F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago

from the cat-and-mouse dept

With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining why various security firms totally missed Flame (and Stuxnet and Duqu) for quite some time -- despite samples having been sent all the way back to 2010. What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:
What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.
It's so rare to see someone admit to a mistake -- especially one that seems so big (even if it doesn't really impact most people outside of the Middle East). Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:
The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization’s network.
He later concludes: "We were out of our league, in our own game."

Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains. In the end, there's a bit of a cat and mouse game going on here, and no one's going to be able to catch all malware. But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.

Filed Under: antivirus, duqu, flame, malware, mikko hypponen, security, stuxnet
Companies: f-secure


Reader Comments

  • fogbugzd (profile), 4 Jun 2012 @ 5:01pm

    The first step is probably avoiding the use of inherently insecure operating systems. Granted, no OS is 100% secure, and idiot users or network admins can overcome any security measures built into a system. But I am still amazed that organizations that care at all about security are overwhelmingly Windows based.

    • Anonymous Coward, 4 Jun 2012 @ 5:05pm

      Re:

      Doesn't do much in this case. It's still a national budget used to back up a targeted attack. With time, they'll break even a Navajo-based punch card system.

    • Anonymous Coward, 4 Jun 2012 @ 5:08pm

      Re:

      The certificate system is supposed to make operating systems more secure but it was the very certificate system charged with ensuring our security that enabled this problem to go unnoticed. The false sense of security delivered by the security system is what stifled suspicion here. No one suspected that the security system itself was compromised. What's often worse than poor security is a false sense of security and that's exactly what the certificate system caused here.

      Kinda reminds me of the TSA ;)

      • Anonymous Coward, 4 Jun 2012 @ 5:10pm

        Re: Re:

        (it was this false sense of security caused by the security system that enabled this vulnerability to go unnoticed for so long).

        • Anonymous Coward, 4 Jun 2012 @ 5:19pm

          Re: Re: Re:

          security problem *

          Everyone looks at these files and says "oh, they're digitally signed, I have nothing to worry about here, they're not compromised". Everyone simply trusts Microsoft to ensure that there is nothing wrong with these files and so no one ever digs any deeper.

          Had it not been for a false sense of security chances are this would have been noticed a very long time ago because people will be more inclined to dig into their files and ensure they are safe.

          I remember an SHS(?) exploit within the kernel of one of the Windows operating systems a while back (I believe it was a 9x operating system). It enabled unauthorized parties to run executable code on the operating system. Steve Gibson, from www.grc.com, looked at the kernel code and determined that this exploit was intentionally placed (it's in one of his earlier podcasts). Many disagreed with him, but who knows.

    • Anonymous Coward, 4 Jun 2012 @ 7:10pm

      Re:

      Indeed, anyone who cares about security should build their system on a customized LiveCD with their data on a SAN.

      Making such a server reboot each day should ensure the servers are clean of most viruses.

    • Anonymous Coward, 5 Jun 2012 @ 9:00am

      Re:

      Then someone needs to talk to the different software vendors and get them on board with the software running no matter WHAT OS you want to use.

      Or maybe the OS needs to not care which OS the program was written for and just handle it.

      Same goes for .tif/.tiff files. Can someone PLEASE make a software that opens EVERY FREAKING KIND of .tif/.tiff file?

      It's 2012, and we still have compatibility issues. Hell, the fact that it's 2012 and we can't have one software that opens every single kind of file that has been created is a total fail on the IT industry's part.

      /endrant

  • SAG, 4 Jun 2012 @ 5:06pm

    He's right...

    But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.

    The main problem with the industry as a whole has been its myopic focus on detections rather than time to removal OF said malware; especially when it goes totally undetected.

    Rustock C and Induc A (more mainstream malware) were similar in regards to not being detected for a very long time. With the new TDL trojans and targeted nasties like Stux and Flame, the evidence for traditional approaches failing at all levels is glaringly, painfully obvious.

    Some alternate types of protection that Mikko did not include:

    1. Boot-to-restore (also called Instant System Recovery)
    2. Imaging/backups

    In the first, you have a means to recover immediately to a clean state or simply at the shutdown/restart of the computer which results in less time exposed. In the second, you have a means to simply wipe the system to a known clean image that might be older than the boot-to-restore, but in a pinch will get things back up and running in a clean state.

    This is not perfect as content can operate before the reboot/reimage so you still need to layer it with some form of detection and blocking as Mikko suggests...

    • Anonymous Coward, 4 Jun 2012 @ 5:16pm

      Re: He's right...

      While your comments are on point for an experienced user, most average Joes I know really don't understand what you wrote.

      I'm happy to say that most people I know understand that they need a modern AV product and a few know what a firewall is for. Only a couple understand what IPS is for.

      What I tell my friends and family to do is run a couple of different AV products (everyone has their fav AV products, so I won't recommend any) and a decent firewall product.

      I remind most about when to update their Windows OS and others as I know of them. I tell them about updating their other apps (FLASH and the like.).

      Ultimately, most people I know (That are not Geeks too.) need assistance on what security to have and to be told about best practices. Most people get the idea that security is important and that they can be compromised.

      So, telling one of my family to restore is a useless suggestion. They simply don't know what that is or are afraid to screw it up.

      Decent AV saves me a lot of time recovering their systems too. ;)

      • SAG, 5 Jun 2012 @ 8:34am

        Re: Re: He's right...

        Just as with the struggle to get most to the point where they are aware of the importance of security, there will be a further struggle to get them to recognize and then deploy EFFECTIVE security strategies.

        It has taken over 20 years to get where we are now so there is no indication that it will not take as long to get to the new milestone...

    • Anonymous Coward, 4 Jun 2012 @ 7:13pm

      Re: He's right...

      I'm not sure... At least one worm that I know of makes use of its knowledge of some leading "reborn" card to write itself to the hidden partition reserved for restoring...
      It caused much trouble for me to clean that thing out.

      • SAG, 5 Jun 2012 @ 8:39am

        Re: Re: He's right...

        One thing to keep in mind and as noted in the article - there ain't no such thing as a silver bullet. To achieve solid security, you are going to have to have a strategy and tools that will provide a specific strength that will cover the weaknesses in your other security tools, but also that the other tools work to cover the same in the specific tool you are considering.

        Security is not a set and forget exercise. You need to evaluate and adapt your strategy to the risks you are likely to face, and virtualization is only a part of the overall approach...

  • Anonymous Coward, 4 Jun 2012 @ 6:26pm

    Sounds like a fruitless game of whack-a-mole. Maybe they should just give up?

    • mikey4001, 5 Jun 2012 @ 6:52am

      Re:

      Or, maybe they could just devise a more appropriate strategy, based on an updated business model that recognizes that the current landscape is significantly different than what existed when the company was founded, thus ensuring greater efficiency, greater success, and an overall healthier prospect for future growth and stability within their market space.

      I swear, sometimes it's like you guys aren't even trying.

      • monkyyy, 5 Jun 2012 @ 1:42pm

        Re: Re:

        They aren't trying.

        I have the best idea in the world for an AV: DON'T LET ANYTHING RUN UNTIL A USER CLICKS OK. Then you only have to focus on getting smart users.

  • Anonymous Coward, 4 Jun 2012 @ 7:17pm

    There's also the possibility that US based AV devs have been served with injunctions that carry national security gag orders, forcing them to not identify US backed malware.

    This would not surprise me in the least.

    • Anonymous Coward, 5 Jun 2012 @ 3:15am

      Re:

      Had the same thoughts.

    • SAG, 5 Jun 2012 @ 8:31am

      Re:

      There's also the possibility that US based AV devs have been served with injunctions that carry national security gag orders, forcing them to not identify US backed malware.

      This would not surprise me in the least.

      No, this would not happen, as the Government is not going to confirm that the malware exists or that they had anything to do with it while it is still going undetected; you get to the same place...

      Even with Stuxnet and Flame they said nothing until it became somewhat effective to say something to further a different agenda. Also note that there are probably more nasties in the closet ready to deploy as soon as the current tools begin to fail; whether through wide adoption of OS fixes to close the exploits the malware was using or general detection at both the first and second tier levels for the AVs/AMs.

  • Ninja (profile), 6 Jun 2012 @ 4:07am

    So old and so up to date:

    http://www.ranum.com/security/computer_security/editorials/dumb/

    The problem would be nearly solved with a default deny strategy. Want to execute anything new on your machine? Check its behavior beforehand.

    Anti-virus software should just include some way of whitelisting software, and if you don't really trust what you are running, you just send it for analysis. Charge a monthly fee (or a one-time fee) for the analysis if you are the first to send the software. If the hash is already registered, then just give the green light.

    Obviously this might present some limitations but it's food for thought.

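Ninja's default-deny idea above (an unknown hash goes off for analysis, a hash already registered as clean gets the green light), sketched as an added Python example; this is not Techdirt's, F-Secure's or any commenter's code, and the verdict registry and analysis service are hypothetical stand-ins for whatever backend an AV vendor would run.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"        # analysed and found clean
    BLOCK = "block"        # analysed and found malicious
    PENDING = "pending"    # submitted, no verdict yet: still denied


class ExecutionGate:
    """Default-deny gate keyed on the SHA-256 of the file contents (hypothetical
    stand-in for a vendor's allowlist service). Unknown binaries are denied and
    queued for analysis; only a hash with an ALLOW verdict may run."""

    def __init__(self, known=None):
        self.registry = dict(known or {})   # hash -> Verdict
        self.submissions = []               # hashes sent for analysis, in order

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def check(self, data: bytes) -> Verdict:
        h = self.digest(data)
        verdict = self.registry.get(h)
        if verdict is None:
            # First sighting: submit once, record it as pending, deny.
            self.registry[h] = Verdict.PENDING
            self.submissions.append(h)
            return Verdict.PENDING
        return verdict   # PENDING stays denied until an analyst says otherwise

    def record_verdict(self, h: str, verdict: Verdict) -> None:
        """Result from the (hypothetical) analysis service for a submitted hash."""
        if h not in self.registry:
            raise KeyError("verdict for a hash that was never submitted")
        self.registry[h] = verdict


# Constructed sample "binaries": byte strings standing in for executables.
CLEAN = b"MZ clean-tool-v1"
TAMPERED = b"MZ clean-tool-v1 "   # one byte appended: a different program


def demo():
    gate = ExecutionGate()
    first = gate.check(CLEAN)                     # unknown -> PENDING (denied)
    gate.record_verdict(gate.digest(CLEAN), Verdict.ALLOW)
    second = gate.check(CLEAN)                    # registered clean -> ALLOW
    third = gate.check(TAMPERED)                  # near-identical bytes -> denied
    return first, second, third
```

The point the comment makes in passing is the one the code enforces: identity is the content hash, so a file that merely shares a name, or carries a signature, with a registered program gets no credit until its own hash has a verdict.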