F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago

from the cat-and-mouse dept

With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining why various security firms totally missed Flame (and Stuxnet and DuQu) for quite some time -- despite samples having been sent all the way back to 2010. What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:
What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.
It's so rare to see someone admit to a mistake -- especially one that seems so big (even if it doesn't really impact most people outside of the Middle East). Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:
The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization’s network.
He later concludes: "We were out of our league, in our own game."

Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains. In the end, there's a bit of a cat and mouse game going on here, and no one's going to be able to catch all malware. But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.


Reader Comments

  • fogbugzd (profile), Jun 4th, 2012 @ 5:01pm

    The first step is probably avoiding the use of inherently insecure operating systems. Granted, no OS is 100% secure, and idiot users or network admins can overcome any security measures built into a system. But I am still amazed that organizations that care at all about security are overwhelmingly Windows based.


    • Anonymous Coward, Jun 4th, 2012 @ 5:05pm

      Re:

      Doesn't do much in this case. Still a nation's budget used to back up a targeted attack. With time, they'll break even a Navajo-based punch card system.


    • Anonymous Coward, Jun 4th, 2012 @ 5:08pm

      Re:

      The certificate system is supposed to make operating systems more secure but it was the very certificate system charged with ensuring our security that enabled this problem to go unnoticed. The false sense of security delivered by the security system is what stifled suspicion here. No one suspected that the security system itself was compromised. What's often worse than poor security is a false sense of security and that's exactly what the certificate system caused here.

      Kinda reminds me of the TSA ;)


      • Anonymous Coward, Jun 4th, 2012 @ 5:10pm

        Re: Re:

        (it was this false sense of security caused by the security system that enabled this vulnerability to go unnoticed for so long).


        • Anonymous Coward, Jun 4th, 2012 @ 5:19pm

          Re: Re: Re:

          security problem *

          Everyone looks at these files and says "oh, they're digitally signed, I have nothing to worry about here, they're not compromised". Everyone simply trusts Microsoft to ensure that there is nothing wrong with these files and so no one ever digs any deeper.

          Had it not been for a false sense of security chances are this would have been noticed a very long time ago because people will be more inclined to dig into their files and ensure they are safe.

          I remember an SHS(?) exploit within the kernel of one of the Windows operating systems a while back (I believe it was a 9x operating system). It enabled unauthorized parties to run executable code on the operating system. Steve Gibson, from www.grc.com, looked at the kernel code and determined that this exploit was intentionally placed (it's in one of his earlier podcasts). Many disagreed with him but who knows


    • Anonymous Coward, Jun 4th, 2012 @ 7:10pm

      Re:

      Indeed, anyone who cares about security should build their system on a customized LiveCD with their data on a SAN.

      Making such servers reboot each day should ensure the servers are clean of most viruses.


    • Anonymous Coward, Jun 5th, 2012 @ 9:00am

      Re:

      Then someone needs to talk to the different software vendors and get them on board with the software running no matter WHAT OS you want to use.

      Or maybe the OS needs to not care which OS the program was written for and just handle it.

      Same goes for .tif/.tiff files. Can someone PLEASE make a software that opens EVERY FREAKING KIND of .tif/.tiff file?

      It's 2012, and we still have compatibility issues. Hell, the fact that it's 2012 and we can't have one software that opens every single kind of file that has been created is a total fail on the IT industry's part.

      /endrant


  • SAG, Jun 4th, 2012 @ 5:06pm

    He's right...

    But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.
    The main problem with the industry as a whole has been its myopic focus on detections rather than time to removal OF said malware; especially when it goes totally undetected.

    Rustock C and Induc A (more mainstream malware) were similar in regards to not being detected for a very long time. With the new TDL trojans and targeted nasties like Stux and Flame, the evidence for traditional approaches failing at all levels is glaringly, painfully obvious.

    Some alternate types of protection that Mikko did not include:

    1. Boot-to-restore (also called Instant System Recovery)
    2. Imaging/backups

    In the first, you have a means to recover immediately to a clean state or simply at the shutdown/restart of the computer which results in less time exposed. In the second, you have a means to simply wipe the system to a known clean image that might be older than the boot-to-restore, but in a pinch will get things back up and running in a clean state.

    This is not perfect as content can operate before the reboot/reimage so you still need to layer it with some form of detection and blocking as Mikko suggests...


    • Anonymous Coward, Jun 4th, 2012 @ 5:16pm

      Re: He's right...

      While your comments are on point for an experienced user, most average Joes I know really don't understand what you wrote.

      I'm happy to say that most people I know understand that they need a modern AV product and a few know what a firewall is for. Only a couple understand what IPS is for.

      What I tell my friends and family to do is run a couple of different AV products (Everyone has their fav AV products so I won't recommend any.) and a decent firewall product.

      I remind most about when to update their Windows OS and others as I know of them. I tell them about updating their other apps (FLASH and the like.).

      Ultimately, most people I know (That are not Geeks too.) need assistance on what security to have and to be told about best practices. Most people get the idea that security is important and that they can be compromised.

      So, telling one of my family to restore is a useless suggestion. They simply don't know what that is or are afraid to screw it up.

      Decent AV saves me a lot of time recovering their systems too. ;)


      • SAG, Jun 5th, 2012 @ 8:34am

        Re: Re: He's right...

        Just as with the struggle to get most to the point where they are aware of the importance of security, there will be a further struggle to get them to recognize and then deploy EFFECTIVE security strategies.

        It has taken over 20 years to get where we are now so there is no indication that it will not take as long to get to the new milestone...


    • Anonymous Coward, Jun 4th, 2012 @ 7:13pm

      Re: He's right...

      I'm not sure... At least one worm that I know of makes use of its knowledge of some leading "reborn" card to write itself to the hidden partition reserved for restoring...
      It caused me much trouble to clean that thing out.


      • SAG, Jun 5th, 2012 @ 8:39am

        Re: Re: He's right...

        One thing to keep in mind and as noted in the article - there ain't no such thing as a silver bullet. To achieve solid security, you are going to have to have a strategy and tools that will provide a specific strength that will cover the weaknesses in your other security tools, but also that the other tools work to cover the same in the specific tool you are considering.

        Security is not a set and forget exercise. You need to evaluate and adapt your strategy to the risks you are likely to face and virtualization is only a part of the overall approach...


  • Anonymous Coward, Jun 4th, 2012 @ 6:26pm

    Sounds like a fruitless game of whack-a-mole. Maybe they should just give up?


    • mikey4001, Jun 5th, 2012 @ 6:52am

      Re:

      Or, maybe they could just devise a more appropriate strategy, based on an updated business model that recognizes that the current landscape is significantly different than what existed when company was founded, thus ensuring greater efficiency, greater success, and an overall healthier prospect for future growth and stability within their market space.

      I swear, sometimes it's like you guys aren't even trying.


      • monkyyy, Jun 5th, 2012 @ 1:42pm

        Re: Re:

        they aren't trying

        i have the best idea in the world for an AV: DON'T LET ANYTHING RUN UNTIL A USER CLICKS OK, then you only have to focus on getting smart users


  • Anonymous Coward, Jun 4th, 2012 @ 7:17pm

    There's also the possibility that US based AV devs have been served with injunctions that carry national security gag orders, forcing them to not identify US backed malware.

    This would not surprise me in the least.


    • Anonymous Coward, Jun 5th, 2012 @ 3:15am

      Re:

      Had the same thoughts


    • SAG, Jun 5th, 2012 @ 8:31am

      Re:

      There's also the possibility that US based AV devs have been served with injunctions that carry national security gag orders, forcing them to not identify US backed malware.

      This would not surprise me in the least.
      No, this would not happen as the Government is not going to confirm that the malware exists or that they had anything to do with it while it is still going undetected; you get to the same place...

      Even with Stuxnet and Flame they said nothing until it became somewhat effective to say something to further a different agenda. Also note that there are probably more nasties in the closet ready to deploy as soon as the current tools begin to fail; whether through wide adoption of OS fixes to close the exploits the malware was using or general detection at both the first and second tier levels for the AVs/AMs.


  • Ninja (profile), Jun 6th, 2012 @ 4:07am

    So old and so up to date:

    http://www.ranum.com/security/computer_security/editorials/dumb/

    The problem would be nearly solved with a default deny strategy. Want to execute anything new in your machine? Check its behavior beforehand.

    Anti-virus software should just include some way of whitelisting software and if you don't really trust what you are running you just send them for analysis. Charge a monthly fee (or a one-time fee) for the analysis if you are the first to send the software. If the hash is already registered then just give the green light.

    Obviously this might present some limitations but it's food for thought.

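The default-deny, hash-registry scheme sketched in the comment above, worked through as an added example (this is not the commenter's code, nor F-Secure's or any product's API; the class and method names, the `Verdict` values and the sample byte strings are all constructed for illustration). An executable is identified by its SHA-256 digest; a digest on the allowlist runs, a digest already rejected by analysis is refused, and anything never seen before is blocked and queued for analysis until a verdict is recorded. The tampered-copy case shows why the identity is the content hash rather than the file name: a one-byte change yields a different digest, so a modified copy of an approved tool does not inherit its approval.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    """Outcome of an execution request under the default-deny policy."""
    ALLOW = "allow"                      # digest is on the allowlist
    DENY_KNOWN_BAD = "deny-known-bad"    # analysis already rejected this digest
    DENY_PENDING = "deny-pending"        # first sighting: blocked, queued for analysis


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable (name is irrelevant)."""
    return hashlib.sha256(data).hexdigest()


class DefaultDenyPolicy:
    """Hypothetical default-deny execution policy keyed on SHA-256 digests."""

    def __init__(self) -> None:
        self.allowlist: set[str] = set()
        self.denylist: set[str] = set()
        self.pending: dict[str, bytes] = {}   # digest -> sample awaiting analysis

    def register_trusted(self, data: bytes) -> str:
        """Pre-approve a known-good executable; returns its digest."""
        digest = sha256_hex(data)
        self.allowlist.add(digest)
        return digest

    def check(self, data: bytes) -> Verdict:
        """Decide whether the given executable bytes may run right now."""
        digest = sha256_hex(data)
        if digest in self.allowlist:
            return Verdict.ALLOW
        if digest in self.denylist:
            return Verdict.DENY_KNOWN_BAD
        # Never seen: keep one copy for analysis and refuse execution meanwhile.
        self.pending.setdefault(digest, data)
        return Verdict.DENY_PENDING

    def record_analysis(self, digest: str, is_clean: bool) -> None:
        """Apply an analysis verdict: move the digest out of the queue."""
        self.pending.pop(digest, None)
        (self.allowlist if is_clean else self.denylist).add(digest)


def demo() -> dict:
    """Walk the three cases with constructed samples; returns the verdicts."""
    policy = DefaultDenyPolicy()
    # Constructed stand-ins for executables; no real binaries are involved.
    trusted = b"MZ-constructed-approved-admin-tool"
    tampered = trusted + b"\x90"          # same "name", one extra byte
    newcomer = b"MZ-constructed-never-seen-program"
    policy.register_trusted(trusted)

    results = {
        "trusted": policy.check(trusted),
        "tampered_first": policy.check(tampered),
        "newcomer_first": policy.check(newcomer),
        "queued_after_first_pass": len(policy.pending),
    }
    # Analysis completes: the newcomer is judged clean, the tampered copy is not.
    policy.record_analysis(sha256_hex(newcomer), is_clean=True)
    policy.record_analysis(sha256_hex(tampered), is_clean=False)
    results["newcomer_after"] = policy.check(newcomer)
    results["tampered_after"] = policy.check(tampered)
    results["queued_after_analysis"] = len(policy.pending)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The policy object here only answers the question "may this content run?"; hooking it into actual process creation is the part a real product would have to do, and the analysis step is represented only by the `record_analysis` call that a human or sandbox verdict would drive.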
