Antivirus Firms Out of Their League With Stuxnet, Flame

Posted by timothy
from the doesn't-say-much-good-for-their-product dept.
Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered, and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications, and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and Lua libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because, simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"
  • by ArsenneLupin (766289) on Monday June 04, 2012 @08:11AM (#40207391)
    ... write their warez. And they were easily disassembled, and recognized for the evil they were.

    Then they started using custom packers and obfuscators, making them as hard to reverse engineer as Skype.

    But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...

    So, now they went back to using generic tools and libraries. Full circle!
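    As an added example (not from the thread, and not code from any AV vendor discussed), here is the kind of entropy heuristic that the comment above alludes to: a packed or encrypted section carries close to the 8 bits per byte maximum, while ordinary code, strings and tables sit well below it, so a scanner that measures entropy per chunk can flag a binary that hides behind a custom packer. The threshold, chunk size and the two sample "sections" are constructed for the demo. As the story summary notes, Stuxnet, Duqu and Flame deliberately avoided packers and used signed components or stock libraries instead, so a check like this would have passed them, which is exactly the full-circle point the comment makes.

```python
"""Entropy heuristic for spotting packed or encrypted executable regions.

Added example for the Slashdot thread, not code from the page or from any
antivirus product. All sample data below is constructed inline; there are
no real malware bytes here.
"""
import hashlib
import math
from collections import Counter

# Assumed values (not from the page). Plain code and text usually stay well
# below 7.0 bits/byte; compressed or encrypted data approaches 8.0.
PACKED_THRESHOLD = 7.2
CHUNK_SIZE = 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, 8.0 maximum."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                threshold: float = PACKED_THRESHOLD):
    """Return (offset, entropy, suspicious) for every fixed-size chunk of data."""
    results = []
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        h = shannon_entropy(chunk)
        results.append((offset, round(h, 3), h >= threshold))
    return results


def packed_ratio(data: bytes) -> float:
    """Fraction of chunks whose entropy crosses the packed/encrypted threshold."""
    chunks = scan_chunks(data)
    if not chunks:
        return 0.0
    return sum(1 for _, _, suspicious in chunks if suspicious) / len(chunks)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for a packed payload, so the demo runs identically everywhere."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample image: a text-like, low-entropy section (the sort of
# SQL/library strings Flame hid among) followed by a high-entropy section
# that mimics a packed payload. Each section is exactly four chunks long.
PLAIN_SECTION = (b"SELECT name, value FROM config WHERE enabled = 1;\n" * 100)[:4096]
PACKED_SECTION = pseudo_random_bytes(4096)
SAMPLE_IMAGE = PLAIN_SECTION + PACKED_SECTION


if __name__ == "__main__":
    for offset, h, suspicious in scan_chunks(SAMPLE_IMAGE):
        flag = "PACKED?" if suspicious else "ok"
        print(f"offset 0x{offset:06x}  entropy {h:.3f}  {flag}")
    print(f"packed ratio: {packed_ratio(SAMPLE_IMAGE):.2f}")
```

    Running the block prints eight chunk lines, the first four marked ok and the last four marked PACKED?, for a packed ratio of 0.50. The heuristic is cheap and was effective against the packer era the comment describes, but it says nothing about what unpacked, signed code does once it runs; that is the gap the thread is really about.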

  • P.S. (Score:5, Insightful)

    by CajunArson (465943) on Monday June 04, 2012 @08:15AM (#40207403) Journal

    If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

  • by Anonymous Coward on Monday June 04, 2012 @08:15AM (#40207405)

    stop using windows bro

  • by Anonymous Coward on Monday June 04, 2012 @08:18AM (#40207427)

    You cannot solve the virus problem as it is an impossible situation.

    The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

    The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.

    Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross licensing powers could hire... but they usually also have "anti-poaching" agreements as well. This results in the lack of cross training in various techniques of programming, and promote internal bad practice... and the development of bad policies on how to program.

  • by jythie (914043) on Monday June 04, 2012 @09:04AM (#40207729)
    Thing is, even with those proved systems, no amount of security is going to stop a good social engineering attack. At some point all systems will have some mechanism for changing their functionality unless the whole thing is ROM and has a hardware enforced switch for being able to change things... and even then all you need is one careless tech or a corrupt contractor and poof, you are infected.

    Technological solutions can improve the situation, but are not a panacea.
  • Nothing new here (Score:5, Insightful)

    by Shoten (260439) on Monday June 04, 2012 @09:46AM (#40208105)

    Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel. Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians. The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry, while any armored military vehicle would shrug off an attack using weapons available to civilians. There are many other analogues involving surveillance technologies, etc. that show the dichotomy that has always existed between the military/intelligence communities and the civilian world.

    But so what? Of course their tools are more sophisticated...they should be. The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

  • by Kjella (173770) on Monday June 04, 2012 @09:50AM (#40208153) Homepage

    Good computing habits preclude the need for AV software. Just my two cents.

    And how exactly would you know if it has been compromised or if someone is running a MITM on you? Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised? Good computing habits are good enough for my single consumer desktop, but they're not exactly hardened servers with tripwires, traffic policies, alerts and intense traffic monitoring. If they send a "real" virus directed towards me, I wouldn't bet too much on my good habits. It's all relative to the threat level, just like my apartment is fairly safe against common burglars but it's not exactly a jeweler's shop with millions in value, nor is it a military bunker.

    As for AV software, yes, I run it as a second opinion. Personally I don't think I'm too smart to make a blunder, or the odd combination of a seemingly trusted download and an old virus signature the AV will detect. Besides, how do you know your own opinion is correct? It's not like they announce themselves; it could be sending out your credit card info and be a proxy to everything without telling you. The silent ones are far more dangerous than the popup infestations and ransomware.

  • by SCHecklerX (229973) on Monday June 04, 2012 @10:12AM (#40208379) Homepage

    Once you are hit, it is already too late.

    What we as sysadmins and users should focus on instead is prevention.

    Unfortunately, prevention relies mostly on end user education. They will always download that cool image, or play that game, forward that e-card, etc. You can't cure user stupidity with technology. The car analogy would be, well, eliminate cars and make everyone take the train.

  • by sir-gold (949031) on Monday June 04, 2012 @10:37AM (#40208673)

    Of course they are out of their league with Stuxnet and Flame. The AV companies are used to fighting teenage hackers and Russian mobsters; they aren't prepared to fight two of the highest-funded militaries in the world (USA and Israel). It's hard to beat the enemy when they outnumber and "outgun" you by a factor of 100,000.

  • by stephanruby (542433) on Monday June 04, 2012 @10:47AM (#40208793)

    Sure, the OS companies. Yes.

    But not the anti-virus companies, which is what we're talking about here. The anti-virus companies are just script kiddies. Their core competencies are public relations and cookie scaremongering, but that's all. They do not pay people to do original research, that would cut into their profit margins.

    If they can detect something, it's only because someone else did the research and posted it on their blog. Once someone has written some manual instructions for detecting the malware and removing it, the anti-virus companies are capable of writing a script that tries to do the same automatically, but even that sometimes stretches the limit of their capabilities since they can't even do that part correctly many of the times.

    The real research is done by people like Mark Russinovich (and yes, you don't have to trust anything he has written after his company was acquired by Microsoft, you can just take a look at his oldest blog posts first -- which pre-date the acquisition).

  • by mrex (25183) on Monday June 04, 2012 @10:55AM (#40208873)

    Right down to Microsoft's "mistake" in their Terminal Server certificate assignment process, that "accidentally" allowed those certificates to be used to sign code.

  • Re:Consumer-grade (Score:4, Insightful)

    by cyberfunkr (591238) on Monday June 04, 2012 @01:19PM (#40210627)

    The most bothersome statement to me is right here:

    >consumer-grade antivirus products

    Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago.

    One of my biggest issues with most AV software nowadays is that it claims to be improving, but still uses the same methodologies as always. What they are spending their money, time, and resources on is the f'n UI. In the end, I really don't need or want a pretty UI. Don't nag me about updates, just do it. I don't need a graph showing how many files were scanned per hour/day, just scan. I don't need a separate screen showing how well the mail scanner is working versus the web scanner. Just put a small icon in the system tray to say, "Your AV is running. Keep calm and carry on."

    If the software does find something, pop up a simple box saying: here is what was found, where it found it, why it thinks it's bad, and what it should do. Oh, and make sure that the name of the virus is copy-able, so that I can paste it into a Google search and see details about what I'm up against.