions please?
In this case, I would assume that it is a file with a hash code created to verify the legitimility of a document.Quote:
Originally Posted by abalfazl
I would say it's about tell tale files here; when a file with a certain name is found somewhere the virus scanner knows there's a virus.Quote:
Originally Posted by abalfazl
A signature file is used by an anti-virus checker. The file contains strings of code that are uniquely associated with known viruses.
Thank you very much! May you answer other questions?
No. I am not familiar with the Flame virus, so I cannot answer other questions.Quote:
Originally Posted by abalfazl