Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT

Antivirus Firms Out of Their League With Stuxnet, Flame 233

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"
This discussion has been archived. No new comments can be posted.

Antivirus Firms Out of Their League With Stuxnet, Flame

Comments Filter:
  • by trout007 ( 975317 ) on Monday June 04, 2012 @07:11AM (#40207385)

    I mean seriously does anyone think the OS companies aren't in on this type of operation?

    It reminds me of the CIA-Xerox story.

    http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm [lunarpages.com]

    • by Narcocide ( 102829 ) on Monday June 04, 2012 @07:18AM (#40207419) Homepage

      Well thats one good theory, but I suppose that if its possible to make a virus like Stuxnet primarily target only computers that control Iranian Uranium enriching centerfuges it would be also possible to write the same virus to *avoid* activating itself anywhere in sight of machines owned by anti-virus corporations.

      There's still some level of plausible deniability here, the real question is what to do about the fact that installing anti-virus software in the first place is, while not effective enough, also the limit of most user's capabilty to secure their computers.

      • It happened to do something to Iranian centrifuges. It probably did something different on journalist or senator PCs that caught the virus.

        What the system needs is more honeypots monitoring net activity and changes to the system image.

        It will be tough considering how big systems are and how difficult it is to simulate all user activity but it should be sufficient to find a lot of drive by trojans and viruses, if not user installed malware.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      For that matter, an anti-virus expert would be a good person to ask how to get past anti-virus.
    • Not the OS companies, the AV companies
      Ironic, no, that a virus with a definite source that isn't an AV company is also immune to those same AV companies?
      • by PPH ( 736903 ) on Monday June 04, 2012 @09:25AM (#40208541)

        The tin foil hatters who worry about NSA-mandated back doors should be worrying about how many code signing keys the CIA/FBI/NSA/Pentagon have extracted from Microsoft. Or borrowed from gov't contractors (Boeing/Lockheed/etc).

        And how many US based AV companies, have "found something" out there on the Internet and put it into their database. But then failed to act on it at the behest of one of these TLAs.

        That may be one reason Kaspersky has blown the whistle on a few things recently. How is the NSA going to call a Russian company and ask them to sit on some information without that making its way into their intelligence services? And used as leverage in future political events?

        • "The tin foil hatters who worry about NSA-mandated back doors" shouldn't be running Windows for anything but gaming....

      • by mrex ( 25183 )

        >Not the OS companies, the AV companies

        Not an either/or. All these big companies know who butters their bread, and jump at the chance to work with "007" anyway.

    • by stephanruby ( 542433 ) on Monday June 04, 2012 @09:47AM (#40208793)

      Sure, the OS companies. Yes.

      But not the anti-virus companies, which is what we're talking about here. The anti-virus companies are just script kiddies. Their core competencies are public relations and cookie scaremongering, but that's all. They do not pay people to do original research, that would cut into their profit margins.

      If they can detect something, it's only because someone else did the research and posted it on their blog. Once someone has written some manual instructions for detecting the malware and removing it, the anti-virus companies are capable of writing a script that tries to do the same automatically, but even that sometimes stretches the limit of their capabilities since they can't even do that part correctly many of the times.

      The real research is done by people like Mark Russinovich [microsoft.com] (and yes, you don't have to trust anything he has written after his company was acquired by Microsoft, you can just take a look at his oldest blog posts first -- which pre-date the acquisition).

    • by mrex ( 25183 ) on Monday June 04, 2012 @09:55AM (#40208873)

      Right down to Microsoft's "mistake" in their Terminal Server certificate assignment process, that "accidentally" allowed those certificates to be used to sign code.

    • Comment removed based on user account deletion
  • by ArsenneLupin ( 766289 ) on Monday June 04, 2012 @07:11AM (#40207391)
    ... write their warez. And they were easily disassembled, and recognized for the evil they were.

    Then they started using custom packers and obfuscaters, making them as hard to reverse engineer as Skype.

    But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...

    So, now they went back to using generic tools and libraries. Full circle!

  • P.S. (Score:5, Insightful)

    by CajunArson ( 465943 ) on Monday June 04, 2012 @07:15AM (#40207403) Journal

    If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

    • Re:P.S. (Score:4, Funny)

      by Opportunist ( 166417 ) on Monday June 04, 2012 @08:11AM (#40207801)

      Not wanting to break NDAs but: You overestimate the intelligence in intelligence...

    • Re:P.S. (Score:4, Interesting)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday June 04, 2012 @09:53AM (#40208855) Homepage Journal

      If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

      Why not? Granted, they have access to all the same attacks the rest of us do, but Windows is the only operating system whose back doors they are in a position to be effectively the sole parties familiar with them. Remember when Microsoft was shown to be guilty of violating its monopoly status? Remember how nothing ever came of that? No, something came of that. Microsoft is now a part of the same group of assholes that controls politics in america. Bill Gates is in like Flynn; he does as he's told and controls vast sums.

      You may have noted (here and elsewhere) that the US government told people to use Vista for security. That announcement was met with loud guffaws here on Slashdot, but I presumed then and presume now that it was because it's the operating system they're deepest into. But presumably they've been deep into Windows since NT.

      • Or, put another way, "extraordinary claims require extraordinary evidence."

      • You obviously didn't both to RTFA did you? Did you notice the list of components that were found in Flame? Lessee here: OpenSSH, OpenSSL, Lua, Sqlite...

        Hrm.. now, what OS is most likely to have all of these components already installed by default so that an attacker doesn't even have to bother installing them AND so that it will be even harder to detect the malware since those tools are expected to be installed on the system anyway... I KNOW! That system *MUST* be Windows because Microsoft is known to bui

        • so that MUST be the reason that Linux is magically and completely invincible

          what? who said anything remotely resembling that?

          if you didn't like the post you replied to, try addressing it. instead of just spazzing and making a boo boo. geez.

      • Comment removed based on user account deletion
  • by TimHunter ( 174406 ) on Monday June 04, 2012 @07:15AM (#40207407)

    "Lua" (pronounced LOO-ah) means "Moon" in Portuguese. As such, it is neither an acronym nor an abbreviation, but a noun. More specifically, "Lua" is a name, the name of the Earth's moon and the name of the language. Like most names, it should be written in lower case with an initial capital, that is, "Lua". Please do not write it as "LUA", which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write "Lua" right!

    http://www.lua.org/about.html [lua.org]

  • by Anonymous Coward on Monday June 04, 2012 @07:18AM (#40207427)

    You cannot solve the virus problem as it is an impossible situation.

    The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

    The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.

    Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross licensing powers could hire... but they usually also have "anti-poaching" agreements as well. This results in the lack of cross training in various techniques of programming, and promote internal bad practice... and the development of bad policies on how to program.

    • by RobbieThe1st ( 1977364 ) on Monday June 04, 2012 @07:26AM (#40207459)

      To be fair, giving out your OS encryption keys to "friendly" nation-states for signed malware basically means that your OS, no matter how securely designed, will always have such malware.

      • by Anonymous Coward on Monday June 04, 2012 @07:53AM (#40207609)

        You don't even need to "give" them out. Flame was "signed by Microsoft" by exploiting a vulnerability in Terminal Services Licensing Server.

        "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

        from Microsoft releases Security Advisory 2718704 [technet.com]

    • by localman57 ( 1340533 ) on Monday June 04, 2012 @07:30AM (#40207485)

      The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

      I agree with the second part. The first part is probably wishful thinking with the exception of products that are small enough or well funded enough that you can do proofs of their security (such as a couple of the real-time operating systems out there).

      I think it's interesting to look at the way that safe vault makers approach this problem. No safe maker ever guarantees their safe to be uncrackable. Rather, they have a standard which basically says "A well qualified attacker with knowledge of the safe's internal workings, but no knowledge of the combination or access to the keys can be expected to breach this safe in X amount of time." They know it's a matter of when, not if. Encryption software people seem to get this as well.

      • by jythie ( 914043 ) on Monday June 04, 2012 @08:04AM (#40207729)
        Thing is, even with those proved systems, no amount of security is going to stop a good social engineering attack. At some point all systems will have some mechanism for changing their functionality unless the whole thing is ROM and has a hardware enforced switch for being able to change things... and even then all you need is one careless tech or a corrupt contractor and poof, you are infected.

        Technological solutions can improve the situation, but are not a panacea.
      • When Microsoft finally got around to making a new TCP stack for Vista they reintroduced all the old bugs that were in the old stack because they proceeded from the same assumptions, forgot everything they learned improving the old stack, and went boldly forth like complete assholes. As a result you could teardrop or LAND Vista RCs. How does this happen? Because they were not using good programming practices.

        So it's true, you can't make NO vulnerabilities. But you CAN adopt not just good but proper practices that reduce the number of vulnerabilities you create. This is something Microsoft should try.

    • by camperdave ( 969942 ) on Monday June 04, 2012 @07:36AM (#40207527) Journal
      I've always wondered about "selfing" the software installed on a machine. In the body, cells that are part of the body are identified with a protein marker, and the immune system ignores cells with that marker. When a cell does not have that marker, it is considered a foreign invader and is destroyed. So, with software, you would have to add a marker code to it - branding it, as it were - for it to be acceptable to the antivirus software. Essentially, it would be a whitelisting system.
      • by roothog ( 635998 )

        You should look up Stephanie Forrest's research. She's been doing things like that for the past 20 years. To give you an idea, she has a mid-90's paper called "A Sense of Self for UNIX Processes".

    • by Kijori ( 897770 )

      I think maybe that blaming either company - either the OS designer or the AV company - is a little unreasonable. The AV companies were out of their depth, as the article says; the OS team are also out of their depth here. But is that really a surprise? Is this really something that it's reasonable to expect them to be able to cope with?

      Even if you hire the best locksmiths and builders around a government agency will still be able to get into your house. If you hire the best bodyguards in the world a nation

  • by Dan9999 ( 679463 ) on Monday June 04, 2012 @07:22AM (#40207439)
    AV software is picking up the slack for badly designed operating systems. Kernels, drivers, the shell, the UI of software, management control and process control have all spiralled out of sync in their evolution in all OSes bar none which is a perfect breeding ground for this.

    Come on OS's, raise that bar so that AV companies can do the same.

    • by mcgrew ( 92797 ) *

      AV software is picking up the slack for badly designed operating systems.

      I know of only one operating system that needs AV. Are you telling me that MacOS, iOS, BSD, OSX, and Linux need AV? because I 've never heard of a virus in the wild ever attacking any of those OSes.

      Call a spade a spade: AV software is picking up the slack for Microsoft's badly designed operating systems (and MS shills and fanbois with mod points be damned).

      Microsoft needs to get its act together. Microsoft is the culprit here, and is t

  • Wah... (Score:5, Funny)

    by Anonymous Coward on Monday June 04, 2012 @07:23AM (#40207445)

    Wha. We suck. But, what can you do?

    Your subscription has expired. Please upgrade to Our Steaming Pile 2013. Now with more steam. Also, we hid some options to make it more challenging/interesting for you!

  • Your products do have a tendency to delete system files though. Maybe antivirus software should be a bit more than writing definitions to known CVSs and some anomaly engine which thinks every file in a profile directory is suspicious. While antivirus software is another layer of security, it's a pretty shitty one.
  • Conspiracy theory (Score:3, Interesting)

    by seyfarth ( 323827 ) on Monday June 04, 2012 @07:29AM (#40207481) Homepage

    With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

    • I just pushed out a root cert revocation update to help fight the untrusted Microsoft cert that was used for this. I wonder if this "flame" was meant to target the public, or another attack that got out of control?
  • Anti-virus software companies need to acquire, profile, and create removal code for new threats before they can do much to mitigate it. Now obviously, that's going to take genuine time and effort in cases where they didn't write the virus themselves.

  • Failed to detect? (Score:2, Redundant)

    by Scutter ( 18425 )

    By the author's own admission, they didn't "fail to detect". They HAD copies of the virus in their reporting database but ignored them. Why are customers reporting samples if the antivirus companies aren't paying any attention? I'd like to hear more on that explanation and not more excuses like "well, it works like a business database".

    • by AHuxley ( 892839 )
      Its Windows, a long list of new code efforts every day, in the wild and doing damage to end users systems.
      They get the worst first and work back.
  • by slack_justyb ( 862874 ) on Monday June 04, 2012 @07:39AM (#40207543)
    I've not held much faith for anti-virus companies. Never was I under the idea that AV software would stop a *real* virus. To me, anti-virus software is just a way to keep the script kiddies and adware ActiveX controls off a system. Good computing habits preclude the need for AV software. Just my two cents.
    • by upside ( 574799 ) on Monday June 04, 2012 @08:43AM (#40208075) Journal

      Pretty much what Mikko Hypponen is saying in the article:

      The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

    • by Kjella ( 173770 ) on Monday June 04, 2012 @08:50AM (#40208153) Homepage

      Good computing habits preclude the need for AV software. Just my two cents.

      And how exactly would you know if mozilla.com has been compromised or if someone is running a MITM on you? Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised? Good computing habits are good enough for my single consumer desktop, but they're not exactly hardened servers with tripwires, traffic policies, alerts and intense traffic monitoring. If they send a "real" virus directed towards me, I wouldn't bet too much on my good habits. It's all relative to the threat level, just like my apartment is fairly safe against common burglars but it's not exactly a jeweler's shop with millions in value nor it is a military bunker.

      As for AV software, yes I run it as a second opinion. Personally I don't think I'm too smart to make a blunder, or the odd combination of a seeming trusted download and an old virus signature the AV will detect. Besides, how do you know your own opinion is correct? It's not like they announce themselves, it could be sending out your credit card into and be a proxy to everything without telling you. The silent ones are far more dangerous than the popup infestations and ransomware.

      • it could be sending out your credit card into and be a proxy to everything without telling you

        Don't use your credit card for online purchases, or in my case, setup a secondary bank backed CC that has limited access to your primary funds. Move funding into the secondary as needed. Even if they get the CC number I use on the Internet, at best they are leaving with $11.38 at the current moment.

        or if someone is running a MITM on you

        Long story short, there are connections where I care about MITM and those that I don't care about them. The ones where I don't care are because even if there was a MITM attack, they've gain absolutely nothin

      • by 0123456 ( 636235 )

        Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised?

        Unlike Windows, there are only a tiny number of such keys. You can't exploit them the same way these guys apparently did by creating a random key signed by another random key which happened to be flagged as a CA key, because it wouldn't be accepted when installing the package.

        Yes, it's possible that someone has hacked into Red Hat and Ubuntu and stolen a signing key, but if that's the case then we have much bigger problems to worry about.

        • by Kjella ( 173770 )

          Unlike Windows, there are only a tiny number of such keys. You can't exploit them the same way these guys apparently did by creating a random key signed by another random key which happened to be flagged as a CA key, because it wouldn't be accepted when installing the package.

          The key that verifies that it comes from the $distro repository, yes. But there are many thousands of developers and packagers that could be compromised so you get a signed trojan horse, it's not like the distro does code review. Like for example OpenSSL that was badly broken for two years in all Debian based distros and that was pure ignorance, public and obvious. How hard to you think it would be to discover a malicious and covert custom exploit targeting only a few machines? It could have gone unnoticed

      • Running without an AV works ONLY if
        a) You are intelligent enough to avoid viruses
        AND
        b) Anyone you frequently communicate with have no viruses
        AND
        c) Any sites you frequent have not been compromised.

        That third one is what got me. A webcomic I read - quite a popular one, not at all a shady, untrustworthy site - got exploited, and was used to serve out malware. I happened to read it during the few hours it was compromised. The malware got past Adblock. Everything was fully up-to-date, from Firefox to Java to Win

      • by mcgrew ( 92797 ) *

        I stopped using AV software when it failed to protect me from XPC. Who would have thought that a large, well respected company like Sony would deliberately infect their paying customers' computers? The irony is, if my daughter had just downloaded the songs instead of buying it from the record store she worked at, I'd not have gotten infected.

        If mozilla.com got infected, your AV software isn't going to help any more than mine protected me against XCP.

    • Government agencies have little problem with antivirus software for consumer, and you say you don't have much faith in AV? Well, wouldn't it be far more disconcerting if $20 a year software COULD defeat the CIA's (or whoever) malware?

      I mean, a story about how the CIA can get past your deadbolt and home alarm system wouldn't be shocking, would it? News that the US army can outgun the security guard at your job... no shit.

      Of course, the problem is that it DOESN'T require a multi-billion budget to
  • by bmo ( 77928 ) on Monday June 04, 2012 @07:47AM (#40207573)

    Release armies of flying cats.

    Because if you're going to ignore what's in your database for two years, well, flying cats are better.

    https://www.youtube.com/watch?feature=player_embedded&v=-S4DZ_aWNuU# [youtube.com]!

    --
    BMO

  • by Anonymous Coward on Monday June 04, 2012 @08:09AM (#40207777)

    My Dad's work PC got infected with "Smart Fortress 2012" mid-May. My mistake, I wasn't taking care of Flash and Acrobat reader. But an otherwise up-to-date XP, with an up-to-date Norton antivirus installed, got infected through a webpage. And even though the account was not an administrator account, Smart Fortress 2012 not only disabled Norton antivirus but rendered it inoperable - it had to be reinstalled (through the Administrator account).

    Lesson learned. Don't trust much Norton, don't trust much anything else and tighten up as much as possible.

  • Well, DUH.

    AV kits can only protect against attacks that are known. They may be able to detect new variants of attacks, so once a certain botnet type is known they may well be able to find zero-day developments if their heuristics are good (not a trivial task, but some have mighty good detection rates against unknown variants), but how are they supposed to detect what is simply not known to be a threat?

    And likewise they cannot protect against attacks that target YOUR and only YOUR company. Where'd they get s

  • Nothing new here (Score:5, Insightful)

    by Shoten ( 260439 ) on Monday June 04, 2012 @08:46AM (#40208105)

    Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel. Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians. The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry, while any armored military vehicle would shrug off an attack using weapons available to civilians. There are many other analogues involving surveillance technologies, etc. that show the dichotomy that has always existed between the military/intelligence communities and the civilian world.

    But so what? Of course their tools are more sophisticated...they should be. The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      You should c'mon down and visit us here in Texas.

    • Re:Nothing new here (Score:5, Interesting)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday June 04, 2012 @09:49AM (#40208805) Homepage Journal

      Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel.

      ballocks [bulletproofme.com]

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      Oddly enough, you can have all the same typical service issue ammo that the military uses.

      The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry

      ...though neither do most military vehicles...

      while any armored military vehicle would shrug off an attack using weapons available to civilians

      Except for IEDs, for which we are having to redesign our entire fleet basically.

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Things have been going very, very badly for a long time. Companies like Coca-Cola and Nestle have their own military forces in third world countries. Corporatists have utterly taken over the majority of world governments. So while I agree with your premise, I don't agree with your conclusion. Civilians already have that capacity, and they always have, and things are already going that way.

      • by Threni ( 635302 )

        > Except for IEDs

        Exactly. Idiot goat farmers or whatever can take out the latest US vehicles again and again using cheap, readily available ingredients with innocous legal uses plus a digital watch or walkie talkie. Such a shame the whole miliary/industrial complex is based on attacking Russia or whatever.

        Remind me again, which month do I have to work until before I start earning money for me and not just the taxman?

        • by Shoten ( 260439 )

          Question: What are most IEDs made from?

          Answer: Artillery shells.

          Question: Can you buy artillery shells at Wal-mart? How about Home Depot? Radio Shack?

    • by hob42 ( 41735 )

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Right, because if they did, then civilians might rebel against an unjust, unpopular, non-representative government.

      Oh, wait. That's actually a founding principle of the USA: the government should be afraid of the people, not the other way around. The only way to ensure that is to make sure the people have the ability to overthrow the government and it's military forces, should the need arise.

    • by moeinvt ( 851793 )

      "...bullets fired from the primary weapons carried by military personnel..."

      There is no appreciable difference between the penetrating power of a projectile fired from a military rifle and one fired from the civilian equivalent of the same weapon. In fact, many of the civilian model AR-15s are "Mil-Spec" and a lot of the bulk ammo available is military surplus. The difference is only in rate of fire. Military versions can selectively fire in 3 round burst(or full auto on older versions).

      "military-grade b

  • by jiteo ( 964572 )

    The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets.

    You don't say.

  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Monday June 04, 2012 @09:12AM (#40208379) Homepage

    Once you are hit, it is already too late.

    What we as sysadmins and users should focus on instead is prevention.

    Unfortunately, prevention relies mostly on end user education. They will always download that cool image, or play that game, forward that e-card, etc. You can't cure user stupidity with technology. The car analogy would be, well, eliminate cars and make everyone take the train.

  • Who benefits from the success of Stuxnet, Flame, et.al.? The U.S. has a simple method, (publicly tested, and verified), of bringing down a countries entire electrical system, and that includes those systems that have backups. Anytime the U.S. wants to "turn off" the power to a country like Iran, it can. But the U.S. hasn't, so who else? I don't see complexity here, I see simple economic warfare. And I see where, Iran could easily handle a problem like a war with guns; but Iran is helpless against a war with
  • by sir-gold ( 949031 ) on Monday June 04, 2012 @09:37AM (#40208673)

    Of course they are out of their league with stuxnet and flame. The AV companies are used to fighting teenage hackers and Russian mobsters, they aren't prepared to fight the two of the highest funded militaries in the world (USA and Israel). It's hard to beat the enemy when they outnumber and "outgun" you by a factor of 100,000

    • by gweihir ( 88907 )

      Surprisingly though, Stuxnet was a good demonstration of how incompetent hackers will write their malware. There is quite a bit of mistakes, errors and incompetence in it. Of course, the Iranian defenders were even more incompetent, whit no independent safety systems on their centrifuges that would have prevented the damage. Really pathetic on both sides.

      This basically shows that you can get past current AV software with something that is not very good in any regard. It also shows that the AV approach is fu

  • by gweihir ( 88907 ) on Monday June 04, 2012 @10:23AM (#40209197)

    From a certain attacker competence and resource level upwards, a leaky bucket like Windows cannot be fixed anymore. It takes competent system administration on a solid platform and a minimal attack surface. It also takes quality engineering with security in mind on everything that is reachable over the network. Most current software is so pathetically insecure (and yes, that includes quite a bit of FOSS software), that no amount of add-ons will ever make it secure.

    On the other hand, software that was done with sound secure software engineering practices, competent personnel and adequate resources is very hard to attack and will quite often be impossible to attack. The saying that everything can be attacked is just a lame excuse for insecure software. It has no relation to what can actually be done.

    What the article also shows is that the reactive, try-to-patch-thousands-of-tiny-holes-on-insecure-platforms-by-external-software that the AV companies are selling is fundamentally limited. This is not a surprise to any real security expert.

  • by Corson ( 746347 ) on Monday June 04, 2012 @10:45AM (#40209411)
    Flamer has been out in the wild since cca. 2007, with a MS signed certificate, and the first IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Right, because all of these antivirus companies [wikipedia.org] are so dumb they cannot detect a 20 MB spyware pack on Windows machines for four years.
  • Consumer-grade (Score:5, Interesting)

    by mrex ( 25183 ) on Monday June 04, 2012 @10:52AM (#40209477)

    The most bothersome statement to me is right here:

    >consumer-grade antivirus products

    Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago. Why? Are the billions of dollars a year in claimed corporate losses to computer intrusions insufficient profit motive for someone to bring something better to market? Are we really expected to believe that billion dollar companies like Intel, Microsoft, Google, and Apple simply aren't up to the technical challenge, let alone government agencies like the NSA whose job it is supposed to be to protect the security of America's communications? I guess they're too busy violating that security to care, these days.

    The pace of progress on the consumer internet used to be blinding. Now, with the network mostly taken over by large corporations and the governments they are symbiotic with, and the capture of the knowledge and creative spheres by government dollars and NDAs, the internet is becoming just as dysfunctional as the lumbering dinosaurs all-too-willing to ruin anything and hurt anyone necessary to ensure their continued place at the head of the table.

    • Re:Consumer-grade (Score:4, Insightful)

      by cyberfunkr ( 591238 ) on Monday June 04, 2012 @12:19PM (#40210627)

      The most bothersome statement to me is right here:

      >consumer-grade antivirus products

      Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago.

      Agreed.

      One of my biggest issue most AV software nowadays is that they claim to be improving, but still use the same methodologies as always. What they are spending their money, time, and resources on is the f'n UI. In the end, I really don't need or want a pretty UI. Don't nag me about updates, just do it. I don't need a graph showing how many files were scanned per hour/day, just scan.I don't need a separate screen showing how well the mail scanner is working versus the web scanner. Just put a small icon in the system tray to say, "Your AV is running, Keep calm and carry on"

      If the software does find something, pop up a simple box saying, here is what was found, where it found it, why it thinks it's bad, and what should it do. Oh, and make sure that the name of virus is copy-able; so that I can paste it into a Google search and see details about what I'm up against.

    • by lgw ( 121541 )

      There was a recent /. article on how the military found and rmeoved a virus that got into the control consoles for some dones: "host based scanning". Anyone can do this - simply scan the suspect drive by mounting it in a machine known to be clean. The most c;lever rootkit in the world has to be in order to hide itself. Want to do that in realtime? Do everything in a VM and scan it from the host - problem solved.

      If the TPM hadn't been perverted into some anti-consumer DRM thing, we'd all have this alrea

  • MS has issued a security update KB2701704 [microsoft.com] that revokes some certificates, presumably the ones used in these attacks.

  • "Flame" isn't on the list of malware detected by the Microsoft Malicious Software Removal Tool. [microsoft.com] Why not?

Be sociable. Speak to the person next to you in the unemployment line tomorrow.

Working...