A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14031  by EP_X0FF
 Sat Jun 16, 2012 6:27 pm
rkhunter wrote:
EP_X0FF wrote:He is right.
:? Right in what?...
Some large incidents are out of view of researchers; there is exclusive collaboration between large companies, as we saw in the case of Flame. Moreover, they keep info about the threat in order to organize a larger PR campaign. Any arguments in their defense?
He is right on this point.
Our industry has turned into a gathering of retweeting chatterboxes who are unable to add two and two in their heads and unable to analyze code.
Not talking about marketing etc. I don't read this, and this hype about "super cyber weapon" and "the end of the world" is of no interest to me.
 #14032  by EP_X0FF
 Sat Jun 16, 2012 6:43 pm
Mr.Bojangles wrote:It takes people with no RE or engineering skills literally minutes to bypass KIS and NIS 2012 engines and their HIPS using nothing but MSIL and an exploit kit..

I'm sure that guy is very intelligent though
Somehow related to the topic, like the weather in Zimbabwe today.
Mr.Bojangles wrote:Also Flamer could be mitigated and detected using fully documented usermode code, and AV engineers have had samples for years and didn't know what they were..
This is not completely true. Detected - yes, removed - yes, having samples for years and not knowing what they have? No. Flame is a complex toolkit with a very low number of special targets. Without having the most important pieces it is hard to understand what you are dealing with. As for the known component, it was detected and described about a few years ago; see Trojan:Win32/Tosy.A

If you travel to Iran these days with a squad of virus analysts and complete access to all the computers of interest, I'm pretty sure you will find more various spyware.
 #14039  by rkhunter
 Sun Jun 17, 2012 7:10 am
rkhunter wrote: Decrypted/unpacked [with resource section]:

MD5: 2f4e30a497ae6183aabfe8ba23068c1b
SHA1: 1df6ae2a5594ab29a6e60b6d9296128b1f9fd980
File size: 1603072 bytes
A few days playing with the dropper that calls export ordinals 15 & 16, but without result; it won't infect my VM :(
 #14041  by rkhunter
 Sun Jun 17, 2012 11:39 am
Mr.Bojangles wrote: He's a lead researcher/developer for one of two of the mentioned products.
Hardly...
He's a malware researcher/analyst; as we know, the company specializes in incident response, and he's an analyst in this group. Moreover, Kaspersky has a lot of developers, PMs and AV guys... this is the opinion of only one guy. Other guys and managers are responsible for the products.

But I really didn't like how he spoke about independent researchers; bad, very bad... :(
 #14048  by kareldjag/michk
 Sun Jun 17, 2012 6:31 pm
I doubt that we can blame AV companies or the security industry.
There is no defense against targeted attacks. All systems have already been compromised, from US military IT to the French gvt, in some cases in a trivial way, by a simple PDF.
Of course there is no need to be an expert in RE to defeat any AV, as I've shown with a real Man in the Middle and autorun attack vs KAV 6
http://kavtest.over-blog.com/article-3591077.html
But it seems that the NSA itself agrees that RE guys are needed http://www.reuters.com/article/2012/05/ ... 2T20120522
Even if it is looking for offensive cyber soldiers
https://www.nsa.gov/psc/applyonline/EMP ... 0&SiteId=1&
AVs are security for the masses, to prevent/detect script kiddies' mail attachments...
The exploitation of Flame by Kaspersky is quite excessive ( http://www.infosecisland.com/blogview/2 ... lysis.html ), but Dr.Web, the Russian gvt AV, would not have done miracles either.
If we consider the attack scheme, the white list/certified file and the K-ary malware typology ( https://docs.google.com/file/d/0B5j6gkO ... l=en&pli=1 ), the first and last responsibility goes to the human factor/system administrators/Iran gvt.
rgds
 #14111  by sadloud
 Wed Jun 20, 2012 7:09 am
Has anybody extracted the Lua scripts?
Specifically the files mentioned in the CrySyS technical report:
ATTACKOP_FLAME.luac
ATTACKOP_FLAME_PRODS.luac
ATTACKOP_FLAME_STARTLEAK.luac
ATTACKOP_FLASK.luac
ATTACKOP_FLASK_PRODS.luac
ATTACKOP_JIMMY.luac
ATTACKOP_JIMMY_PRODS.luac
ATTACKOP_MOVEFILE.luac
ATTACKOP_RUNDLL.luac
CRUISE_CRED.luac
IMMED_ATTACK_ACTION.luac
MUNCH_ATTACKED_ACTION.luac
MUNCH_SHOULD_ATTACK.luac
NETVIEW_HANDLER.luac
NETVIEW_SPOTTER.luac
REG_SAFETY.luac
RESCH_EXEC.luac
SECLOG_HANDLER.luac
SECLOG_SPOTTER.luac
SNACK_BROWSER_HANDLER.luac
SNACK_ENTITY_ACTION.luac
SNACK_NBNS_HANDLER.luac
STD.luac
SUCCESS_FLAME.luac
SUCCESS_FLAME_STARTLEAK.luac
SUCCESS_GET_PRODS.luac
TRANSPORT_NUSYSTEM.luac
TRANSPORT_NU_DUSER.luac
USERPASS_CRED.luac
WMI_EXEC.luac
WMI_SAFETY.luac
attackop_base_prods.luac
attackop_base_sendfile.luac
basic_info_app.luac
casafety.luac
clan_entities.luac
clan_seclog.luac
euphoria_app.luac
event_writer.luac
fio.luac
flame_props.luac
get_cmd_app.luac
inline_script.luac (possibly multiple)
json.luac
leak_app.luac
libclanattack.luac
libclandb.luac
libcommon.luac
libdb.luac
libflamebackdoor.luac
liblog.luac
libmmio.luac
libmmstr.luac
libnetutils.luac
libplugins.luac
libwmi.luac
main_app.luac
payload_logger.luac
post_cmd_app.luac
rts_common.luac
storage_manager.luac
table_ext.luac
transport_nu_base.luac
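Added example, not code from the thread and not Flame's own code: a small Python triage helper for the two analyst tasks discussed above, checking a candidate sample against the MD5/SHA1/size quoted in rkhunter's post, and checking whether an extracted file such as the `.luac` names listed by sadloud actually carries a compiled-Lua (luac) header and which Lua version byte it claims. The expected hash and size constants are the ones quoted in the thread; the luac header layout (`ESC L u a` followed by a version byte, e.g. 0x51 for Lua 5.1) is the standard one from the reference Lua implementation; the sample bytes in the block are constructed, and nothing here assumes which Lua version Flame used.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Values quoted in the thread for the decrypted/unpacked sample
# (rkhunter's post); used as the default expectation.
EXPECTED_MD5 = "2f4e30a497ae6183aabfe8ba23068c1b"
EXPECTED_SHA1 = "1df6ae2a5594ab29a6e60b6d9296128b1f9fd980"
EXPECTED_SIZE = 1603072

# Standard precompiled-Lua chunk magic: ESC 'L' 'u' 'a', then one version
# byte encoded as major*16 + minor (0x51 = Lua 5.1, 0x52 = 5.2, ...).
LUAC_MAGIC = b"\x1bLua"

# Constructed sample: a Lua 5.1 chunk header (version 0x51, format 0,
# little-endian, int=4, size_t=4, Instruction=4, lua_Number=8, non-integral).
CONSTRUCTED_LUAC_HEADER = b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"


@dataclass
class Triage:
    size: int
    md5: str
    sha1: str
    size_ok: bool
    md5_ok: bool
    sha1_ok: bool
    is_luac: bool
    lua_version: Optional[str]


def hash_blob(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests of the blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def luac_version(data: bytes) -> Optional[str]:
    """Return 'major.minor' if the blob starts with a luac header, else None."""
    if len(data) < len(LUAC_MAGIC) + 1 or not data.startswith(LUAC_MAGIC):
        return None
    version_byte = data[len(LUAC_MAGIC)]
    return f"{version_byte >> 4}.{version_byte & 0x0F}"


def triage(data: bytes,
           expected_md5: str = EXPECTED_MD5,
           expected_sha1: str = EXPECTED_SHA1,
           expected_size: int = EXPECTED_SIZE) -> Triage:
    """Hash the blob, compare against the expected values and probe for luac."""
    md5, sha1 = hash_blob(data)
    version = luac_version(data)
    return Triage(
        size=len(data),
        md5=md5,
        sha1=sha1,
        size_ok=len(data) == expected_size,
        md5_ok=md5 == expected_md5.lower(),
        sha1_ok=sha1 == expected_sha1.lower(),
        is_luac=version is not None,
        lua_version=version,
    )


def triage_file(path: str, **expected) -> Triage:
    """Convenience wrapper: triage a file on disk (read fully into memory)."""
    with open(path, "rb") as fh:
        return triage(fh.read(), **expected)


if __name__ == "__main__":
    # Demonstration on the constructed header: not the quoted sample, so the
    # hash checks fail while the luac probe succeeds.
    print(triage(CONSTRUCTED_LUAC_HEADER))
```

Usage is `triage_file("sample.bin")` for a candidate of the quoted sample, or `triage_file("libflamebackdoor.luac", expected_size=0)` style calls when the hashes are irrelevant and only the luac probe matters; a `False` in `md5_ok`/`sha1_ok` with `size_ok` true is the usual sign of a sample that was re-packed or had its resource section handled differently than the one quoted.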
 #14798  by _69
 Sat Jul 21, 2012 6:47 pm
Anyone got the 20MB Flame file? Or its hash?
 #14813  by _69
 Sun Jul 22, 2012 12:18 pm
I would like to request the win32.flame/skywiper/flamer virus. Don't know its hash and don't have any report on it.