Slashdot Mirror


Antivirus Firms Out of Their League With Stuxnet, Flame

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"

18 of 233 comments

  1. Helps when you have the OS companies helping by trout007 · · Score: 5, Interesting

    I mean seriously does anyone think the OS companies aren't in on this type of operation?

    It reminds me of the CIA-Xerox story.

    http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm

    --
    I love Jesus, except for his foreign policy.
    1. Re:Helps when you have the OS companies helping by Narcocide · · Score: 5, Interesting

      Well, that's one good theory, but I suppose that if it's possible to make a virus like Stuxnet primarily target only computers that control Iranian uranium-enriching centrifuges, it would also be possible to write the same virus to *avoid* activating itself anywhere in sight of machines owned by anti-virus corporations.

      There's still some level of plausible deniability here; the real question is what to do about the fact that installing anti-virus software in the first place is, while not effective enough, also the limit of most users' capability to secure their computers.

    2. Re:Helps when you have the OS companies helping by trout007 · · Score: 5, Informative
      --
      I love Jesus, except for his foreign policy.
    3. Re:Helps when you have the OS companies helping by PPH · · Score: 5, Interesting

      The tin foil hatters who worry about NSA-mandated back doors should be worrying about how many code signing keys the CIA/FBI/NSA/Pentagon have extracted from Microsoft. Or borrowed from gov't contractors (Boeing/Lockheed/etc).

      And how many US-based AV companies have "found something" out there on the Internet and put it into their database, but then failed to act on it at the behest of one of these TLAs?

      That may be one reason Kaspersky has blown the whistle on a few things recently. How is the NSA going to call a Russian company and ask them to sit on some information without that making its way into their intelligence services? And used as leverage in future political events?

      --
      Have gnu, will travel.
  2. P.S. by CajunArson · · Score: 5, Insightful

    If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  3. Please, it's "Lua", not "LUA" by TimHunter · · Score: 5, Informative

    "Lua" (pronounced LOO-ah) means "Moon" in Portuguese. As such, it is neither an acronym nor an abbreviation, but a noun. More specifically, "Lua" is a name, the name of the Earth's moon and the name of the language. Like most names, it should be written in lower case with an initial capital, that is, "Lua". Please do not write it as "LUA", which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write "Lua" right!

    http://www.lua.org/about.html

    1. Re:Please, it's "Lua", not "LUA" by Eth1csGrad1ent · · Score: 5, Funny

      Ahh yes, Lua... that's tied to Angry Birds, isn't it?

  4. It is very simple. Virus "protection" isn't by Anonymous Coward · · Score: 5, Insightful

    You cannot solve the virus problem as it is an impossible situation.

    The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

    The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.

    Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross-licensing powers could hire... but they usually have "anti-poaching" agreements as well. This results in a lack of cross-training in various techniques of programming, and promotes internal bad practice... and the development of bad policies on how to program.

    1. Re:It is very simple. Virus "protection" isn't by RobbieThe1st · · Score: 5, Interesting

      To be fair, giving out your OS encryption keys to "friendly" nation-states for signed malware basically means that your OS, no matter how securely designed, will always have such malware.

    2. Re:It is very simple. Virus "protection" isn't by Anonymous Coward · · Score: 5, Interesting

      You don't even need to "give" them out. Flame was "signed by Microsoft" by exploiting a vulnerability in Terminal Services Licensing Server.

      "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

      from Microsoft releases Security Advisory 2718704
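
The advisory quoted above describes a CA that was meant to issue licensing certificates but whose certificates could also sign code. The following is an added example, not code from the Slashdot thread or from Microsoft: it builds a constructed chain in memory with Go's crypto/x509 (a root, a "licensing" CA whose only extended key usage is an arbitrary stand-in OID invented here, a proper code-signing CA, and a leaf under each) and contrasts a verifier that only walks signatures back to the trusted root with one that requires every CA in the chain to be permitted to delegate the code-signing purpose. The certificate names, serial numbers and the OID are all assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for a "licensing only" extended key usage: an arbitrary
// private-enterprise OID chosen for this example, not Microsoft's real one.
var oidLicensingOnly = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Scenario: one constructed root, a licensing CA and a code-signing CA under it,
// and a code-signing leaf issued by each of the two CAs.
type Scenario struct {
	Root, LicensingCA, CodeSigningCA     *x509.Certificate
	LeafViaLicensing, LeafViaCodeSigning *x509.Certificate
}

func template(cn string, serial int64, ca bool, eku []x509.ExtKeyUsage, other []asn1.ObjectIdentifier) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		UnknownExtKeyUsage:    other,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue mints a P-256 key for t and signs t with parentKey; a nil parent means self-signed.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func BuildScenario() Scenario {
	cs := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	root, rootKey := issue(template("Constructed Root CA", 1, true, nil, nil), nil, nil)
	lic, licKey := issue(template("Constructed Licensing CA", 2, true, nil, []asn1.ObjectIdentifier{oidLicensingOnly}), root, rootKey)
	csCA, csKey := issue(template("Constructed Code Signing CA", 3, true, cs, nil), root, rootKey)
	rogue, _ := issue(template("rogue.exe signer", 4, false, cs, nil), lic, licKey)
	legit, _ := issue(template("legit.exe signer", 5, false, cs, nil), csCA, csKey)
	return Scenario{Root: root, LicensingCA: lic, CodeSigningCA: csCA, LeafViaLicensing: rogue, LeafViaCodeSigning: legit}
}

// NaiveSignatureChain is what a lenient verifier does: check that each signature chains
// to the trusted root. It never asks what each CA was allowed to issue, so the rogue leaf passes.
func NaiveSignatureChain(leaf, inter, root *x509.Certificate) error {
	if err := inter.CheckSignatureFrom(root); err != nil {
		return err
	}
	return leaf.CheckSignatureFrom(inter)
}

// VerifyCodeSigner builds the chain and requires every CA in it to permit the code-signing
// purpose; a licensing-only CA cannot delegate it (CertificateInvalidError, IncompatibleUsage).
func VerifyCodeSigner(leaf *x509.Certificate, inters []*x509.Certificate, root *x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: pool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	s := BuildScenario()
	fmt.Println("signature walk, rogue chain:", NaiveSignatureChain(s.LeafViaLicensing, s.LicensingCA, s.Root))
	fmt.Println("EKU-aware,      rogue chain:", VerifyCodeSigner(s.LeafViaLicensing, []*x509.Certificate{s.LicensingCA}, s.Root))
}
```

The signature walk returns nil for the rogue chain, because the leaf really was signed by a CA that really chains to the root; only the EKU-aware verifier rejects it. The same library also refuses chains whose certificates are signed with MD5, so a modern verifier would reject the other half of the technique the advisory describes even without an explicit check.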

    3. Re:It is very simple. Virus "protection" isn't by drinkypoo · · Score: 5, Interesting

      When Microsoft finally got around to making a new TCP stack for Vista they reintroduced all the old bugs that were in the old stack because they proceeded from the same assumptions, forgot everything they learned improving the old stack, and went boldly forth like complete assholes. As a result you could teardrop or LAND Vista RCs. How does this happen? Because they were not using good programming practices.

      So it's true, you can't make NO vulnerabilities. But you CAN adopt not just good but proper practices that reduce the number of vulnerabilities you create. This is something Microsoft should try.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
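
The comment above names teardrop and LAND as the classic malformed-packet attacks a TCP/IP stack must survive. As an added example that is not part of the thread, here is a small Go inspector that recognises both patterns on raw IPv4 packets: LAND is a TCP SYN whose source address and port equal its destination, and teardrop is an IP fragment whose byte range overlaps an earlier fragment of the same datagram. The packets are constructed inline for the example (addresses and ports are arbitrary and the IP header checksum is left zero), so it runs offline.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Verdict is what Inspect reports for one IPv4 packet.
type Verdict string

const (
	OK       Verdict = "ok"
	LAND     Verdict = "LAND: TCP SYN whose source address:port equals its destination"
	Teardrop Verdict = "teardrop: IP fragment overlaps an earlier fragment of the same datagram"
)

type fragKey struct {
	src, dst [4]byte
	id       uint16
}

type span struct{ start, end int }

// Inspector remembers the byte ranges already seen for each in-flight datagram
// (keyed by source, destination and IP ID) so overlaps can be caught across packets.
type Inspector struct{ frags map[fragKey][]span }

func NewInspector() *Inspector { return &Inspector{frags: map[fragKey][]span{}} }

// Inspect takes one raw IPv4 packet (no link-layer header) and classifies it.
func (in *Inspector) Inspect(pkt []byte) (Verdict, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return "", fmt.Errorf("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(pkt[2:4]))
	if ihl < 20 || total < ihl || len(pkt) < total {
		return "", fmt.Errorf("inconsistent IPv4 lengths")
	}
	var key fragKey
	copy(key.src[:], pkt[12:16])
	copy(key.dst[:], pkt[16:20])
	key.id = binary.BigEndian.Uint16(pkt[4:6])
	flagsFrag := binary.BigEndian.Uint16(pkt[6:8])
	moreFrags := flagsFrag&0x2000 != 0
	offset := int(flagsFrag&0x1fff) * 8
	payloadLen := total - ihl

	// Teardrop: a fragment whose byte range overlaps one already recorded.
	if moreFrags || offset > 0 {
		s := span{offset, offset + payloadLen}
		for _, prev := range in.frags[key] {
			if s.start < prev.end && prev.start < s.end {
				return Teardrop, nil
			}
		}
		in.frags[key] = append(in.frags[key], s)
		if offset > 0 {
			return OK, nil // only the first fragment carries the TCP header
		}
	}

	// LAND: a SYN addressed to itself (same address and same port both ways).
	if pkt[9] == 6 && payloadLen >= 20 {
		tcp := pkt[ihl:total]
		sport := binary.BigEndian.Uint16(tcp[0:2])
		dport := binary.BigEndian.Uint16(tcp[2:4])
		if tcp[13]&0x02 != 0 && key.src == key.dst && sport == dport {
			return LAND, nil
		}
	}
	return OK, nil
}

// ipv4 assembles a constructed IPv4 packet for the examples; the header checksum is left zero.
func ipv4(src, dst string, id, flagsFrag uint16, proto byte, payload []byte) []byte {
	h := make([]byte, 20, 20+len(payload))
	h[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(h[2:4], uint16(20+len(payload)))
	binary.BigEndian.PutUint16(h[4:6], id)
	binary.BigEndian.PutUint16(h[6:8], flagsFrag)
	h[8] = 64 // TTL
	h[9] = proto
	copy(h[12:16], net.ParseIP(src).To4())
	copy(h[16:20], net.ParseIP(dst).To4())
	return append(h, payload...)
}

// tcpSYN is a constructed 20-byte TCP header with only the SYN flag set.
func tcpSYN(sport, dport uint16) []byte {
	t := make([]byte, 20)
	binary.BigEndian.PutUint16(t[0:2], sport)
	binary.BigEndian.PutUint16(t[2:4], dport)
	t[12] = 0x50 // data offset 5 words
	t[13] = 0x02 // SYN
	return t
}

func main() {
	in := NewInspector()
	v, _ := in.Inspect(ipv4("10.0.0.5", "10.0.0.5", 1, 0, 6, tcpSYN(139, 139)))
	fmt.Println(v)
	in.Inspect(ipv4("10.0.0.9", "10.0.0.5", 7, 0x2000, 17, make([]byte, 36))) // first fragment, MF set
	v, _ = in.Inspect(ipv4("10.0.0.9", "10.0.0.5", 7, 3, 17, make([]byte, 4))) // offset 24, inside the first
	fmt.Println(v)
}
```

The overlap test is the general one (any intersection between a new fragment and an earlier one), so it catches the teardrop case of a second fragment landing inside the first as well as other overlapping-fragment variants, while adjacent fragments that merely touch are left alone.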
  5. Maybe it's up to the OS by Dan9999 · · Score: 5, Interesting
    AV software is picking up the slack for badly designed operating systems. Kernels, drivers, the shell, the UI of software, management control and process control have all spiralled out of sync in their evolution in all OSes, bar none, which is a perfect breeding ground for this.

    Come on, OSes, raise that bar so that AV companies can do the same.

  6. Wah... by Anonymous Coward · · Score: 5, Funny

    Wha. We suck. But, what can you do?

    Your subscription has expired. Please upgrade to Our Steaming Pile 2013. Now with more steam. Also, we hid some options to make it more challenging/interesting for you!

  7. Re:First, antivirus authors used generic tools to. by Toth · · Score: 5, Interesting

    Interesting article at the Internet Storm Center "Why Flame is Lame"
    http://isc.sans.edu/diary.html?storyid=13342#comment

  8. AV companies outside their element? by slack_justyb · · Score: 5, Informative

    I've not held much faith in anti-virus companies. Never was I under the impression that AV software would stop a *real* virus. To me, anti-virus software is just a way to keep the script kiddies and adware ActiveX controls off a system. Good computing habits preclude the need for AV software. Just my two cents.

  9. A better solution: by bmo · · Score: 5, Funny

    Release armies of flying cats.

    Because if you're going to ignore what's in your database for two years, well, flying cats are better.

    https://www.youtube.com/watch?feature=player_embedded&v=-S4DZ_aWNuU#!

    --
    BMO

  10. A: because it breaks the flow of a message by DNS-and-BIND · · Score: 5, Funny

    Q: Why is starting a comment in the Subject: line incredibly annoying?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  11. Re:First, antivirus authors used generic tools to. by bughunter · · Score: 5, Interesting

    but it gets a bit kinky later where they're detecting themselves...

    It's not kinky at all. They all do it, most of them nearly every day, but few of them admit it.

    Kinky is two of them detecting each other...

    --
    I can see the fnords!