F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago

from the cat-and-mouse dept

With all the attention on the Flame malware, there’s a great post over at Wired by F-Secure’s Chief Research Officer, Mikko Hypponen, explaining why various security firms totally missed Flame (and Stuxnet and DuQu) for quite some time — despite samples having been sent all the way back to 2010. What’s refreshing (even as it’s surprising) is to see someone so forthright about this being a failure on his part:

What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.

It’s so rare to see someone admit to a mistake — especially one that seems so big (even if it doesn’t really impact most people outside of the Middle East). Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization’s network.

He later concludes: “We were out of our league, in our own game.”

Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains. In the end, there’s a bit of a cat and mouse game going on here, and no one’s going to be able to catch all malware. But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.

Companies: f-secure


Comments on “F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago”

SAG says:

He's right...

But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.

The main problem with the industry as a whole has been its myopic focus on detections rather than time to removal OF said malware; especially when it goes totally undetected.

Rustock C and Induc A (more mainstream malware) were similar in regards to not being detected for a very long time. With the new TDL trojans and targeted nasties like Stux and Flame, the evidence for traditional approaches failing at all levels is glaringly, painfully obvious.

Some alternate types of protection that Mikko did not include:

1. Boot-to-restore (also called Instant System Recovery)
2. Imaging/backups

In the first, you have a means to recover immediately to a clean state or simply at the shutdown/restart of the computer which results in less time exposed. In the second, you have a means to simply wipe the system to a known clean image that might be older than the boot-to-restore, but in a pinch will get things back up and running in a clean state.

This is not perfect as content can operate before the reboot/reimage so you still need to layer it with some form of detection and blocking as Mikko suggests…

Anonymous Coward says:


The certificate system is supposed to make operating systems more secure but it was the very certificate system charged with ensuring our security that enabled this problem to go unnoticed. The false sense of security delivered by the security system is what stifled suspicion here. No one suspected that the security system itself was compromised. What’s often worse than poor security is a false sense of security and that’s exactly what the certificate system caused here.

Kinda reminds me of the TSA 😉

Anonymous Coward says:

He's right...

While your comments are on point for an experienced user, most average Joes I know really don’t understand what you wrote.

I’m happy to say that most people I know understand that they need a modern AV product and a few know what a firewall is for. Only a couple understand what IPS is for.

What I tell my friends and family to do is, run a couple different AV products (Everyone has their fav AV products so I won’t recommend any.) and a decent firewall product.

I remind most about when to update their Windows OS and others as I know of them. I tell them about updating their other apps (FLASH and the like.).

Ultimately, most people I know (That are not Geeks too.) need assistance on what security to have and to be told about best practices. Most people get the idea that security is important and that they can be compromised.

So, telling one of my family to restore is a useless suggestion. They simply don’t know what that is or are afraid to screw it up.

Decent AV saves me a lot of time recovering their systems too. 😉

Anonymous Coward says:


security problem *

Everyone looks at these files and says “oh, they’re digitally signed, I have nothing to worry about here, they’re not compromised”. Everyone simply trusts Microsoft to ensure that there is nothing wrong with these files and so no one ever digs any deeper.

Had it not been for a false sense of security chances are this would have been noticed a very long time ago because people will be more inclined to dig into their files and ensure they are safe.

I remember an SHS(?) exploit within the kernel of one of the Windows operating systems a while back (I believe it was a 9x operating system). It enabled unauthorized parties to run executable code on the operating system. Steve Gibson, from http://www.grc.com, looked at the kernel code and determined that this exploit was intentionally placed (it’s in one of his earlier podcasts). Many disagreed with him but who knows

mikey4001 says:


Or, maybe they could just devise a more appropriate strategy, based on an updated business model that recognizes that the current landscape is significantly different than what existed when the company was founded, thus ensuring greater efficiency, greater success, and an overall healthier prospect for future growth and stability within their market space.

I swear, sometimes it’s like you guys aren’t even trying.

SAG says:


There’s also the possibility that US based AV devs have been served with injunctions that carry national security gag orders, forcing them to not identify US backed malware.

This would not surprise me in the least.

No, this would not happen as the Government is not going to confirm that the malware exists or that they had anything to do with it while it is still going undetected, you get to the same place…

Even with Stuxnet and Flame they said nothing until it became somewhat effective to say something to further a different agenda. Also note that there are probably more nasties in the closet ready to deploy as soon as the current tools begin to fail; whether through wide adoption of OS fixes to close the exploits the malware was using or general detection at both the first and second tier levels for the AVs/AMs.

SAG says:

He's right...

Just as with the struggle to get most to the point where they are aware of the importance of security, there will be a further struggle to get them to recognize and then deploy EFFECTIVE security strategies.

It has taken over 20 years to get where we are now so there is no indication that it will not take as long to get to the new milestone…

SAG says:

He's right...

One thing to keep in mind and as noted in the article – there ain’t no such thing as a silver bullet. To achieve solid security, you are going to have to have a strategy and tools that will provide a specific strength that will cover the weaknesses in your other security tools, but also that the other tools work to cover the same in the specific tool you are considering.

Security is not a set and forget exercise. You need to evaluate and adapt your strategy to the risks you are likely to face and virtualization is only a part of the overall approach…

Anonymous Coward says:


Then someone needs to talk to the different software vendors and get them on board with the software running no matter WHAT OS you want to use.

Or maybe the OS needs to not care which OS the program was written for and just handle it.

Same goes for .tif/.tiff files. Can someone PLEASE make a software that opens EVERY FREAKING KIND of .tif/.tiff file?

It’s 2012, and we still have compatibility issues. Hell, the fact that it’s 2012 and we can’t have one software that opens every single kind of file that has been created is a total fail on the IT industry’s part.


Ninja (profile) says:

So old and so up to date:


The problem would be nearly solved with a default deny strategy. Want to execute anything new in your machine? Check its behavior beforehand.

Anti-virus software should just include some way of whitelisting software and if you don’t really trust what you are running you just send them for analysis. Charge a monthly fee (or a one-time fee) for the analysis if you are the first to send the software. If the hash is already registered then just give the green light.

Obviously this might present some limitations but it’s food for thought.
