Slashdot Mirror


Antivirus Firms Out of Their League With Stuxnet, Flame

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"


  1. Helps when you have the OS companies helping by trout007 · · Score: 5, Interesting

    I mean seriously does anyone think the OS companies aren't in on this type of operation?

    It reminds me of the CIA-Xerox story.

    http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm

    --
    I love Jesus, except for his foreign policy.
    1. Re:Helps when you have the OS companies helping by Narcocide · · Score: 5, Interesting

      Well that's one good theory, but I suppose that if it's possible to make a virus like Stuxnet primarily target only computers that control Iranian uranium-enriching centrifuges it would also be possible to write the same virus to *avoid* activating itself anywhere in sight of machines owned by anti-virus corporations.

      There's still some level of plausible deniability here; the real question is what to do about the fact that installing anti-virus software in the first place is, while not effective enough, also the limit of most users' capability to secure their computers.

    2. Re:Helps when you have the OS companies helping by Anonymous Coward · · Score: 2, Interesting

      For that matter, an anti-virus expert would be a good person to ask how to get past anti-virus.

    3. Re:Helps when you have the OS companies helping by damien_kane · · Score: 2

      Not the OS companies, the AV companies
      Ironic, no, that a virus with a definite source that isn't an AV company is also immune to those same AV companies?

    4. Re:Helps when you have the OS companies helping by Anonymous Coward · · Score: 1

      Well, who were these files digitally signed by? Whose private key was used?

      If I understand this correctly, pretty much anyone can digitally sign something with a private key and, for a fee, people (that Microsoft deems trustworthy) can get their public keys registered, right? And someone with a registered public key, say a graphics card or other driver manufacturer, can then theoretically sign malware without Microsoft's knowledge or consent. Microsoft will only try to authenticate the public keys of parties they deem to be trustworthy but, beyond that, they have little control over what code authenticated parties write (unless they later detect malicious code and revoke the key, I presume, but how practical is it to police all signed code?).

      So how hard is it for the U.S. government to get a public key registered (or to gain access to the private key of a registered public key)? What kinda software does the govt make?

      It would be interesting to know exactly what public key was used to authenticate this hidden code and who it is registered under.

    5. Re:Helps when you have the OS companies helping by trout007 · · Score: 5, Informative
      --
      I love Jesus, except for his foreign policy.
    6. Re:Helps when you have the OS companies helping by PPH · · Score: 5, Interesting

      The tin foil hatters who worry about NSA-mandated back doors should be worrying about how many code signing keys the CIA/FBI/NSA/Pentagon have extracted from Microsoft. Or borrowed from gov't contractors (Boeing/Lockheed/etc).

      And how many US based AV companies, have "found something" out there on the Internet and put it into their database. But then failed to act on it at the behest of one of these TLAs.

      That may be one reason Kaspersky has blown the whistle on a few things recently. How is the NSA going to call a Russian company and ask them to sit on some information without that making its way into their intelligence services? And used as leverage in future political events?

      --
      Have gnu, will travel.
    7. Re:Helps when you have the OS companies helping by stephanruby · · Score: 3, Insightful

      Sure, the OS companies. Yes.

      But not the anti-virus companies, which is what we're talking about here. The anti-virus companies are just script kiddies. Their core competencies are public relations and cookie scaremongering, but that's all. They do not pay people to do original research, that would cut into their profit margins.

      If they can detect something, it's only because someone else did the research and posted it on their blog. Once someone has written some manual instructions for detecting the malware and removing it, the anti-virus companies are capable of writing a script that tries to do the same automatically, but even that sometimes stretches the limit of their capabilities since they can't even do that part correctly many of the times.

      The real research is done by people like Mark Russinovich (and yes, you don't have to trust anything he has written after his company was acquired by Microsoft, you can just take a look at his oldest blog posts first -- which pre-date the acquisition).

    8. Re:Helps when you have the OS companies helping by Impy+the+Impiuos+Imp · · Score: 1

      Intelligence agencies are motivated and find good people. Fraudulent botnets and scams in near-failed states are motivated highly. Antivirus companies have incompetent managers who rub their chins and hire some random, poorly-motivated programmers and call it a night.

      It's the difference between government lawyers and the OJ defense team.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    9. Re:Helps when you have the OS companies helping by mrex · · Score: 4, Insightful

      Right down to Microsoft's "mistake" in their Terminal Server certificate assignment process, that "accidentally" allowed those certificates to be used to sign code.

    10. Re:Helps when you have the OS companies helping by mrex · · Score: 1

      >Not the OS companies, the AV companies

      Not an either/or. All these big companies know who butters their bread, and jump at the chance to work with "007" anyway.

    11. Re:Helps when you have the OS companies helping by Makmanak · · Score: 1

      I had to read the title a few time because I thought it said "Antivirus Firms IN LEAGUE With Stuxnet, Flame" -- it makes sense that way.

    12. Re:Helps when you have the OS companies helping by couchslug · · Score: 1

      "The tin foil hatters who worry about NSA-mandated back doors" shouldn't be running Windows for anything but gaming....

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    13. Re:Helps when you have the OS companies helping by ganjadude · · Score: 2

      He actually didn't say anything other than post the link that it was a Microsoft-signed article

      yeah, i know, dont feed the trolls

      --
      have you seen my sig? there are many others like it but none that are the same
    14. Re:Helps when you have the OS companies helping by hairyfeet · · Score: 1

      Yes I seriously think the OS companies aren't "in" on this type of operation because it's simply too easy to pull off without them and too hard to keep something a secret in a large org like an OS company.

      Try picking just ONE of those components out and see how bog standard common they are now, I know I found over a dozen legitimate applications on my system that use SQLite, from my browser to my network bandwidth monitor. SQLite made having little DBs so damned easy that tons of companies jumped on board, why bother making your own file formats and storage solutions for your data when SQLite is right there and free to use?

      In the end your argument would make as much sense as saying "The OS companies must be in it because they used a txt file ZOMFG!" because the REASON these technologies are so damned common is because they solve a shitload of problems that programs big and small had, nothing more. I'd love to see a list of how many companies use SQLite in their applications because I bet that list would be tens of thousands and more added by the month. Hell I'd have to wonder if the malware writers used SQLite because they wanted to "hide in plain sight" as much as they simply had a problem SQLite solved and that was just a happy side effect for them? Because if I was building an app that needed to store data SQLite would probably be the first thing that came to mind; it's small, it's easy to use, it just makes sense.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re:Helps when you have the OS companies helping by nobodyatnowhere · · Score: 1

      How do you know they aren't putting trojans on your linux box through signed updates?

    16. Re:Helps when you have the OS companies helping by Anonymous Coward · · Score: 1

      Yup, I seriously think "OS companies aren't in on this type of operation".

      There are practical reasons to avoid using the backdoors. You want to restrict access to such secrets to the fewest agencies, and the fewest departments and personnel within those agencies. You want to preserve using such a secret until you don't have /any/ other options. You want to avoid using such a secret for an attack, and instead use it sparingly for recon, because attacks draw much more attention. You want that scarcity to help you to develop other methods to preserve your trump card as long as possible. And also you want to avoid using it in case somebody out there has already found your backdoor, and is watching you use it; you must never presume your secret is still secret.

      That much is just off the top of my head, first coffee here; yeah there are serious reasons to think the OS companies might not be in on this. These are basic security protocols. It doesn't necessarily follow that advanced nation-state cyberwar methods must rely on backdoors.

    17. Re:Helps when you have the OS companies helping by Deliveranc3 · · Score: 1

      It happened to do something to Iranian centrifuges. It probably did something different on journalist or senator PCs that caught the virus.

      What the system needs is more honeypots monitoring net activity and changes to the system image.

      It will be tough considering how big systems are and how difficult it is to simulate all user activity but it should be sufficient to find a lot of drive by trojans and viruses, if not user installed malware.

    18. Re:Helps when you have the OS companies helping by kestasjk · · Score: 1

      I definitely don't like anti-virus companies or products, but what about Symantec's research into Stuxnet? I think that was original research, and quite comprehensive.

      --
      // MD_Update(&m,buf,j);
    19. Re:Helps when you have the OS companies helping by kestasjk · · Score: 1

      A software company making a mistake? Yeah, right..

      --
      // MD_Update(&m,buf,j);
    20. Re:Helps when you have the OS companies helping by DMUTPeregrine · · Score: 1

      How do you know your CPU doesn't have backdoors built in? How about your network card/motherboard? Video card?

      --
      Not a sentence!
    21. Re:Helps when you have the OS companies helping by stephanruby · · Score: 2

      Then, how do you interpret the first line of the specific article you linked to?

      Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

      That Dutch Profibus expert was Rob Hulsebos, Industrial Network Expert and Owner of Enode Networks. The guy is an independent consultant, and could use the publicity. Don't you find it odd that Symantec didn't name him as their source?

      Granted, he may have been under contract at the time, or he may have had a thousand and one reasons not to be quoted by name directly (liability reasons, or whatever).

      In any case, the anti-virus companies are really not incentivized to reveal their original sources. I don't know if this is what happened in this case, but then again, I have a pretty low opinion of anti-virus companies so I may not be objective in all of this.

    22. Re:Helps when you have the OS companies helping by Pseudonym · · Score: 1

      The anti-virus companies are just script kiddies.

      Some of them are. You need to send a script kiddie to catch a script kiddie.

      Some of the engineers working at anti-virus companies are the most brilliant and talented hackers you've (clearly) never met. It's one of the few white-hat jobs left for diehard assembler programmers. You know those old-skool mainframe skills, like binary patching executables? These people can still do it.

      The problem is that, to use the biological analogy, Stuxnet isn't a virus. Viruses have small payloads. Stuxnet, on the other hand, is indistinguishable from a serious application. Asking an anti-virus company to track down Stuxnet is like sending a microbiologist to catch a serial killer.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    23. Re:Helps when you have the OS companies helping by DMUTPeregrine · · Score: 1

      The NSA has a very big budget. The NSA has quite a lot of very skilled people working there. If you're trying to keep an organization with their resources out you have to verify everything, including the hardware.

      --
      Not a sentence!
  2. First, antivirus authors used generic tools to... by ArsenneLupin · · Score: 4, Insightful
    ... write their warez. And they were easily disassembled, and recognized for the evil they were.

    Then they started using custom packers and obfuscaters, making them as hard to reverse engineer as Skype.

    But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...

    So, now they went back to using generic tools and libraries. Full circle!
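
The packer-detection step in the cycle above, as an added example that is not part of the original thread: scanners flagged packed binaries largely on byte entropy, since compressed or encrypted payloads look random while ordinary code and data do not. The "sections" here are constructed byte strings rather than a real PE section table, and the 7.0 bits/byte cut-off is an assumed threshold, so the script runs offline.

```python
# Added example (not from the original thread): an entropy heuristic of the kind
# used to spot packed executables. Sections are constructed, not from a real binary.
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_packed_sections(sections, threshold=7.0):
    """Return the names of sections whose entropy is at or above threshold.

    Compressed or encrypted packer payloads sit close to 8.0; plain code and
    data rarely pass about 6.5, so 7.0 is an assumed but typical cut-off.
    """
    return [name for name, data in sections if shannon_entropy(data) >= threshold]


def _pseudo_random(nbytes: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section."""
    out, total, counter = [], 0, 0
    while total < nbytes:
        chunk = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        out.append(chunk)
        total += len(chunk)
        counter += 1
    return b"".join(out)[:nbytes]


# Constructed sample sections: a text-like blob (low entropy, stands in for the
# "generic tools and libraries" look) and a pseudo-random blob (what a packer's
# compressed or encrypted payload looks like to the scanner).
TEXT_SECTION = b"SELECT name FROM hosts WHERE last_seen > ?; " * 100
PACKED_SECTION = _pseudo_random(4096)
SAMPLE_SECTIONS = [(".text", TEXT_SECTION), (".rdata", TEXT_SECTION), ("packed", PACKED_SECTION)]

if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS:
        print(f"{name:8s} entropy={shannon_entropy(data):.2f}")
    print("suspicious:", flag_packed_sections(SAMPLE_SECTIONS))
```

The heuristic is cheap but blunt: compressed resources and legitimately encrypted data trip it just as readily, which is the false-positive pressure that makes "unpacked code built from ordinary libraries" the quieter choice the comment describes.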

  3. P.S. by CajunArson · · Score: 5, Insightful

    If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:P.S. by Opportunist · · Score: 3, Funny

      Not wanting to break NDAs but: You overestimate the intelligence in intelligence...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:P.S. by drinkypoo · · Score: 3, Interesting

      If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

      Why not? Granted, they have access to all the same attacks the rest of us do, but Windows is the only operating system whose back doors they are in a position to be effectively the sole parties familiar with them. Remember when Microsoft was shown to be guilty of violating its monopoly status? Remember how nothing ever came of that? No, something came of that. Microsoft is now a part of the same group of assholes that controls politics in america. Bill Gates is in like Flynn; he does as he's told and controls vast sums.

      You may have noted (here and elsewhere) that the US government told people to use Vista for security. That announcement was met with loud guffaws here on Slashdot, but I presumed then and presume now that it was because it's the operating system they're deepest into. But presumably they've been deep into Windows since NT.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:P.S. by CajunArson · · Score: 1

      You obviously didn't bother to RTFA did you? Did you notice the list of components that were found in Flame? Lessee here: OpenSSH, OpenSSL, Lua, Sqlite...

      Hrm.. now, what OS is most likely to have all of these components already installed by default so that an attacker doesn't even have to bother installing them AND so that it will be even harder to detect the malware since those tools are expected to be installed on the system anyway... I KNOW! That system *MUST* be Windows because Microsoft is known to build all of its products on open source software! [/sarcasm]

      I can bet you that a very large percentage of Linux boxes have all of those tools, except for Lua, already installed. A bunch of the desktop/workstation systems might have Lua too, and malware could simply get a legitimate Lua package from a legitimate repository to make it look like Lua belongs on the system in the first place.

      If I saw all that stuff on a Windows machine and didn't already know why that stuff was installed in the first place, then red flags would go off, but on Linux I'd expect all that stuff to be there just because of normal package dependencies!

      But hey, you had the usual mouth-breathing M$-conspiracy-I'm-still-living-in-1998 drivel post, so that MUST be the reason that Linux is magically and completely invincible while Windows always sux0rz.

      --
      AntiFA: An abbreviation for Anti First Amendment.
    4. Re:P.S. by Johann+Lau · · Score: 1

      so that MUST be the reason that Linux is magically and completely invincible

      what? who said anything remotely resembling that?

      if you didn't like the post you replied to, try addressing it. instead of just spazzing and making a boo boo. geez.

    5. Re:P.S. by hairyfeet · · Score: 2

      I'm sorry friend but you are dead wrong and in fact I'd argue that many of the open source projects would probably be EASIER to plant bugs in than Windows, why? Because there are a ton of projects that are made up of a handful of guys that are always understaffed. Don't think those guys would welcome a highly skilled volunteer from XYZ Corp? And just because the code is open don't mean any people with the skills to spot a highly obfuscated bug actually look at the code, look at how an infected Quake 3 was in the repos for over a year and a half.

      So I'm sorry friend but all it takes is money and desire and the three letter agencies have both in abundance so it really wouldn't be hard. Look at how many packages are used in damned near every distro, now tell me have YOU looked at the code for all those common packages? How well do you know the teams that made them? It's not magic, folks: you find a weak spot and exploit it, and with so many FOSS projects understaffed that is a nice target for exploitation, pure and simple.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:P.S. by drinkypoo · · Score: 1

      I'm sorry friend but you are dead wrong

      I might be, but your link doesn't show that. It's FUD. I remember that FUD. If there is anything substantive, you may link it.

      just because the code is open don't mean any people with the skills to spot a highly obfuscated bug actually look at the code, look at how an infected Quake 3 was in the repos for over a year and a half.

      Ah yes, mission-critical software like Quake 3 is often used as a vector.

      Look at how many packages are used in damned near every distro, now tell me have YOU looked at the code for all those common packages?

      Most of the packages that many people depend on really are looked at by many eyes on a regular basis.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:P.S. by hairyfeet · · Score: 1

      Then let's see your link drinkypoo, let's see a list of these "many eyes" or even a single study showing patches given by actual non-corporate paid workers. You can't just pull "many eyes" out of your ass because I could argue the same thing for Windows; after all, if I sign an NDA and pay $10k I can look at the source as well, but that wouldn't magically give me the ability to spot an obfuscated bug.

      And how exactly is many eyes not just another case of the mythical man-month, which has been shown to be just that, a myth? Just because you can look at the code doesn't magically give you the power to read it you know. A software developer with the skills to actually spot obfuscated bugs is a hell of a lot rarer than a weekend coder, and I urge you to read the code at the Obfuscated C Code Contest and you'll see that even KNOWING the code is a trap, being given knowledge of HOW the code is a trap, being able to spot the actual trap itself? FUCKING DIFFICULT. Now you honestly think some weekend coders are gonna be able to spot obfuscated code in some low level package used in many distros that nobody messes with? Hell I bet my last dollar that most of the code in your average distro isn't looked at by anybody other than the ones that wrote the thing and without links or citations my view is JUST as valid as "many eyes".

      --
      ACs don't waste your time replying, your posts are never seen by me.
  4. Please, it's "Lua", not "LUA" by TimHunter · · Score: 5, Informative

    "Lua" (pronounced LOO-ah) means "Moon" in Portuguese. As such, it is neither an acronym nor an abbreviation, but a noun. More specifically, "Lua" is a name, the name of the Earth's moon and the name of the language. Like most names, it should be written in lower case with an initial capital, that is, "Lua". Please do not write it as "LUA", which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write "Lua" right!

    http://www.lua.org/about.html

    1. Re:Please, it's "Lua", not "LUA" by Anonymous Coward · · Score: 1

      1U4 is much 13373r

    2. Re:Please, it's "Lua", not "LUA" by Cthefuture · · Score: 1

      Heh, I came here to make the same post.

      And anyone interested in high-performance computing/scripting should check out LuaJIT. One of the coolest software projects ever. Imagine a simple, powerful scripting language that runs as fast (or really close) as compiled C. Kick-ass fast built-in FFI interface and super easy to embed.

      --
      The ratio of people to cake is too big
    3. Re:Please, it's "Lua", not "LUA" by Eth1csGrad1ent · · Score: 5, Funny

      Ahh yes, Lua... that's tied to Angry Birds isn't it?

    4. Re:Please, it's "Lua", not "LUA" by danbuter · · Score: 1

      Reminds me of people who use PERL instead of Perl.

    5. Re:Please, it's "Lua", not "LUA" by jones_supa · · Score: 1

      Then there's people who add extra camel case, such as writing "MicroSoft".

    6. Re:Please, it's "Lua", not "LUA" by Anonymous Coward · · Score: 1

      Reminds me of people who use PERL instead of Perl.

      But those may be genuinely confused by the common backronym "Practical Extraction and Report Language".

    7. Re:Please, it's "Lua", not "LUA" by BanHammor · · Score: 2

      Just add an extra vertical line here, and you are all set.

    8. Re:Please, it's "Lua", not "LUA" by jones_supa · · Score: 1

      I see.

    9. Re:Please, it's "Lua", not "LUA" by Jiro · · Score: 1

      It looks like an acronym to people. While no single characteristic necessarily will cause people to treat a word as an acronym, a combination of characteristics will. It has no obvious meaning, it doesn't look like a word or a name, it's relatively short, and it uses odd combinations of letters.

  5. It is very simple. Virus "protection" isn't by Anonymous Coward · · Score: 5, Insightful

    You cannot solve the virus problem as it is an impossible situation.

    The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

    The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.

    Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross licensing powers could hire... but they usually also have "anti-poaching" agreements as well. This results in the lack of cross training in various techniques of programming, and promote internal bad practice... and the development of bad policies on how to program.

    1. Re:It is very simple. Virus "protection" isn't by RobbieThe1st · · Score: 5, Interesting

      To be fair, giving out your OS encryption keys to "friendly" nation-states for signed malware basically means that your OS, no matter how securely designed, will always have such malware.

    2. Re:It is very simple. Virus "protection" isn't by localman57 · · Score: 4, Interesting

      The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

      I agree with the second part. The first part is probably wishful thinking with the exception of products that are small enough or well funded enough that you can do proofs of their security (such as a couple of the real-time operating systems out there).

      I think it's interesting to look at the way that safe vault makers approach this problem. No safe maker ever guarantees their safe to be uncrackable. Rather, they have a standard which basically says "A well qualified attacker with knowledge of the safe's internal workings, but no knowledge of the combination or access to the keys can be expected to breach this safe in X amount of time." They know it's a matter of when, not if. Encryption software people seem to get this as well.

    3. Re:It is very simple. Virus "protection" isn't by camperdave · · Score: 3, Interesting

      I've always wondered about "selfing" the software installed on a machine. In the body, cells that are part of the body are identified with a protein marker, and the immune system ignores cells with that marker. When a cell does not have that marker, it is considered a foreign invader and is destroyed. So, with software, you would have to add a marker code to it - branding it, as it were - for it to be acceptable to the antivirus software. Essentially, it would be a whitelisting system.

      --
      When our name is on the back of your car, we're behind you all the way!
    4. Re:It is very simple. Virus "protection" isn't by Anonymous Coward · · Score: 5, Interesting

      You don't even need to "give" them out. Flame was "signed by Microsoft" by exploiting a vulnerability in Terminal Services Licensing Server.

      "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

      from "Microsoft releases Security Advisory 2718704"

    5. Re:It is very simple. Virus "protection" isn't by jythie · · Score: 4, Insightful

      Thing is, even with those proved systems, no amount of security is going to stop a good social engineering attack. At some point all systems will have some mechanism for changing their functionality unless the whole thing is ROM and has a hardware enforced switch for being able to change things... and even then all you need is one careless tech or a corrupt contractor and poof, you are infected.

      Technological solutions can improve the situation, but are not a panacea.

    6. Re:It is very simple. Virus "protection" isn't by camperdave · · Score: 1

      No. Whitelisted by the USER, not by some third party corporation.

      --
      When our name is on the back of your car, we're behind you all the way!
    7. Re:It is very simple. Virus "protection" isn't by donutz · · Score: 1

      A good idea in theory, but in practice, a pain in the butt that most people will not want to deal with.

    8. Re:It is very simple. Virus "protection" isn't by drinkypoo · · Score: 5, Interesting

      When Microsoft finally got around to making a new TCP stack for Vista they reintroduced all the old bugs that were in the old stack because they proceeded from the same assumptions, forgot everything they learned improving the old stack, and went boldly forth like complete assholes. As a result you could teardrop or LAND Vista RCs. How does this happen? Because they were not using good programming practices.

      So it's true, you can't make NO vulnerabilities. But you CAN adopt not just good but proper practices that reduce the number of vulnerabilities you create. This is something Microsoft should try.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:It is very simple. Virus "protection" isn't by roothog · · Score: 2

      You should look up Stephanie Forrest's research. She's been doing things like that for the past 20 years. To give you an idea, she has a mid-90's paper called "A Sense of Self for UNIX Processes".
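
The core of that "sense of self" approach, as an added example that is not part of the original thread or of Forrest's code: a profile of normal behaviour is the set of short system-call windows observed while a program runs cleanly, and a new trace is scored by how many of its windows never appeared in that set. The traces, the window length of 3 and the 20% mismatch threshold are constructed for illustration (the paper's own traces and parameters are not reproduced here).

```python
# Added example (not from the original thread): n-gram system-call profiling in
# the style of "A Sense of Self for UNIX Processes". All traces are constructed.


def build_profile(traces, n=3):
    """Set of every length-n window of consecutive system calls in normal traces."""
    profile = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile


def score_trace(trace, profile, n=3):
    """Return (unseen_window_count, total_window_count, list_of_unseen_windows)."""
    windows = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    unseen = [w for w in windows if w not in profile]
    return len(unseen), len(windows), unseen


def is_anomalous(trace, profile, n=3, max_mismatch_rate=0.2):
    """Flag a trace whose share of never-seen windows exceeds the assumed rate."""
    unseen, total, _ = score_trace(trace, profile, n)
    return total > 0 and unseen / total > max_mismatch_rate


# Constructed "clean" runs of one program: open a file, map it, read, write, close.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "read", "write", "close"],
    ["open", "read", "mmap", "close", "read", "write", "write", "close"],
    ["open", "read", "read", "mmap", "mmap", "close", "write", "close"],
]
# A clean run not used for training; every window of it was still seen before.
HELD_OUT_NORMAL = ["open", "read", "mmap", "mmap", "close", "read", "write", "write", "close"]
# The same program spawning a child and opening a network connection instead.
ATTACK_TRACE = ["open", "read", "mmap", "mmap", "close", "fork", "execve",
                "socket", "connect", "write", "close"]

PROFILE = build_profile(NORMAL_TRACES)

if __name__ == "__main__":
    for label, trace in (("held-out normal", HELD_OUT_NORMAL), ("attack", ATTACK_TRACE)):
        unseen, total, windows = score_trace(trace, PROFILE)
        print(f"{label}: {unseen}/{total} unseen windows, anomalous={is_anomalous(trace, PROFILE)}")
        for w in windows:
            print("   unseen:", " -> ".join(w))
```

The profile is per program and says nothing about intent: a fresh process that is "indistinguishable from a serious application", as another commenter puts it, simply gets its own normal profile. What this does catch is a trusted binary that starts behaving differently from its own history, which is the kind of deviation a signature scanner has no way to notice.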

    10. Re:It is very simple. Virus "protection" isn't by Kijori · · Score: 1

      I think maybe that blaming either company - either the OS designer or the AV company - is a little unreasonable. The AV companies were out of their depth, as the article says; the OS team are also out of their depth here. But is that really a surprise? Is this really something that it's reasonable to expect them to be able to cope with?

      Even if you hire the best locksmiths and builders around a government agency will still be able to get into your house. If you hire the best bodyguards in the world a nation state could still have you assassinated, or kidnapped. In all three cases they can probably even make it undetectable, or at least untraceable - and our security companies are much more familiar with the physical world than the digital one.

      The truth is that a nation state operates on a different level to these companies. Expecting a modern operating system and AV suite to protect you against a determined, specific attack by a well-resourced team of experts is hopelessly optimistic.

      The only reasonable response to this news, I think, is to shrug. Of course nation-states were able to compromise computer security. Anyone who thought about it knew that they inevitably could well before Flame was discovered.

    11. Re:It is very simple. Virus "protection" isn't by ratboy666 · · Score: 1

      But... isn't that already done?

      Isn't tripwire available for Windows? http://www.tripwire.org/ (sorry, I only have experience with the Linux version, part of the standard Fedora/Redhat repositories).

      I've been using it for years on my systems. Just seems to be a sensible part of a protection plan. (I got a laptop rooted once -- tripwire detected it, and I've never been without it since).

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    12. Re:It is very simple. Virus "protection" isn't by Johann+Lau · · Score: 1

I guess some people used to think that way about safety belts, until inertia convinced them otherwise. Virus infections cost time and money at best, at worst they destroy irreplaceable data... so if people won't wise up, viruses will force them to. Just like it works with actual biological infections. I guess only the really smart kids, of which I wasn't one, brush their teeth regularly even though they never had a toothache or heard the drill of a dentist. Why would they bother, right? Sure, some never learn, but usually a painful experience or two helps the whole process along better than anything else could.

It's ultimately not only a matter of "wanting" to deal with it. At some point there's just no choice. Yes, people can choose to not be healthy, until they die of it, and then that's that. Same for computers (which, just like us, will die either way at some point ^^). You can ignore it; until you've lost your stuff and/or find yourself disconnected because your network peers protected themselves from your lack of protecting yourself. "If it's too much work for you to not have rabies, then it's too much work for me to hug you". We all do that all the time, for good reason - why not apply it to the digital domain? How can we even afford not to?

    13. Re:It is very simple. Virus "protection" isn't by strikethree · · Score: 1

      Isn't that what code signing is supposed to do?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    14. Re:It is very simple. Virus "protection" isn't by lennier · · Score: 1

      The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

But... but that's unpossible! It would require developing an industrial software development infrastructure actually capable of telling the difference between a product that meets its design specification and a damp herring before the product was shipped! This is known to be an absolutely zero-chance mathematically unsolvable problem!!! Nobody can test or prove anything about software because magic and the Halting Problem! Also C++ is the best language ever and automatic range checks are for sillies!

      I really don't understand the software industry. We're in the business of automating things. We know that programmers are making mistakes. Therefore, the sensible thing is to automate away the things that programmers make mistakes at. But anytime someone suggests doing the obvious right thing and improving our tools, all the programmers scream like children forced to put their toys away and go to bed on time.

      Why are programmers so allergic to automation?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    15. Re:It is very simple. Virus "protection" isn't by lennier · · Score: 1

      The AV companies were out of their depth, as the article says; the OS team are also out of their depth here. But is that really a surprise? Is this really something that it's reasonable to expect them to be able to cope with?

      Yes, because software is mathematics - the only vulnerabilities it contains are the ones we put into it. The vulnerabilities are only there because the product, fundamentally, does not do what it is specified to do. (Although strictly speaking, for security, it's usually the case of does what it is specified not to do). And that means one of several things:

      1. Software companies are not bothering to test that their product meets specifications (including basic "is the product safe for sale" - the equivalent of food safety or airline safety)
      2. Software companies are not bothering to even have correctly defined specifications to test against
      3. Software companies are actually UNABLE to test that their products meet specification
      4. Software companies are actually UNABLE to create testable specifications

      therefore one of these two deeper problems must be true:

      5. Software companies are fundamentally corrupt and do not do the basic due diligence required to ship Internet-connected software

      or an even worse possibility:

      6. Not only software companies but the entire software industry is actually, at a deep mathematical level, unable to tell a working program from a dangerously unsafe failing one.

      Personally, I doubt #6 since the hackers seem to be detecting vulnerabilities just fine. So I think it's #5 and that tools and techniques exist, should we choose to use them, that can prevent security errors. But we would have to redesign our software from the language and OS on down, because we've not built using the knowledge we currently possess.

      We built this mess. We can unbuild it. Who's going to care enough to fix it?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    16. Re:It is very simple. Virus "protection" isn't by Kijori · · Score: 1

      I think you're being a little bit unfair with possibilities like "software companies are not bothering to even have correctly defined specifications to test against", and that they're "unable to tell a working program from a dangerously unsafe failing one". For you to consider either of those things to be serious failings you have to believe that it is reasonably possible to create a complete specification that sets out exactly what behaviour is expected from an OS in every situation. Not only that, but the specification itself has to be perfect: a mistake or a false assumption going into the specification will lead to an OS that validates against it but isn't secure.

      Believing that that is possible is already pretty optimistic. The specification would be the most complicated document ever created; even if it's less likely to contain errors than the equivalent amount of code, the chances of every specified response and every underlying assumption being correct are tiny.

      Believing that it is practicable is not just optimistic, it's insane. Bear in mind that formal verification of the OK microkernel, with about 9000 lines of code, took a team of 12 researchers 4 years. Google suggests that the Windows kernel contains over 40 million lines of code (for comparison the Linux kernel apparently contains 15 million, so it doesn't look like the Windows kernel is excessively large). Assuming that Microsoft can refine the verification process to be 10 times faster, and that it's possible to further speed up verification by simply throwing more researchers at it, it would still take a team of 500 researchers working full-time to allow one release every 10 years. And that's not including time spent drawing up the specification or altering it when technological progress leaves it out-of-date.

  6. Maybe it's up to the OS by Dan9999 · · Score: 5, Interesting
    AV software is picking up the slack for badly designed operating systems. Kernels, drivers, the shell, the UI of software, management control and process control have all spiralled out of sync in their evolution in all OSes bar none which is a perfect breeding ground for this.

    Come on OS's, raise that bar so that AV companies can do the same.

    1. Re:Maybe it's up to the OS by KiloByte · · Score: 1

... which can search the storage on a Unix system looking for Windows viruses.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Maybe it's up to the OS by buddyglass · · Score: 1

      For the most part, yes. On the other hand...

      I certainly wouldn't feel the need to run AV if I were using a Linux workstation. That said, the comment I responded to made it seem as if a Linux user has so little use for AV that he can't even remember what the acronym stands for. Given malware is still a threat to Windows environments and given Linux machines can be used to propagate these attacks, it's not the case that a Linux admin is free to ignore AV entirely. For instance, if you're in charge of a Linux-based mail server that's going to be used by Windows-based clients, you should really have some sort of AV solution in place, even if it's only going to be looking for (and finding) malware that targets Windows.

    3. Re:Maybe it's up to the OS by mcgrew · · Score: 1

      AV software is picking up the slack for badly designed operating systems.

I know of only one operating system that needs AV. Are you telling me that MacOS, iOS, BSD, OSX, and Linux need AV? Because I've never heard of a virus in the wild ever attacking any of those OSes.

      Call a spade a spade: AV software is picking up the slack for Microsoft's badly designed operating systems (and MS shills and fanbois with mod points be damned).

      Microsoft needs to get its act together. Microsoft is the culprit here, and is the sole reason botnets exist.

    4. Re:Maybe it's up to the OS by Dan9999 · · Score: 1

      You may be right about the others (MacOS maybe less) but there are also the androids out there where the OS trusts processes to be quiet when minimized. I'll tell you now that with thousands of apps out there, I think trust should be off by default. It's one example of how OS's haven't evolved. But you make a good point about Linux, who would want to write a virus for spaghetti userland!!

  7. Wah... by Anonymous Coward · · Score: 5, Funny

    Wha. We suck. But, what can you do?

    Your subscription has expired. Please upgrade to Our Steaming Pile 2013. Now with more steam. Also, we hid some options to make it more challenging/interesting for you!

  8. NO SHIT by GeneralTurgidson · · Score: 1

    Your products do have a tendency to delete system files though. Maybe antivirus software should be a bit more than writing definitions to known CVSs and some anomaly engine which thinks every file in a profile directory is suspicious. While antivirus software is another layer of security, it's a pretty shitty one.

  9. Conspiracy theory by seyfarth · · Score: 3, Interesting

    With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

    --
    Ray Seyfarth, ray.seyfarth@gmail.com, http://rayseyfarth.blogspot.com
    1. Re:Conspiracy theory by Anonymous Coward · · Score: 1

      ...or might have to help by law...

    2. Re:Conspiracy theory by synapse7 · · Score: 1

      I just pushed out a root cert revocation update to help fight the untrusted Microsoft cert that was used for this. I wonder if this "flame" was meant to target the public, or another attack that got out of control?

  10. Re:First, antivirus authors used generic tools to. by Toth · · Score: 5, Interesting

    Interesting article at the Internet Storm Center "Why Flame is Lame"
    http://isc.sans.edu/diary.html?storyid=13342#comment

  11. Security theater...just like the TSA by techsimian · · Score: 1

Crappy malware and anti-virus both crush the performance of the machines they're on... why bother? Oh yeah, and the anti-virus software doesn't work. Is it just to keep the masses from spreading too much?

  12. Of course... by cffrost · · Score: 1

    Anti-virus software companies need to acquire, profile, and create removal code for new threats before they can do much to mitigate it. Now obviously, that's going to take genuine time and effort in cases where they didn't write the virus themselves.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
  13. Failed to detect? by Scutter · · Score: 1, Redundant

    By the author's own admission, they didn't "fail to detect". They HAD copies of the virus in their reporting database but ignored them. Why are customers reporting samples if the antivirus companies aren't paying any attention? I'd like to hear more on that explanation and not more excuses like "well, it works like a business database".

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    1. Re:Failed to detect? by AHuxley · · Score: 2

It's Windows, a long list of new code efforts every day, in the wild and doing damage to end users' systems.
      They get the worst first and work back.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Failed to detect? by Johann+Lau · · Score: 1

      Having it in the reporting database, what does that mean, exactly?

      I'm totally guessing here, but let's say the AV software sends checksums/logs of suspicious files/activities detected via heuristics.

Then those sit there in the database, until someone looks at them. You can't just delete files from millions of computers without actually having looked at a disassembly, network traffic, whatever (I have no idea how that works in detail), to make absolutely sure it's a virus. No heuristic is that good.

I'm not sure what triggers someone to look at it, but I bet you they have TONS of checksums and files in their database, which they never got around to looking at. Not because they're lazy, but because to hire that many people to inspect everything instantly, before it became a problem, would make the software cost like 5000 bucks per license... we're talking about automatically collected files from millions and billions of machines.

      And now that the virus made the news, it's trivial to search for that stuff and realize "oh wait, we already had that in the database, we just didn't know it's important". How *could* they have known?

      And then there's the whole "shady black ops" stuff. We're talking about viruses that might be made by governments, and you bitch at AV companies? Seriously? People pay nothing up to very little for antivirus software. Do you have the faintest idea how much budget we, collectively and worldwide, are pumping into the pockets of the bad guys, how eagerly we offer our services and resources? It's not the same ballpark, not the same league, not even the same fucking game. You can't train someone in martial arts for 20(00) years and feed them choice meat, and then scream at the starving child that doesn't manage to knock them out. That's just sick, but oh well.

  14. AV companies outside their element? by slack_justyb · · Score: 5, Informative

    I've not held much faith for anti-virus companies. Never was I under the idea that AV software would stop a *real* virus. To me, anti-virus software is just a way to keep the script kiddies and adware ActiveX controls off a system. Good computing habits preclude the need for AV software. Just my two cents.

    1. Re:AV companies outside their element? by upside · · Score: 4, Informative

      Pretty much what Mikko Hypponen is saying in the article:

      The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

      --
      I'm sorry if I haven't offended anyone
    2. Re:AV companies outside their element? by Kjella · · Score: 4, Insightful

      Good computing habits preclude the need for AV software. Just my two cents.

And how exactly would you know if mozilla.com has been compromised or if someone is running a MITM on you? Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised? Good computing habits are good enough for my single consumer desktop, but they're not exactly hardened servers with tripwires, traffic policies, alerts and intense traffic monitoring. If they send a "real" virus directed towards me, I wouldn't bet too much on my good habits. It's all relative to the threat level, just like my apartment is fairly safe against common burglars but it's not exactly a jeweler's shop with millions in value nor is it a military bunker.

As for AV software, yes I run it as a second opinion. Personally I don't think I'm too smart to make a blunder, or the odd combination of a seemingly trusted download and an old virus signature the AV will detect. Besides, how do you know your own opinion is correct? It's not like they announce themselves, it could be sending out your credit card info and be a proxy to everything without telling you. The silent ones are far more dangerous than the popup infestations and ransomware.

      --
      Live today, because you never know what tomorrow brings
    3. Re:AV companies outside their element? by slack_justyb · · Score: 2

it could be sending out your credit card info and be a proxy to everything without telling you

Don't use your credit card for online purchases, or in my case, set up a secondary bank-backed CC that has limited access to your primary funds. Move funding into the secondary as needed. Even if they get the CC number I use on the Internet, at best they are leaving with $11.38 at the current moment.

      or if someone is running a MITM on you

Long story short, there are connections where I care about MITM and those that I don't care about them. The ones where I don't care are because even if there was a MITM attack, they've gained absolutely nothing that they couldn't have already gained without attacking me. The ones where I do care, the connection is verified using a method not attached to the Internet. Most MITM attacks are simply watching the Internet traffic and are unaware that second and third channel communications are going on to verify the Internet connection.

      how sure are you that not a single signing key to any package on your system is compromised

Again, long story short. Even if someone sent me a bad package, they'll gain nothing as nothing is stored on the machine and the machine has limited access to the information that I'm currently using. The state the machine was in when I get to it, is the state I leave the machine in. As far as network and CPU resources, simply checking your logs will show you any spikes that are out of the usual. A home PC has very little objective value. Usually CC, personal, contact, web history, etc or CPU and bandwidth. Not very difficult to protect that information if you do not keep it on your machine and check your logs. Targeted attacks to get deeper information would spend more money on the attack than on what they gained; I'm okay with the idea that the ROI for the robber is in the negative. That'll teach them.

Also that's a little disingenuous, most distros use one or two keys to sign all of the packages. So I would have to check one or two keys at most. Not exactly a huge sample size. Secondly, someone did hijack a key on Fedora at one point. It was easy to see that the key was jacked, and to check binaries at the tree in large volumes for differences. No differences were found, but if there were, code reviews would be possible to ensure that new builds wouldn't add in non-reviewed code. A signing key getting jacked isn't exactly a huge problem so long as the binary matches binaries built from reviewed code (aka checksums). MD5 has the ability to have collisions, which is why distros provide SHA and MD5 checksums, to mitigate that risk. A jacked key is only of value if no one finds out about it and bad code can get pushed to systems without anyone knowing. So jacked keys require a pretty hefty level of keeping quiet and silently moving updates in while no one is looking. Given that usually a good number of people are watching this, jacked keys are poor for targets at the mass. You'd want to use a hijacked private key at a very small target, because as soon as someone sounds the alarm, your key is useless. The fewer the eyes, the less the chance of getting caught. However, I do indeed check my binaries against checksums to make sure that updated packages match known good packages, so I'd be a tripwire for this kind of attack; they may hit me, but they would lose all value in their key. Again, the ROI would be negative on their side because they could have done a lot of damage, but if they hit the one guy that's paranoid and goes back and checks the binaries on every update, boom, all that damage they could have done is gone.
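The tripwire-style checksum comparison that ratboy666 (comment 11 above) and slack_justyb (just above) describe, as an added Go example that is not Tripwire's code or anything posted in the thread: it snapshots SHA-256 digests of every regular file under a directory, then reports what was added, modified or removed relative to a saved baseline. The demo tree in main is constructed in a temporary directory; in practice the baseline would be stored somewhere the monitored host cannot rewrite.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a slash-separated relative path to the hex SHA-256 of its contents.
// SHA-256 rather than MD5: a collision-resistant digest is what makes a matching
// checksum meaningful.
type Baseline map[string]string

// hashFile streams a file through SHA-256 so large binaries need not fit in memory.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Snapshot walks root and records a digest for every regular file under it.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil // skip directories, symlinks, devices
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		b[filepath.ToSlash(rel)] = sum
		return nil
	})
	return b, err
}

// Report lists the paths whose presence or contents differ from the baseline.
type Report struct {
	Added, Modified, Removed []string
}

// Clean reports whether nothing changed.
func (r Report) Clean() bool {
	return len(r.Added)+len(r.Modified)+len(r.Removed) == 0
}

// Compare diffs a current snapshot against a saved baseline.
func Compare(saved, current Baseline) Report {
	var r Report
	for path, sum := range current {
		old, known := saved[path]
		switch {
		case !known:
			r.Added = append(r.Added, path)
		case old != sum:
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range saved {
		if _, still := current[path]; !still {
			r.Removed = append(r.Removed, path)
		}
	}
	sort.Strings(r.Added)
	sort.Strings(r.Modified)
	sort.Strings(r.Removed)
	return r
}

func main() {
	// Constructed demo tree in a temporary directory.
	dir, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "libdemo.so"), []byte("original build"), 0o644)
	saved, _ := Snapshot(dir)
	// Simulate a bad update replacing the library in place.
	os.WriteFile(filepath.Join(dir, "libdemo.so"), []byte("tampered build"), 0o644)
	current, _ := Snapshot(dir)
	fmt.Printf("%+v\n", Compare(saved, current))
}
```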

    4. Re:AV companies outside their element? by 0123456 · · Score: 1

      Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised?

      Unlike Windows, there are only a tiny number of such keys. You can't exploit them the same way these guys apparently did by creating a random key signed by another random key which happened to be flagged as a CA key, because it wouldn't be accepted when installing the package.

      Yes, it's possible that someone has hacked into Red Hat and Ubuntu and stolen a signing key, but if that's the case then we have much bigger problems to worry about.
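The basicConstraints check that a path validator applies in the situation 0123456 describes above, as an added Go example (not code from the thread or from any product): a constructed root issues an intermediate, the intermediate issues a leaf, and the leaf is accepted only when the intermediate is flagged as a CA, even though the signatures are valid either way. All names and keys are generated on the fly; this does not reproduce the Microsoft certificate chain from the story.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. basicConstraints is always
// marked valid, so isCA=false is an explicit "not a CA" statement rather than a
// missing extension.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// LeafVerifies builds a constructed chain root -> intermediate -> leaf with fresh
// keys and asks the standard library to validate the leaf. The only variable is
// whether the intermediate carries the CA flag. It returns (accepted, verifier
// message, construction error); a rejected chain is not a construction error.
func LeafVerifies(intermediateIsCA bool) (bool, string, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return false, "", err
		}
		keys[i] = k
	}
	rootKey, midKey, leafKey := keys[0], keys[1], keys[2]

	rootTmpl := newTemplate("Constructed Root CA", 1, true)
	root, err := issue(rootTmpl, rootTmpl, rootKey, &rootKey.PublicKey) // self-signed
	if err != nil {
		return false, "", err
	}
	mid, err := issue(newTemplate("Constructed Intermediate", 2, intermediateIsCA), root, rootKey, &midKey.PublicKey)
	if err != nil {
		return false, "", err
	}
	// The leaf is signed by the intermediate's key regardless of its CA flag;
	// cryptographically the signature is fine in both cases.
	leaf, err := issue(newTemplate("Constructed Code Signer", 3, false), mid, midKey, &leafKey.PublicKey)
	if err != nil {
		return false, "", err
	}

	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(mid)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		// Path validation refuses to build a chain through a non-CA signer.
		return false, err.Error(), nil
	}
	return true, "chain accepted", nil
}

func main() {
	for _, ca := range []bool{true, false} {
		ok, msg, err := LeafVerifies(ca)
		if err != nil {
			panic(err)
		}
		fmt.Printf("intermediate IsCA=%v -> accepted=%v (%s)\n", ca, ok, msg)
	}
}
```

The lesson for a verifier is the converse of the story: a signer's CA flag is exactly what turns a valid signature into a trusted path, so that flag, and the constraints around it, are what a validator has to scrutinise.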

    5. Re:AV companies outside their element? by gman003 · · Score: 1

      Running without an AV works ONLY if
      a) You are intelligent enough to avoid viruses
      AND
      b) Anyone you frequently communicate with have no viruses
      AND
      c) Any sites you frequent have not been compromised.

      That third one is what got me. A webcomic I read - quite a popular one, not at all a shady, untrustworthy site - got exploited, and was used to serve out malware. I happened to read it during the few hours it was compromised. The malware got past Adblock. Everything was fully up-to-date, from Firefox to Java to Windows itself (I even keep IE up-to-date despite never using it, just in case). That thing wreaked some serious havoc on my system - I ended up needing to do a full reformat and reinstall.

      So yeah, ever since, I run an antivirus. Because not only can I still make mistakes (unfortunately, and not for lack of trying, I'm still human), but other people's mistakes can affect me as well.

    6. Re:AV companies outside their element? by interkin3tic · · Score: 1

      Government agencies have little problem with antivirus software for consumer, and you say you don't have much faith in AV? Well, wouldn't it be far more disconcerting if $20 a year software COULD defeat the CIA's (or whoever) malware?

      I mean, a story about how the CIA can get past your deadbolt and home alarm system wouldn't be shocking, would it? News that the US army can outgun the security guard at your job... no shit.

      Of course, the problem is that it DOESN'T require a multi-billion budget to defeat Avast or others, but security isn't simple.

    7. Re:AV companies outside their element? by mcgrew · · Score: 1

I stopped using AV software when it failed to protect me from XCP. Who would have thought that a large, well respected company like Sony would deliberately infect their paying customers' computers? The irony is, if my daughter had just downloaded the songs instead of buying it from the record store she worked at, I'd not have gotten infected.

      If mozilla.com got infected, your AV software isn't going to help any more than mine protected me against XCP.

    8. Re:AV companies outside their element? by Kjella · · Score: 1

      Unlike Windows, there are only a tiny number of such keys. You can't exploit them the same way these guys apparently did by creating a random key signed by another random key which happened to be flagged as a CA key, because it wouldn't be accepted when installing the package.

The key that verifies that it comes from the $distro repository, yes. But there are many thousands of developers and packagers that could be compromised so you get a signed trojan horse, it's not like the distro does code review. Like for example OpenSSL that was badly broken for two years in all Debian based distros and that was pure ignorance, public and obvious. How hard do you think it would be to discover a malicious and covert custom exploit targeting only a few machines? It could have gone unnoticed forever.

      --
      Live today, because you never know what tomorrow brings
    9. Re:AV companies outside their element? by Johann+Lau · · Score: 1

How would good computing habits stop, or even just phase, a virus of this magnitude? Unless of course by "good computing habits" you mean "not running software that has any exploitable flaw whatsoever"... This post was written on an Etch-A-Sketch?

      Nah, that's silly. Here's something that isn't: good democratic, anti-fascist habits would preclude the possibility of unlimited budgets being used for nefarious purposes. You can't breed vipers and not get bitten.

      (And yes, that also means if Iranians got rid of their clown tyrants, the clown ops of US and Israel wouldn't have had a reason to do this; much less if they themselves weren't clowns. That'd be something real, the rest is just minor duct tape crap. Clowns eating clowns, and more clowns paying dearly for it.)

    10. Re:AV companies outside their element? by slack_justyb · · Score: 1

      How would good computing habits stop, or even just phase, a virus of this magnitude?

You've missed the point of my post. I was not putting good habits on the level of this virus in question. In fact, I never said the flame virus at any point in my post. The flame virus has nothing to do with my post. You have inserted subject matter into my post that was never there, nor was it anywhere closely related to what I posted, meant, or could be possibly derived from my post. In short, my post said absolutely nothing about the virus that is talked about in the news story, nor was there anything in my post that led to that conclusion. I admonish your interjection that I had ever said anything related to the virus in this story as there could be nothing further from the point and subject matter of my post.

      Now that I hope we have made it crystal clear that I am not talking about the flame virus.

Anti-virus companies do not deal with real viruses, they deal with run of the mill script kiddies and other things that good computing habits can prevent. Therefore I doubt the value of any AV company's opinion or product. Since it is non-news that they couldn't help anyone when faced with a real threat.
There, I've compacted my post for you. Perhaps that will help your comprehension, or if you like I'll put it into a single sentence for you.
AV companies are like mall security, why bring them up when the subject is a war?
      Better?

    11. Re:AV companies outside their element? by Johann+Lau · · Score: 1

      Oh boy. You could simply have told me to read your post again, because yeah, I see it now, too. Though your second one didn't help much with that heh.

And yes, you're right that AV software doesn't play in this league. Yes, AV software is mall security, this is bigger, and while making your main point, which went over my head, you also made it seem as if you're saying you can keep safe from what mall security is claiming to protect you from by simply keeping fit and alert. When actually neither can, and if someone wants to rob or kill you real hard, even a 70 year old lady could if she waited for the right moment. Script kiddies can, too, unless you only browse the web with lynx and compile everything yourself (let's assume for a moment that modifying compilers is out of the range of script kiddies). They just haven't yet, maybe because you're that good, or because you're lucky. Unless you detail your "good computing habits", there's just no telling whether you're right or full of it. List what you think will keep you safe, and someone will prove you wrong. Not a military hacker bred in underground laboratories, but a hobbyist, maybe even a kid.

    12. Re:AV companies outside their element? by slack_justyb · · Score: 1

      List what you think will keep you safe, and someone will prove you wrong.

      The first thing I learned about keeping yourself safe from the Internet is to make your computer worthless. Someone is always going to break in, there is no stopping that, but if the information that they gain is absolutely worthless, they've really gained nothing. When someone finally does invade my computer and takes all my information, they'll find a whole lot of information that will direct them to someone who doesn't really exist, a credit card that has $6.00 in the bank, a tax return with invalid SSN, a web browser with two minutes of history, a bunch of photos of people I don't know and pictures of fruit and my hand giving them the finger, and a whole slew of things meant to get their attention, like weakly encrypted files, files that sound important and so on. All of it in an attempt to get them to gather the data, I want them to have. They won't get bandwidth or CPU cycles, I kept pretty detailed logs on my Internet traffic. I'd notice if I saw my CPU working 3% harder than it should at a given time, or if I saw a bump in traffic to addresses I don't visit.

      I don't want anyone on my system, but if they do get on it, then I want them to have the data on it. All of the *real* data is elsewhere or never touches a computer.

      Okay I'm ready for a rebuttal.

    13. Re:AV companies outside their element? by Johann+Lau · · Score: 1

      I have none. If you don't have it on a computer connected to a network, script kiddies (or anyone who isn't physically breaking in) can't get to it... not much to argue there.

      But "real data" includes logins, and that's gonna leave your network in some fashion. "Script kiddies" (short for "non-military-grade hackers" :P) compromise router, done? How much of this is even in the hands of any single one person?

    14. Re:AV companies outside their element? by slack_justyb · · Score: 1

      But "real data" includes logins

Depends on the login. If it is something I care about then the Internet won't be the only channel in the line of communications. The system that I ssh with at work uses three channels of communication, the Internet being one of them, but the others are there to carry information and authenticate the other channels, the system is able to tell if a MITM attack is happening since the packets on the Internet channel will start getting out of sync (basically a different channel asks the remote host to switch certs mid conversation, the MITM never knows about the switch up since they aren't listening to that channel, the host requests more information but the information is sent using the old cert, not the one that was supposed to be switched to, thus you can see the MITM didn't get the notice). Standard emails use two step verification and those that I truly wish to talk to have shared keys for communication. Just two step verification which is offered by GMail is usually enough to keep 99% of hackers out of your inbox. Using an email client that has integrated GPG and using two step disk encryption for your inbox (that's pass phrase and USB stick authentication) will protect you from 99.999% of the crackers out there. All of this is very easy for the home consumer to get.

      The Internet isn't the only way to communicate (OTP, SMS, private fiber, usb sticks, shortwave radio, PSTN, and a host of other methods). The more people rely on the Internet as their single channel of communication, the more they open themselves to attack. It's just like anything, having only a single way of doing stuff makes it easy to get attacked.
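
The principle behind the multi-channel scheme in the post above is that identity material (a certificate, or its fingerprint) is confirmed over a channel the in-path attacker does not carry. The following is an added illustration, not the poster's setup or code: a toy model in which the client accepts an in-band certificate only if it matches a fingerprint learned out of band. The `Server`, `MitmProxy` and `client_verify` names and the byte strings standing in for certificates are constructed for the example.

```python
import hashlib
import secrets

# Constructed stand-ins for X.509 certificates (in real TLS these would be the
# DER-encoded certificate bytes); both values are made up for this example.
GENUINE_CERT = b"constructed genuine server certificate " + bytes(range(32))
ATTACKER_CERT = b"constructed attacker-controlled certificate " + bytes(range(32, 64))


def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint of a certificate: short enough to read out over a phone or SMS."""
    return hashlib.sha256(cert).hexdigest()


class Server:
    """The genuine host. It publishes its fingerprint over a second channel
    (SMS, a phone call, a USB stick) that a network-only attacker does not see."""

    def __init__(self, cert: bytes) -> None:
        self.cert = cert

    def in_band_hello(self) -> bytes:
        return self.cert

    def out_of_band_fingerprint(self) -> str:
        return fingerprint(self.cert)


class MitmProxy:
    """Model of an interceptor on the Internet path only: it completes its own
    session with the real server but presents its own certificate to the client."""

    def __init__(self, upstream: Server, own_cert: bytes) -> None:
        self.upstream = upstream
        self.own_cert = own_cert

    def in_band_hello(self) -> bytes:
        self.upstream.in_band_hello()  # the proxy talks to the real server itself
        return self.own_cert


def client_verify(peer, expected_fingerprint: str) -> bool:
    """Accept the in-band certificate only if it matches the fingerprint obtained
    out of band; constant-time comparison avoids leaking how many characters matched."""
    presented = fingerprint(peer.in_band_hello())
    return secrets.compare_digest(presented, expected_fingerprint)


def demo() -> dict:
    """Direct connection is accepted; the intercepted one is rejected."""
    server = Server(GENUINE_CERT)
    oob = server.out_of_band_fingerprint()  # learned via the second channel beforehand
    return {
        "direct_accepted": client_verify(server, oob),
        "mitm_accepted": client_verify(MitmProxy(server, ATTACKER_CERT), oob),
    }


if __name__ == "__main__":
    print(demo())  # {'direct_accepted': True, 'mitm_accepted': False}
```

The check is only as strong as the second channel: if the fingerprint can itself be substituted on the way to the client, the comparison proves nothing, which is why the out-of-band path has to be one the in-band attacker cannot reach.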

    15. Re:AV companies outside their element? by Johann+Lau · · Score: 1

      LOL, foe... If only I knew why exactly, so I could do more of that :P Anyway, good luck with all that.

    16. Re:AV companies outside their element? by slack_justyb · · Score: 1

      Don't know, I click stuff on Slashdot all the time and don't really know wtf I just hit. Nothing personal.

  15. ... and water is wet by Anonymous Coward · · Score: 1

    Seriously, how is this news? Anyone who has even the slightest clue as to how software security vulnerabilities work (or just what Turing completeness and the halting problem are) knows that anti-virus software does not and cannot exist, and has known that for decades. Just because some marketing people keep pretending there is such a thing doesn't mean there actually is.

    What does exist is black-list filters for some well-known attacks. Which obviously is completely pointless to even try unless you are an idiot and you insist on using software that's equally well-known for its lack of security, in which case such a black list can keep the inconvenience down a tiny bit. Or you own a business that makes money by selling unsuspecting people "protection".

  16. A better solution: by bmo · · Score: 5, Funny

    Release armies of flying cats.

    Because if you're going to ignore what's in your database for two years, well, flying cats are better.

    https://www.youtube.com/watch?feature=player_embedded&v=-S4DZ_aWNuU#!

    --
    BMO

  17. Re:First, antivirus authors used generic tools to. by Anonymous Coward · · Score: 1

    Did you really mean "First, antivirus authors used generic tools"?
    Mind, I don't object to the classification of much antivirus software as evil, but it gets a bit kinky later where they're detecting themselves...

  18. A: because it breaks the flow of a message by DNS-and-BIND · · Score: 5, Funny

    Q: Why is starting a comment in the Subject: line incredibly annoying?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:A: because it breaks the flow of a message by tepples · · Score: 1

      What place would you recommend instead for such meta-discussions?

    2. Re:A: because it breaks the flow of a message by RalphTheWonderLlama · · Score: 1

      Well I read yours in order since I usually skip the subject :)

      --
      simple, fast homepage with your links: http://www.ngumbi.com/
  19. Re:First, antivirus authors used generic tools to. by bughunter · · Score: 5, Interesting

    but it gets a bit kinky later where they're detecting themselves...

    It's not kinky at all. They all do it, most of them nearly every day, but few of them admit it.

    Kinky is two of them detecting each other...

    --
    I can see the fnords!
  20. Re:First, antivirus authors used generic tools to. by postbigbang · · Score: 2

    Seen another way: like all artillery system designers, you study the target, understand the medium through which the shell must traverse, and get the payload to the target.

    To think that Symantec and AVG and Kaspersky et al are omnipotent is silly. At some point, each of these companies has to avoid false positives because they get the worst PR possible when they make mistakes. There are millions of legitimate apps out there, no matter how well or poorly written. It's a matter of getting to the correct controller, seeding it with destructive code, and making sure the code survives long enough to deliver the damaging payload that's necessary. Certainly the explanation is vastly more simple than the deed, but it's the deed that was successful. Does one generate malware detection that traps such a thing: Maybe-- but you don't give it to anyone because no civilians have centrifuges that are used to make weapons grade material.

    --
    ---- Teach Peace. It's Cheaper Than War.
  21. What about the others? (Smart Fortress 2012) by Anonymous Coward · · Score: 4, Interesting

    My Dad's work PC got infected with "Smart Fortress 2012" mid-May. My mistake, I wasn't taking care of Flash and Acrobat reader. But an otherwise up-to-date XP, with an up-to-date Norton antivirus installed, got infected through a webpage. And even though the account was not an administrator account, Smart Fortress 2012 not only disabled Norton antivirus but rendered it inoperable - it had to be reinstalled (through the Administrator account).

    Lesson learned. Don't trust Norton much, don't trust much of anything else, and tighten up as much as possible.

    1. Re:What about the others? (Smart Fortress 2012) by DigiShaman · · Score: 1

      Flash, Acrobat Reader, and Java Runtime (JRE). Don't forget that one. I've seen that pile of shit running malware (written in Java, duh). Unless he needs it (which I doubt these days), just uninstall every instance of Java from the Add/Remove program list.

      --
      Life is not for the lazy.
  22. Antivirus is NO defense against targeted attacks by Opportunist · · Score: 1

    Well, DUH.

    AV kits can only protect against attacks that are known. They may be able to detect new variants of attacks, so once a certain botnet type is known they may well be able to find zero-day developments if their heuristics are good (not a trivial task, but some have mighty good detection rates against unknown variants), but how are they supposed to detect what is simply not known to be a threat?

    And likewise they cannot protect against attacks that target YOUR and only YOUR company. Where'd they get samples of it in the first place?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  23. Re:AntiVirus companies mess up... apk by Luckyo · · Score: 1

    They do not flag such files as "malware". They flag them as "heuristics found suspicious files that have properties often used in malware".

    If you actually read the text that your anti-virus software outputs on your screen, this becomes very obvious. Unfortunately most people, apparently including yourself, do not read these messages and instead assume your file has been filed as malware when you're looking at a false positive hit from the heuristics engine warning you about suspicious properties of your file.

    Actual malware that is known is labelled very differently by most anti-virus software.

  24. Nothing new here by Shoten · · Score: 4, Insightful

    Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel. Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians. The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry, while any armored military vehicle would shrug off an attack using weapons available to civilians. There are many other analogues involving surveillance technologies, etc. that show the dichotomy that has always existed between the military/intelligence communities and the civilian world.

    But so what? Of course their tools are more sophisticated...they should be. The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

    --
    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Nothing new here by Anonymous Coward · · Score: 2, Funny

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      You should c'mon down and visit us here in Texas.

    2. Re:Nothing new here by drinkypoo · · Score: 4, Interesting

      Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel.

      ballocks

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      Oddly enough, you can have all the same typical service issue ammo that the military uses.

      The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry

      ...though neither do most military vehicles...

      while any armored military vehicle would shrug off an attack using weapons available to civilians

      Except for IEDs, for which we are having to redesign our entire fleet basically.

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Things have been going very, very badly for a long time. Companies like Coca-Cola and Nestle have their own military forces in third world countries. Corporatists have utterly taken over the majority of world governments. So while I agree with your premise, I don't agree with your conclusion. Civilians already have that capacity, and they always have, and things are already going that way.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Nothing new here by Threni · · Score: 2

      > Except for IEDs

      Exactly. Idiot goat farmers or whatever can take out the latest US vehicles again and again using cheap, readily available ingredients with innocuous legal uses plus a digital watch or walkie-talkie. Such a shame the whole military/industrial complex is based on attacking Russia or whatever.

      Remind me again, which month do I have to work until before I start earning money for me and not just the taxman?

    4. Re:Nothing new here by drinkypoo · · Score: 1

      Disingenuous. You know he's talking about MBTs, not Humvees, which are for delivering supplies...

      It doesn't take all that much to take out treads. It doesn't take much to take out Humvees either, which is why their days in situations in which combat is expected are numbered. Also, pork. But I am in favor of seeing soldiers who must be in the field (for whatever reason) be better protected.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Nothing new here by hob42 · · Score: 1

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Right, because if they did, then civilians might rebel against an unjust, unpopular, non-representative government.

      Oh, wait. That's actually a founding principle of the USA: the government should be afraid of the people, not the other way around. The only way to ensure that is to make sure the people have the ability to overthrow the government and its military forces, should the need arise.

    6. Re:Nothing new here by Shoten · · Score: 1

      Question: What are most IEDs made from?

      Answer: Artillery shells.

      Question: Can you buy artillery shells at Wal-mart? How about Home Depot? Radio Shack?

      --
      For your security, this post has been encrypted with ROT-13, twice.
    7. Re:Nothing new here by Shoten · · Score: 1

      Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel.

      ballocks

      Ah...but when was the last time you saw someone wearing Level IV or higher armor in public who wasn't a cop or a soldier? I'm willing to bet the answer is "never," and that's because there's a difference between "available" in the technical sense and "available" in reality. And I can tell you up front what happens when a police officer sees someone armored that way...they confront the individual and grill them on the spot, because the wearing of armor of that nature is considered a major pre-incident indicator of a bad event. So, no...it's not really feasible for civilians to wear the same heavy multi-hit ceramic armor as soldiers wear.

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      Oddly enough, you can have all the same typical service issue ammo that the military uses.

      Define "typical service issue ammo"? If you mean the +P 9mm rounds in their sidearms, yes, even though about 65% of civilian-owned 9mm firearms will not last long when firing that ammunition. If you mean steel core AP .223 and 7.68mm rounds, which is what's needed to penetrate the armor, then no. You need to either use AP rounds or very high caliber firearms (like .50 caliber) to have much luck against the aforementioned body armor used by the military. The fact that civilians can get standard ball ammo does not counter this.

      The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry

      ...though neither do most military vehicles...

      Military vehicles stand up a lot better than civilian ones. I'll put a lightly-armored humvee against a Buick any day of the week with regard to small arms fire. But these days what we're talking about are MRAPs and APCs, and if you think those are an equivalent to a civilian vehicle of any nature, you must seriously be smoking something. The point I am making is that military gear is significantly more defensible, not that it's invincible. And if these vehicles don't hold up better against military weaponry, why are we spending billions on them, and crediting them for saving thousands of lives?

      while any armored military vehicle would shrug off an attack using weapons available to civilians

      Except for IEDs, for which we are having to redesign our entire fleet basically.

      Which are always made from repurposed military explosives and artillery. This only supports my point.

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Things have been going very, very badly for a long time. Companies like Coca-Cola and Nestle have their own military forces in third world countries. Corporatists have utterly taken over the majority of world governments. So while I agree with your premise, I don't agree with your conclusion. Civilians already have that capacity, and they always have, and things are already going that way.

      Your definition of "badly" is a bit narrow. Go visit a country where the civilians actually have the same weapons as the military. Might I recommend Somalia as a sterling example?

      --
      For your security, this post has been encrypted with ROT-13, twice.
    8. Re:Nothing new here by moeinvt · · Score: 2

      "...bullets fired from the primary weapons carried by military personnel..."

      There is no appreciable difference between the penetrating power of a projectile fired from a military rifle and one fired from the civilian equivalent of the same weapon. In fact, many of the civilian model AR-15s are "Mil-Spec" and a lot of the bulk ammo available is military surplus. The difference is only in rate of fire. Military versions can selectively fire in 3-round burst (or full auto on older versions).

      "military-grade body armor will stop rounds fired by 99% of the weapons held by civilians"

      Well, I don't have an accurate picture of the breakdown of civilian weapon ownership, but the protection ratings on the body armor are standards. The armor is either "Level 3" (or whatever) or it's not. Nothing special about military versions.

    9. Re:Nothing new here by Rich0 · · Score: 1

      The issue with IEDs isn't that the vehicles are obsolete so much as they weren't designed for prolonged operations in anti-vehicle minefields.

      Normally the model is that you sweep a path, and then send the force through it. Maybe you lose a few vehicles, but compared to what the USSR is doing to you that is statistical noise.

      The problem is that this model depends on forward progress and a defined line of battle (bad guys on one side, good guys on the other). Against an insurrection this breaks down.

      As far as Humvees go - they have their place. They were never intended to be lead vehicles in some armored assault. However, if you depend on things like MBTs for resupply then you'll be stopped every time you hit a bridge with a 10-ton weight limit and fuel stops every 20 miles.

      MBTs are used to make forward progress blowing up everything that moves in your path. Humvees are used as a substitute for horses and jeeps for getting people/food where they need to be outside of general combat. Neither are all that useful in quelling rebellions unless you're willing to blow up everything that moves in your path (see MBT). In fact, I've seen little in the way of equipment which is actually useful for putting down rebellions - that is more a matter of willingness to embrace rather nasty tactics, and just another reason not to deploy the army in unfriendly territory where they aren't actively busy killing anything that moves.

      MBTs and light vehicles will always have a place in any country that does not wish to be ruled by those who retain them.

    10. Re:Nothing new here by Threni · · Score: 1

      > Question: What are most IEDs made from?
      > Answer: Artillery shells.

      Close, but the answer is fertilizer.

  25. Occam's razor by Anonymous Coward · · Score: 1

    With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

    In order to evaluate your theory, we'd have to put it to the Occam's Razor test.

    The simplest answer is that Windows really does have lots of vulnerabilities, and the security companies really are in over their head.

    Obviously, this is patently false. Windows is widely known to be bug-free and highly secure, and the security companies have developed a suite of efficient, stable software to help us defend against viruses. So your theory obviously has merit. How could it be otherwise?

    1. Re:Occam's razor by HiThere · · Score: 1

      A good point, with lots of evidence going for it. But it's not the only possible explanation. Don't decide too quickly. After all, you don't need to decide, until you decide to act, and even then it just needs to be an action that's compatible with your decision about what you believe to have happened.

      There's nothing saying that Microsoft, and/or the AntiVirus companies aren't BOTH corrupt and incompetent. And I don't see any evidence against that supposition. Still, I wouldn't want to claim it was proven. They might be only one.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  26. Duh. by jiteo · · Score: 1

    The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets.

    You don't say.

  27. The best Anti Virus.... by trancemission · · Score: 1, Funny

    I have seen it on here lately - cleanMyPC or something like that....pretty good so I have heard........

  28. Antivirus is a poor solution anyway by SCHecklerX · · Score: 4, Insightful

    Once you are hit, it is already too late.

    What we as sysadmins and users should focus on instead is prevention.

    Unfortunately, prevention relies mostly on end user education. They will always download that cool image, or play that game, forward that e-card, etc. You can't cure user stupidity with technology. The car analogy would be, well, eliminate cars and make everyone take the train.

  29. Re:stop stabbing yourself in the eye by Anonymous Coward · · Score: 1

    stop using windows bro

    But without windows, the house is so dark!

  30. "I Don't Know It, So the Government is to Blame!" by LifesABeach · · Score: 1

    Who benefits from the success of Stuxnet, Flame, et al.? The U.S. has a simple method (publicly tested and verified) of bringing down a country's entire electrical system, and that includes those systems that have backups. Anytime the U.S. wants to "turn off" the power to a country like Iran, it can. But the U.S. hasn't, so who else? I don't see complexity here, I see simple economic warfare. And I see where Iran could easily handle a problem like a war with guns; but Iran is helpless against a war with credit cards. If I were Iran I would not look west, their guns are chillingly clean.

  31. Out of their league by sir-gold · · Score: 3, Insightful

    Of course they are out of their league with Stuxnet and Flame. The AV companies are used to fighting teenage hackers and Russian mobsters; they aren't prepared to fight two of the highest-funded militaries in the world (USA and Israel). It's hard to beat the enemy when they outnumber and "outgun" you by a factor of 100,000.

    1. Re:Out of their league by gweihir · · Score: 2

      Surprisingly though, Stuxnet was a good demonstration of how incompetent hackers will write their malware. There are plenty of mistakes, errors and incompetence in it. Of course, the Iranian defenders were even more incompetent, with no independent safety systems on their centrifuges that would have prevented the damage. Really pathetic on both sides.

      This basically shows that you can get past current AV software with something that is not very good in any regard. It also shows that the AV approach is fundamentally flawed.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  32. Re:apk is fail by drinkypoo · · Score: 2

    who is that 'U' who keeps failing (according to you) ? there is no user named 'U' on slashdot, so who is it ?

    Whoever replies to apk fails. I've done it. Don't do it.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  33. [citation needed] by heypete · · Score: 1

    Or, put another way, "extraordinary claims require extraordinary evidence."

    1. Re:[citation needed] by cavreader · · Score: 1

      Yes, start with posting the details on the MS back doors. And a company being a monopoly is not illegal; it is how they take advantage of their monopoly. And one reason MS gained their monopoly position was by people and companies lining up to sell their technology for the money. Nothing wrong with that. At some point a company becomes so big and successful they can't just stop and say we have made enough money so we should just stop building new stuff. The monopoly case against them had just as much to do with the incompetence of its competitors as it did with MS actions. Industry practices change over time. The PC industry is relatively new and very dynamic so there is always someone who can leverage the game until laws and regulations are imposed.

    2. Re:[citation needed] by cavreader · · Score: 1

      "That is a staggeringly stupid thing to say, because by definition they are in a position to know about them and I am not." You're the one who made the backdoor claim without facts. If you can't back up your statements then shut the fuck up until you can.

    3. Re:[citation needed] by drinkypoo · · Score: 1

      If you can't back up your statements then shut the fuck up until you can.

      Make me.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:[citation needed] by Anonymous Coward · · Score: 1

      https://en.wikipedia.org/wiki/NSAKEY

    5. Re:[citation needed] by cavreader · · Score: 1

      I don't have to stop you. Your idiotic statements are on display for all to see, so why bother.

  34. Not a surprise by gweihir · · Score: 2

    From a certain attacker competence and resource level upwards, a leaky bucket like Windows cannot be fixed anymore. It takes competent system administration on a solid platform and a minimal attack surface. It also takes quality engineering with security in mind on everything that is reachable over the network. Most current software is so pathetically insecure (and yes, that includes quite a bit of FOSS software), that no amount of add-ons will ever make it secure.

    On the other hand, software that was done with sound secure software engineering practices, competent personnel and adequate resources is very hard to attack and will quite often be impossible to attack. The saying that everything can be attacked is just a lame excuse for insecure software. It has no relation to what can actually be done.

    What the article also shows is that the reactive, try-to-patch-thousands-of-tiny-holes-on-insecure-platforms-by-external-software approach that the AV companies are selling is fundamentally limited. This is not a surprise to any real security expert.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  35. Right... by Corson · · Score: 2

    Flamer has been out in the wild since ca. 2007, with an MS signed certificate, and the first IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Right, because all of these antivirus companies are so dumb they cannot detect a 20 MB spyware pack on Windows machines for four years.

  36. Consumer-grade by mrex · · Score: 4, Interesting

    The most bothersome statement to me is right here:

    >consumer-grade antivirus products

    Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago. Why? Are the billions of dollars a year in claimed corporate losses to computer intrusions insufficient profit motive for someone to bring something better to market? Are we really expected to believe that billion dollar companies like Intel, Microsoft, Google, and Apple simply aren't up to the technical challenge, let alone government agencies like the NSA whose job it is supposed to be to protect the security of America's communications? I guess they're too busy violating that security to care, these days.

    The pace of progress on the consumer internet used to be blinding. Now, with the network mostly taken over by large corporations and the governments they are symbiotic with, and the capture of the knowledge and creative spheres by government dollars and NDAs, the internet is becoming just as dysfunctional as the lumbering dinosaurs all-too-willing to ruin anything and hurt anyone necessary to ensure their continued place at the head of the table.

    1. Re:Consumer-grade by cyberfunkr · · Score: 3, Insightful

      The most bothersome statement to me is right here:

      >consumer-grade antivirus products

      Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago.

      Agreed.

      One of my biggest issues with most AV software nowadays is that they claim to be improving, but still use the same methodologies as always. What they are spending their money, time, and resources on is the f'n UI. In the end, I really don't need or want a pretty UI. Don't nag me about updates, just do it. I don't need a graph showing how many files were scanned per hour/day, just scan. I don't need a separate screen showing how well the mail scanner is working versus the web scanner. Just put a small icon in the system tray to say, "Your AV is running, Keep calm and carry on"

      If the software does find something, pop up a simple box saying, here is what was found, where it found it, why it thinks it's bad, and what should it do. Oh, and make sure that the name of virus is copy-able; so that I can paste it into a Google search and see details about what I'm up against.

    2. Re:Consumer-grade by lgw · · Score: 1

      There was a recent /. article on how the military found and removed a virus that got into the control consoles for some drones: "host based scanning". Anyone can do this - simply scan the suspect drive by mounting it in a machine known to be clean. The most clever rootkit in the world has to be in order to hide itself. Want to do that in realtime? Do everything in a VM and scan it from the host - problem solved.

      If the TPM hadn't been perverted into some anti-consumer DRM thing, we'd all have this already by default. (A VM used just for virus scanning that is protected from unwanted alteration by hardware level encryption, TPM-style).

      --
      Socialism: a lie told by totalitarians and believed by fools.
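
The offline scan described in the post above (mount the suspect disk on a clean machine and inspect it from outside) can be reduced to a simple walk-and-hash over the mounted tree. The following is an added example, not the poster's tool or any product's code: it builds a constructed directory standing in for a mounted image, hashes every regular file, and reports those whose SHA-256 appears in a known-bad set. The set itself, the file names and the file contents are all made up for the example; the only real-world point is that, because the guest OS is not running, nothing inside it can hide entries from this listing.

```python
import hashlib
import os
import tempfile

# Constructed "known-bad" content and its hash; in practice this set would come
# from an indicator feed or a vendor's detection database.
KNOWN_BAD_CONTENT = b"constructed sample standing in for a malicious binary\n"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest()}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, bad_hashes: set) -> list:
    """Walk a mounted (offline) filesystem and return (relative path, hash) for
    every regular file whose digest is in bad_hashes. Symlinks are skipped so a
    link inside the image cannot redirect the scan outside it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = sha256_file(full)
            if digest in bad_hashes:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, digest))
    return sorted(hits)


def build_sample_image() -> str:
    """Create a constructed directory tree that stands in for a mounted disk image."""
    root = tempfile.mkdtemp(prefix="mounted_image_")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Users", "dad", "AppData"))
    with open(os.path.join(root, "Windows", "System32", "notepad.exe"), "wb") as f:
        f.write(b"constructed benign binary\n")
    with open(os.path.join(root, "Users", "dad", "AppData", "update_helper.exe"), "wb") as f:
        f.write(KNOWN_BAD_CONTENT)
    return root


def scan_sample_image() -> list:
    """Build the constructed image and scan it; returns the list of hits."""
    return scan_tree(build_sample_image(), KNOWN_BAD_HASHES)


if __name__ == "__main__":
    for rel, digest in scan_sample_image():
        print(f"MATCH {rel} sha256={digest}")
```

Run against a real mount point by calling `scan_tree("/mnt/suspect", hashes)` with a hash set of your own; a hash match only finds files already known to be bad, which is exactly the limitation the thread is about, so a scan like this complements rather than replaces looking for unexpected binaries by location and signer.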
    3. Re:Consumer-grade by mrex · · Score: 1

      Great stuff. We could do a lot of extra auditing and processing, even potentially at the hardware level, if we were willing to make the trade in time and memory. With our recent relative abundance in those areas and the costs of our presently lax security, doing something more than plugging fingers into the dam seems prudent.

    4. Re:Consumer-grade by mrex · · Score: 1

      The Common Malware Enumeration list matured into the Malware Attribute Enumeration and Characterization project a while ago. We could use that pretty effectively.

  37. Re:First, antivirus authors used generic tools to. by slew · · Score: 1

    As if biological virus detection works any differently. There's an inherent problem of identifying what is "good" and what is "bad" if you have a complicated system. The virus detection companies have a problem that mirrors the complexity of the biological varieties. Sure you can detect certain "signatures" of potentially bad invaders, but evolutionary pressure will weed those out and then you are left with the ones that are harder to detect...

    Another option seems to be to attempt to identify "self" and not-self. Unfortunately, although that's potentially easier, the Apple closed eco-system and the proposed Win8 closed eco-system ruffle so many feathers, yet don't seem to be fool-proof either.

    Sadly for many of us (meaning the tinkerers of the world), perhaps the better answer is complete lock-down. If you can't install or run anything, then fewer options exist for problems. Although this probably won't work either (bugs are inevitable and now they will be hard-coded in).

    What does that leave? Probably we need to flip this around, evolve and learn to live with viruses. Viruses are inevitable, and the problem we have is that we trust each other too much. So how do we (as in human biological systems) deal with viruses? We have evolved the ability to get "sick" (when we get a virus) and evolved to learn how to detect when our comrades are sick and avoid them. Perhaps OS vendors and anti-virus firms should concentrate more on teaching our computers how to recognize when they are in contact with other "sick" computers (basically a firewall on steroids). Some commercial devices are doing this already (they look through emails, torrents, etc. to try to identify stuff like high-risk data, etc.). We probably need to get better at this stuff... On how to force computers to get "sick" (other than slow down), perhaps anonymity is the biggest problem (in an anonymous situation, biological vectors tend to spread faster).

    This is perhaps the most unfortunate realization: that openness and anonymity are perhaps the environment that actually allows viruses to cause the problem that exists today (think shared needles in a heroin den or any other analogy you might think of).

  38. MS revokes certificates by gstrickler · · Score: 1

    MS has issued a security update KB2701704 that revokes some certificates, presumably the ones used in these attacks.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  39. Microsoft Malicious Software Removal Tool FAIL by Animats · · Score: 1

    "Flame" isn't on the list of malware detected by the Microsoft Malicious Software Removal Tool. Why not?

  40. Re:First, antivirus authors used generic tools to. by Johann+Lau · · Score: 1

    packers and obfuscators, which no legitimate code would have...

    Yeah, right. I constantly get warnings about packers (or even keyloggers, because they like hooking it up low level style I guess, and who can blame them) in code that isn't only legitimate, but blows all other code on my computer (including the AV software) out of the water. Things you'd download from scene.org or pouet.net. Sweet, sexy little things.

  41. Re:First, antivirus authors used generic tools to. by hairyfeet · · Score: 1

    Sounds like what you are wanting is what Avast and Comodo already do, which is scan all web pages before load and sandbox the browser. This way, if the website you try to hook to is "infected", instead of just running the code it blocks it and gives you a warning, and since by default the browser is sandboxed anyway, if something manages to get past their heuristics it's not gonna be going anywhere anyway.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  42. Re:Luckyo, if the "best you've got" is by Luckyo · · Score: 1

    FYI, I do not reply as AC unless I have serious reason for it. Being asked for a clarification is not one of these things. As you can see from my posting history, I often argue on some pretty hot and difficult topics all under my own handle. Thanks for not assuming things and not letting some random flamer get his kicks.

    On your point, you clearly state that the reason for the "false positive" was "certain techniques I used in the file, for good reasons". That's not a malware detection hit - that's heuristics seeing certain properties of the file and labelling it as such. Malware detection usually hits on specific code inherent to particular malware, not methods of compression of the executable.
    (Obvious caveat: typically. YMMV).

    I'm not trying to be the last authority here, I'm merely pointing out that some parts of your story seem to not match other parts. Perhaps you overly assumed things about scanners that weren't true?

  43. Re:First, antivirus authors used generic tools to. by Anonymous Coward · · Score: 1

    That guy just comes off as being an asshole and doesn't really provide any useful info whatsoever. He sounds bitter that someone was able to come up with a virus that didn't fit the preconceived package they expected and therefore fooled them all.

  44. Re:First, antivirus authors used generic tools to. by TheRealMindChild · · Score: 1

    But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...

    You mean like they detect UPX'd apps as a "potential threat"?

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
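    The exchange in comments 42 and 44 turns on the difference between a signature hit (a byte pattern specific to one malware family) and a heuristic hit (a property of the file, such as UPX section names or high-entropy executable code, that legitimate packed software also has). The following is an added illustration, not code from the thread or from any AV product: a minimal PE section walker with both kinds of check, run over two images constructed inline. The packer section names, the 7.0 bits/byte entropy cut-off, the "signature" bytes and the PE images themselves are all assumptions made for the demo; the images are not runnable executables, only headers plus section bodies.

```python
import math
import random
import struct

# Section names commonly left behind by packers. UPX is the one named in the
# thread; the rest are assumed additions for the demo.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".petite", b".MPRESS1"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "compressed or encrypted"

# Hypothetical family signature: a scanner would look for exactly these bytes.
MALWARE_SIGNATURE = bytes.fromhex("deadbeefcafebabe")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is uniformly random, 0.0 is constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the COFF section table and return (name, characteristics, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, chars, pe[ptr_raw:ptr_raw + size_raw]))
    return sections


def heuristic_scan(pe: bytes) -> list:
    """Property-based verdicts: fires on how the file is built, not on what it does."""
    reasons = []
    for name, chars, raw in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {name.decode()}")
        if chars & IMAGE_SCN_MEM_EXECUTE and shannon_entropy(raw) > ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy executable section {name.decode()}")
    return reasons


def signature_scan(pe: bytes) -> bool:
    """Pattern-based verdict: fires only on bytes already known from one family."""
    return MALWARE_SIGNATURE in pe


def build_pe(sections) -> bytes:
    """Assemble a header-only PE image (no optional header) with the given sections."""
    e_lfanew, size_opt = 0x40, 0
    ptr = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    headers, body = b"", b""
    for name, chars, data in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), ptr, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + headers + body


# Constructed samples. The "packed" one stands in for a legitimate UPX'd tool:
# seeded random bytes play the role of the compressed payload.
_rng = random.Random(2012)
PACKED_BENIGN = build_pe([
    (b"UPX0", IMAGE_SCN_MEM_EXECUTE, b""),
    (b"UPX1", IMAGE_SCN_MEM_EXECUTE, bytes(_rng.getrandbits(8) for _ in range(4096))),
])
# The "plain" one is unpacked, low-entropy code carrying the known signature.
PLAIN_MALICIOUS = build_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE, b"\x55\x8b\xec" * 500 + MALWARE_SIGNATURE + b"\xc3"),
])

if __name__ == "__main__":
    for label, image in (("packed benign", PACKED_BENIGN), ("plain malicious", PLAIN_MALICIOUS)):
        print(label, "signature:", signature_scan(image), "heuristic:", heuristic_scan(image))
```

Run as a script it prints that the packed benign image has no signature hit but three heuristic hits (two for the UPX section names, one for entropy), while the unpacked malicious image has a signature hit and no heuristic hits at all. That is the asymmetry the thread is arguing about: a heuristic verdict on a UPX'd demo is not evidence of malware, and a clean heuristic verdict on a file that avoids packers says nothing about what it contains.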
  45. Or, you've just seen Red Dawn too many times. by Uberbah · · Score: 1

    How are you and the rest of the Wolverines going to do with small arms against drone warfare and nerve gas?

    1. Re:Or, you've just seen Red Dawn too many times. by Agent0013 · · Score: 1

      Don't forget that a percentage of the military will join in the revolt also. They can bring the drones and nerve gas over to our side and help out, hopefully after taking out a couple of high ranking military!

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    2. Re:Or, you've just seen Red Dawn too many times. by Uberbah · · Score: 1

      But that percentage of the military would be reduced to using the same small arms as the rest of the Wolverines. Because if a fascist government were to take over the United States, brownshirts would be placed in key positions of control, and military hardware would be centralized. It's how every unpopular military dictatorship has maintained control throughout history, but it's gotten ever easier as warfare has gone high tech.

      So let's say some enlisted men join up with the Colorado National Guard and try to take some armaments from a local military base. It's all captured by spy satellite - which the Wolverines don't have access to - and then promptly bombed by a Predator Drone.

      This wouldn't be like the Revolutionary War, where a bunch of colonists with muskets could present a real threat to an army wielding muskets and cannons.

    3. Re:Or, you've just seen Red Dawn too many times. by Uberbah · · Score: 1

      Hilarious in which way - that the use of nerve gas wouldn't be denied and classified like Obama's warrantless spying and drone war, or how Americans rose up against the assassination of American citizens and a law allowing military detention of American citizens on American soil?

      El. Oh. El.

  46. Well when the professional software makers help ya by WOOFYGOOFY · · Score: 1

    Look, this is done by NSA or CIA or the like. That means they had help from M$ and the lot, and also from name-brand people in the open source world. This has to include possibly getting help from the virus protection makers themselves, who knows? You can't know, because where national security intersects with stuff we use from companies we know, lying becomes virtuous and anyone can be lying. You're through the looking glass now. That's how this game is played. So the fact that they were able to pass as a trusted application component is no surprise.

    One thing that's distressing is that, just as in non-cyber warfare, the ability to invoke entropy exceeds the ability to preserve order. For example, we can't protect ourselves against nukes. In fact, we can't protect ourselves against most weapons. That's only going to become more true as weapons become fiercer. Worse, this is not just true of our side, it unfortunately holds for the other side. This fact holds huge political and societal ramifications.

    As the ability to create destructive artifacts moves from the nation-state to the level of small groups and finally to the level of individual actors, then the interest of the majority- in the form of the state- in controlling and knowing the actions of not just nation states, but also small groups and finally individual actors will only increase.

    If it only takes one guy (it's always a guy) to harm a lot of people in very bad or mortal ways, the state, unfortunately, has a legitimate interest in knowing as much as it can about everyone's doings :(

    This is not even something that will be inflicted on an unwilling populace- it's something they'll demand.

    You can see this principle in action today. Virus writers hurt a whole lot of people but it's just a little damage. So the state has created the new category of cybercrime and pursues offenders with a little vigor.

    They pursue with a lot more vigor small groups who want to mortally harm small groups of people, say at a mall by shooting it up.

    They pursue with yet more vigor and money small groups who want to acquire WMD and any person or entity who wants to help them. This is something we (allegedly) go to war over, the point being that at least Congress conceives of this as being worthy of an all-out national response; whether they're right on the facts or wrong is irrelevant in this context.

    As technology progresses, the number of people needed to inflict damage tends towards one. The type of damage that person can inflict tends towards death and disability. The number of people that damage can be inflicted upon tends towards hundreds, then thousands then millions. All three variables moving independently yet all trending overall towards their mayhem extrema.

    It will serve us to remember that this is a basic fact about the world and the future that is no one's fault. The changes to come between individuals and the state are inevitable.

    The challenge for the future is how do we structure society and redefine the roles of state and individual so that we can keep ourselves safe against the lone psycho with the nano-lab in the basement AND ALSO have a free, democratic and trusted form of government? How can we create a government that is at once radically more transparent and trustworthy than the one we have now and also opaque enough to be able to wage devastating, indefensible, asymmetrical warfare on any one individual anywhere in the world at any time?

    I dunno.