F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago
from the cat-and-mouse dept
With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining why various security firms totally missed Flame (and Stuxnet and DuQu) for quite some time -- despite samples having been sent all the way back to 2010. What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:

What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.

It's so rare to see someone admit to a mistake -- especially one that seems so big (even if it doesn't really impact most people outside of the Middle East). Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:
The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

He later concludes: "We were out of our league, in our own game."
Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization’s network.
Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains. In the end, there's a bit of a cat and mouse game going on here, and no one's going to be able to catch all malware. But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.
Filed Under: antivirus, duqu, flame, malware, mikko hypponen, security, stuxnet
Companies: f-secure
Reader Comments
Re:
Kinda reminds me of the TSA ;)
Re: Re: Re:
Everyone looks at these files and says "oh, they're digitally signed, I have nothing to worry about here, they're not compromised". Everyone simply trusts Microsoft to ensure that there is nothing wrong with these files and so no one ever digs any deeper.
Had it not been for a false sense of security, chances are this would have been noticed a very long time ago, because people would be more inclined to dig into their files and ensure they are safe.
I remember an SHS(?) exploit within the kernel of one of the Windows operating systems a while back (I believe it was a 9x operating system). It enabled unauthorized parties to run executable code on the operating system. Steve Gibson, from www.grc.com, looked at the kernel code and determined that this exploit was intentionally placed (it's in one of his earlier podcasts). Many disagreed with him, but who knows.
Re:
Making such servers reboot each day should ensure the servers are clean of most viruses.
Re:
Or maybe the OS needs to not care which OS the program was written for and just handle it.
Same goes for .tif/.tiff files. Can someone PLEASE make a software that opens EVERY FREAKING KIND of .tif/.tiff file?
It's 2012, and we still have compatibility issues. Hell, the fact that it's 2012 and we can't have one software that opens every single kind of file that has been created is a total fail on the IT industry's part.
/endrant
He's right...
Rustock C and Induc A (more mainstream malware) were similar in regards to not being detected for a very long time. With the new TDL trojans and targeted nasties like Stux and Flame, the evidence for traditional approaches failing at all levels is glaringly, painfully obvious.
Some alternate types of protection that Mikko did not include:
1. Boot-to-restore (also called Instant System Recovery)
2. Imaging/backups
In the first, you have a means to recover immediately to a clean state or simply at the shutdown/restart of the computer which results in less time exposed. In the second, you have a means to simply wipe the system to a known clean image that might be older than the boot-to-restore, but in a pinch will get things back up and running in a clean state.
This is not perfect as content can operate before the reboot/reimage so you still need to layer it with some form of detection and blocking as Mikko suggests...
Re: He's right...
I'm happy to say that most people I know understand that they need a modern AV product and a few know what a firewall is for. Only a couple understand what IPS is for.
What I tell my friends and family to do is run a couple of different AV products (everyone has their fav AV products, so I won't recommend any) and a decent firewall product.
I remind most about when to update their Windows OS and others as I know of them. I tell them about updating their other apps (FLASH and the like.).
Ultimately, most people I know (That are not Geeks too.) need assistance on what security to have and to be told about best practices. Most people get the idea that security is important and that they can be compromised.
So, telling one of my family to restore is a useless suggestion. They simply don't know what that is or are afraid to screw it up.
Decent AV saves me a lot of time recovering their systems too. ;)
Re: Re: He's right...
It has taken over 20 years to get where we are now so there is no indication that it will not take as long to get to the new milestone...
Re: He's right...
It'd caused much trouble for me to clean that thing out.
Re: Re: He's right...
Security is not a set and forget exercise. You need to evaluate and adapt your strategy to the risks you are likely to face, and virtualization is only a part of the overall approach...
Re:
I swear, sometimes it's like you guys aren't even trying.
Re: Re:
I have the best idea in the world for an AV: DON'T LET ANYTHING RUN UNTIL A USER CLICKS OK. Then you only have to focus on getting smart users.
This would not surprise me in the least.
Re:
Even with Stuxnet and Flame they said nothing until it became somewhat effective to say something to further a different agenda. Also note that there are probably more nasties in the closet ready to deploy as soon as the current tools begin to fail, whether through wide adoption of OS fixes to close the exploits the malware was using or general detection at both the first and second tier levels for the AVs/AMs.
http://www.ranum.com/security/computer_security/editorials/dumb/
The problem would be nearly solved with a default deny strategy. Want to execute anything new in your machine? Check its behavior beforehand.
Anti-virus software should just include some way of whitelisting software and if you don't really trust what you are running you just send them for analysis. Charge a monthly fee (or a one-time fee) for the analysis if you are the first to send the software. If the hash is already registered then just give the green light.
Obviously this might present some limitations but it's food for thought.
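A sketch of the default-deny, hash-registry scheme this comment (and the "don't let anything run until a user clicks OK" suggestion earlier in the thread) describes, added here as an example and not taken from the post, from F-Secure or from any product: unknown files are denied and submitted for analysis once, and only a recorded verdict moves the hash into the known-good or known-bad registry. SHA-256 as the fingerprint, the in-memory registries and the sample byte strings are assumptions of the example.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"            # hash registered as known-good
    BLOCK = "block"            # hash registered as known-bad
    DENY_PENDING = "pending"   # unknown: denied by default, submitted for analysis

@dataclass
class DefaultDenyPolicy:
    """Default-deny execution policy keyed on the SHA-256 of the file contents (assumed)."""
    known_good: set = field(default_factory=set)
    known_bad: set = field(default_factory=set)
    analysis_queue: list = field(default_factory=list)  # hashes awaiting a verdict

    @staticmethod
    def fingerprint(contents: bytes) -> str:
        return hashlib.sha256(contents).hexdigest()

    def check(self, contents: bytes) -> Verdict:
        h = self.fingerprint(contents)
        if h in self.known_bad:
            return Verdict.BLOCK
        if h in self.known_good:
            return Verdict.ALLOW
        # Anything unregistered does not run. The hash is submitted once;
        # a repeat request for the same file reuses the pending submission.
        if h not in self.analysis_queue:
            self.analysis_queue.append(h)
        return Verdict.DENY_PENDING

    def record_verdict(self, h: str, malicious: bool) -> None:
        """Apply an analysis result so later checks of that hash are immediate."""
        if h in self.analysis_queue:
            self.analysis_queue.remove(h)
        (self.known_bad if malicious else self.known_good).add(h)

# Constructed sample "programs" standing in for real executables.
TRUSTED_TOOL = b"constructed bytes of a program the user already vetted"
NEW_DOWNLOAD = b"constructed bytes of a program never seen before"

def demo() -> list:
    policy = DefaultDenyPolicy(known_good={DefaultDenyPolicy.fingerprint(TRUSTED_TOOL)})
    first = policy.check(NEW_DOWNLOAD)   # denied and queued
    again = policy.check(NEW_DOWNLOAD)   # still denied, not queued twice
    policy.record_verdict(policy.fingerprint(NEW_DOWNLOAD), malicious=False)
    after = policy.check(NEW_DOWNLOAD)   # now allowed without re-submission
    return [policy.check(TRUSTED_TOOL), first, again, after, len(policy.analysis_queue)]
```

Note that a hash registry only says whether a given byte string has been seen before; it says nothing about what the program does, which is why the comment still sends unknowns off for analysis rather than trusting them.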