Antivirus Firms Out of Their League With Stuxnet, Flame

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered, and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications, and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and Lua libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because, simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"
  • by trout007 ( 975317 ) on Monday June 04, 2012 @08:11AM (#40207385)

    I mean, seriously, does anyone think the OS companies aren't in on this type of operation?

    It reminds me of the CIA-Xerox story.

    http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm [lunarpages.com]

  • by Narcocide ( 102829 ) on Monday June 04, 2012 @08:18AM (#40207419) Homepage

    Well, that's one good theory, but I suppose that if it's possible to make a virus like Stuxnet primarily target only computers that control Iranian uranium-enriching centrifuges, it would also be possible to write the same virus to *avoid* activating itself anywhere in sight of machines owned by anti-virus corporations.

    There's still some level of plausible deniability here; the real question is what to do about the fact that installing anti-virus software in the first place is, while not effective enough, also the limit of most users' capability to secure their computers.

  • by Dan9999 ( 679463 ) on Monday June 04, 2012 @08:22AM (#40207439)
    AV software is picking up the slack for badly designed operating systems. Kernels, drivers, the shell, the UI of software, management control and process control have all spiralled out of sync in their evolution in all OSes bar none, which is a perfect breeding ground for this.

    Come on OSes, raise that bar so that AV companies can do the same.

  • by Anonymous Coward on Monday June 04, 2012 @08:23AM (#40207449)
    For that matter, an anti-virus expert would be a good person to ask how to get past anti-virus.
  • by RobbieThe1st ( 1977364 ) on Monday June 04, 2012 @08:26AM (#40207459)

    To be fair, giving out your OS encryption keys to "friendly" nation-states for signed malware basically means that your OS, no matter how securely designed, will always have such malware.

  • Conspiracy theory (Score:3, Interesting)

    by seyfarth ( 323827 ) on Monday June 04, 2012 @08:29AM (#40207481) Homepage

    With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

  • by localman57 ( 1340533 ) on Monday June 04, 2012 @08:30AM (#40207485)

    The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

    I agree with the second part. The first part is probably wishful thinking with the exception of products that are small enough or well funded enough that you can do proofs of their security (such as a couple of the real-time operating systems out there).

    I think it's interesting to look at the way that safe and vault makers approach this problem. No safe maker ever guarantees their safe to be uncrackable. Rather, they have a standard which basically says "A well-qualified attacker with knowledge of the safe's internal workings, but no knowledge of the combination or access to the keys, can be expected to breach this safe in X amount of time." They know it's a matter of when, not if. Encryption software people seem to get this as well.

  • by Toth ( 36602 ) on Monday June 04, 2012 @08:31AM (#40207489)

    Interesting article at the Internet Storm Center: "Why Flame is Lame"
    http://isc.sans.edu/diary.html?storyid=13342#comment [sans.edu]

  • by camperdave ( 969942 ) on Monday June 04, 2012 @08:36AM (#40207527) Journal
    I've always wondered about "selfing" the software installed on a machine. In the body, cells that are part of the body are identified with a protein marker, and the immune system ignores cells with that marker. When a cell does not have that marker, it is considered a foreign invader and is destroyed. So, with software, you would have to add a marker code to it - branding it, as it were - for it to be acceptable to the antivirus software. Essentially, it would be a whitelisting system.
  • by Anonymous Coward on Monday June 04, 2012 @08:53AM (#40207609)

    You don't even need to "give" them out. Flame was "signed by Microsoft" by exploiting a vulnerability in Terminal Services Licensing Server.

    "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

    from Microsoft releases Security Advisory 2718704 [technet.com]

  • but it gets a bit kinky later where they're detecting themselves...

    It's not kinky at all. They all do it, most of them nearly every day, but few of them admit it.

    Kinky is two of them detecting each other...

  • by Anonymous Coward on Monday June 04, 2012 @09:09AM (#40207777)

    My Dad's work PC got infected with "Smart Fortress 2012" mid-May. My mistake, I wasn't taking care of Flash and Acrobat reader. But an otherwise up-to-date XP, with an up-to-date Norton antivirus installed, got infected through a webpage. And even though the account was not an administrator account, Smart Fortress 2012 not only disabled Norton antivirus but rendered it inoperable - it had to be reinstalled (through the Administrator account).

    Lesson learned. Don't trust much Norton, don't trust much anything else and tighten up as much as possible.

  • by PPH ( 736903 ) on Monday June 04, 2012 @10:25AM (#40208541)

    The tin foil hatters who worry about NSA-mandated back doors should be worrying about how many code signing keys the CIA/FBI/NSA/Pentagon have extracted from Microsoft. Or borrowed from gov't contractors (Boeing/Lockheed/etc).

    And how many US-based AV companies have "found something" out there on the Internet and put it into their database, but then failed to act on it at the behest of one of these TLAs?

    That may be one reason Kaspersky has blown the whistle on a few things recently. How is the NSA going to call a Russian company and ask them to sit on some information without that making its way into their intelligence services? And used as leverage in future political events?

  • Re:Nothing new here (Score:5, Interesting)

    by drinkypoo ( 153816 ) <martin.espinoza@gmail.com> on Monday June 04, 2012 @10:49AM (#40208805) Homepage Journal

    Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel.

    bollocks [bulletproofme.com]

    Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

    Oddly enough, you can have all the same typical service issue ammo that the military uses.

    The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry

    ...though neither do most military vehicles...

    while any armored military vehicle would shrug off an attack using weapons available to civilians

    Except for IEDs, for which we are having to redesign our entire fleet basically.

    The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

    Things have been going very, very badly for a long time. Companies like Coca-Cola and Nestle have their own military forces in third world countries. Corporatists have utterly taken over the majority of world governments. So while I agree with your premise, I don't agree with your conclusion. Civilians already have that capacity, and they always have, and things are already going that way.

  • Re:P.S. (Score:4, Interesting)

    by drinkypoo ( 153816 ) <martin.espinoza@gmail.com> on Monday June 04, 2012 @10:53AM (#40208855) Homepage Journal

    If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

    Why not? Granted, they have access to all the same attacks the rest of us do, but Windows is the only operating system whose back doors they are in a position to be effectively the sole parties familiar with. Remember when Microsoft was shown to be guilty of violating its monopoly status? Remember how nothing ever came of that? No, something came of that. Microsoft is now a part of the same group of assholes that controls politics in America. Bill Gates is in like Flynn; he does as he's told and controls vast sums.

    You may have noted (here and elsewhere) that the US government told people to use Vista for security. That announcement was met with loud guffaws here on Slashdot, but I presumed then and presume now that it was because it's the operating system they're deepest into. But presumably they've been deep into Windows since NT.

  • When Microsoft finally got around to making a new TCP stack for Vista they reintroduced all the old bugs that were in the old stack because they proceeded from the same assumptions, forgot everything they learned improving the old stack, and went boldly forth like complete assholes. As a result you could teardrop or LAND Vista RCs. How does this happen? Because they were not using good programming practices.

    So it's true, you can't make NO vulnerabilities. But you CAN adopt not just good but proper practices that reduce the number of vulnerabilities you create. This is something Microsoft should try.

  • Consumer-grade (Score:5, Interesting)

    by mrex ( 25183 ) on Monday June 04, 2012 @11:52AM (#40209477)

    The most bothersome statement to me is right here:

    >consumer-grade antivirus products

    Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago. Why? Are the billions of dollars a year in claimed corporate losses to computer intrusions insufficient profit motive for someone to bring something better to market? Are we really expected to believe that billion dollar companies like Intel, Microsoft, Google, and Apple simply aren't up to the technical challenge, let alone government agencies like the NSA whose job it is supposed to be to protect the security of America's communications? I guess they're too busy violating that security to care, these days.

    The pace of progress on the consumer internet used to be blinding. Now, with the network mostly taken over by large corporations and the governments they are symbiotic with, and the capture of the knowledge and creative spheres by government dollars and NDAs, the internet is becoming just as dysfunctional as the lumbering dinosaurs all-too-willing to ruin anything and hurt anyone necessary to ensure their continued place at the head of the table.
