F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago

from the cat-and-mouse dept

With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining why various security firms totally missed Flame (and Stuxnet and DuQu) for quite some time -- despite samples having been sent all the way back to 2010. What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:

What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.

It's so rare to see someone admit to a mistake -- especially one that seems so big (even if it doesn't really impact most people outside of the Middle East. Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization’s network.

He later concludes: "We were out of our league, in our own game."

Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains. In the end, there's a bit of a cat and mouse game going on here, and no one's going to be able to catch all malware. But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.

Filed Under: antivirus, duqu, flame, malware, mikko hypponen, security, stuxnet
Companies: f-secure

Sony Caught In Yet Another Rootkit Mess?

from the don't-they-know-to-check-for-these-things? dept

Sony is a big company, and various parts and subsidiaries are pretty much totally disconnected from other areas of the company, but given the disastrous PR that Sony had to deal with following the original rootkit debacle (which really was more of a BMG issue than a Sony one) you would think that perhaps someone higher up at Sony corporate would have sent around a memo or something to all the rest of Sony, suggesting that they check around and make sure that none of their products had rootkit-like functionality. Either that didn't happen... or someone didn't get the memo. It appears that a line of USB flash drive sticks that Sony sold have been discovered to install rootkit-like functionality that hides a folder on users' computers. And, of course, just like the original Sony rootkit, this hidden folder is perfect for malware writers to use as hiding places for their malware. While this one probably isn't as big a deal as last time around, let's see if Sony figured out that brushing it off because no one knows what rootkits are isn't exactly the best response to such a discovery. In the meantime, this highlights (once again) how weak many security programs are that they don't automatically look for this type of action in order to prevent it from happening in the first place.

Filed Under: rootkits, security
Companies: f-secure, sony