The Failure of Anti-Virus Companies to Catch Military Malware

Mikko Hypponen of F-Secure attempts to explain why anti-virus companies didn't catch Stuxnet, DuQu, and Flame:

When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.

What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.

It wasn’t the first time this has happened, either. Stuxnet went undetected for more than a year after it was unleashed in the wild, and was only discovered after an antivirus firm in Belarus was called in to look at machines in Iran that were having problems. When researchers dug back through their archives for anything similar to Stuxnet, they found that a zero-day exploit that was used in Stuxnet had been used before with another piece of malware, but had never been noticed at the time. A related malware called DuQu also went undetected by antivirus firms for over a year.

Stuxnet, Duqu and Flame are not normal, everyday malware, of course. All three of them were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered.

His conclusion is simply that the attackers -- in this case, military intelligence agencies -- are simply better than commercial-grade anti-virus programs.

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

We really should have been able to do better. But we didn’t. We were out of our league, in our own game.

I don't buy this. It isn't just the military that tests its malware against commercial defense products; criminals do it, too. Virus and worm writers do it. Spam writers do it. This is the never-ending arms race between attacker and defender, and it's been going on for decades. Probably the people who wrote Flame had a larger budget than a large-scale criminal organization, but their evasive techniques weren't magically better. Note that F-Secure and others had samples of Flame; they just didn't do anything about them.

I think the difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily. It was never a priority to understand -- and then write signatures to detect -- the Flame samples because they were never considered a problem. Maybe they were classified as a one-off. Or as an anomaly. I don't know, but it seems clear that conventional non-military malware writers who want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu.

EDITED TO ADD (6/23): F-Secure responded. Unfortunately, it's not a very substantive response. It's a pity; I think there's an interesting discussion to be had about why the anti-virus companies all missed Flame for so long.

Posted on June 19, 2012 at 7:11 AM • 59 Comments

Comments

Pun CrockerJune 19, 2012 7:37 AM

They can protect you against run-of-the-mill malware

... but not run-of-the-mall milware?

kevinJune 19, 2012 7:52 AM

Also, American anti-virus companies are forbidden to do business with Iran. That knocks out the two industry leaders, Symantec and McAfee, so Iran was probably not running enterprise-grade security software with behavioral analysis that could identify and neutralize 0-day threats. I'm not suggesting that these companies' products would have stopped Stuxnet or Flame, but in this case they weren't even competing.

lolzJune 19, 2012 8:29 AM

AV also doesn't prevent guys like Max Vision from side channel attacking bank employees and getting into their network. He would just change its signature in a VM and test it with the latest installs of any AV software. Hell you can't even flush pesky search engine hijacking malware with most AV not at all surprised

Marc EspieJune 19, 2012 8:32 AM

When I talk about IDS systems, I always tell my students "never use an IDS system without tweaking it a little bit. Attackers have access, they can do so too."

I think that midterm, it's what anti-virus writers have to do. Write polymorphic anti-virus, manage a way to ship it so that customers do not have the exact same product.

There's fuzz in virii. It's deluded to think a non-fuzz anti-virus is going to be able to compete :)

BillJune 19, 2012 8:33 AM

I wouldn't be too worried about the Iranians running enterprise grade security software. The good guys were and probably wouldn't have found it either. This ability to spot so called 0 days threats is pretty specious at best....

BrettJune 19, 2012 8:39 AM

The AV Industry mission is probably along the lines of doing the most good for the most. They provide countermeasures to what is perceived as the most significant threats (fastest propagating, largest number of targets, most costly to the mass market). The 'one-offs' and slow-and-low (not fast propagating, under the radar, no large impact) are ignored (sorry - 'ignore' is a poor word in english) - the AV industry assigns a low priority, and they have finite resources which are assigned to high priority, high threat, high value malware.

This follows that in cyber terms, the impact of a malware ("weapon") is inverse to its targeting. A targeted malware will affect fewer and have a low collateral impact to the non-targeted (the intent being the massively impact the target). A mass malware is designed to propagate so that it might by chance or ratio discover a valuable target or just cause general mayhem. Both the creator of targeted and of mass malware have access to all the defensive technologies, for analysis and testing of the malware, and thus can create a more effective attack.

mmutooJune 19, 2012 8:39 AM

I also think that it is highly likely that whoever designed this malware, paid the antimalware companies to ignore it.

Clive RobinsonJune 19, 2012 8:40 AM

This. is a case of,

If it looks like a duck,
Quacks like a duck
and waddles like a duck

Why would you think it was a goose?

Esspecialy if it was not crapping on your front patch...

Basicaly you don't have time to do a real deep analysis of every bit that crosses your door stop. So if it looks like a legitimate package update (signiture failure issue, both the MS Digsig & Malware detect sig) then you don't waste time on it. Also if there is no harm pointing at it then you realy have no reason to look at it either.

This is the danger of "APT" and it's a message that gets lost in all that silly rhetoric from the "China APT" mob in the US and other places looking to raise yet more "Reds under the bed".

The simple fact is AV has never been a real solution to malware. All it does is "sometimes" catch specific incidents of a type of attack. Proper "product patching" stops the whole class of attacks past present and future on that instance of attack vector.

DilbertJune 19, 2012 8:49 AM

So what's the problem here? Let's take Stuxnet for example. This was designed to specifically cause problems for a particular brand of centrifuge. So what if it compromises your windows box through a 0-day exploit. If you're not connected to the correct type of centrifuge then there's no impact to your systems. If there's no impact to your systems, how do you know this is malware? It has to DO SOMETHING to be detected and identified as malware. I'm sure there is a ton of ("beta", or specific "targeted") malware propagating the 'net right now that isn't doing anything to most general-use computers. So there's no malicious activity to detect and raise suspicions. Make sense?

jujifruitJune 19, 2012 8:57 AM

So I actually think Mikko's points are good ones, and also help support Bruce's argument for military malware treaties. If the military can recruit the highly skilled people to do this, and fund it well beyond commercial protections, then the general population becomes less protected. At some point, if the military grade malware becomes so advanced, then do we have to become reliant on our governments to try to protect our systems even when they are trying to simultaneously subvert them for surveillance?

kashmarekJune 19, 2012 9:02 AM

But, "conventional non-military malware writers" are greedy. The classic example of this is SPAM. If 10,000 messages didn't garner any suckers, try 100,000. If that fails, try one million. When that fails, try 10 million then 100 million. When that fails, do 100 million daily...etc. etc. ad nauseam.

In its early stages, advertising worked because is was low key and almost stealthy. Today, advertising is in the late stages, reflecting greed (and desperation). Politics exhibits a similar behavior; if millions of dollars in political ads doesn't work, try billions of dollars of...etc. etc. ad nauseam.

RandomName989UHFJune 19, 2012 9:09 AM

@Dilbert: Have you ever heard of collateral damages ? In the case of Stuxnet, it's the same as classic war. Some outside boxes were hit and transmitted the worm which shouldn't have gotten out of the Natanz plant. If your computer has a BDOS every time you launch it, it can be a real pain.

For me Mikko has done a great analysis of the situation of AV in general, not specifically for state-sponsored malwares. AV have never been on the attack side, but in its essence will always be on the defense.

charlieJune 19, 2012 9:12 AM

Antivirus is not the best solution to malware, its easy to break them. What is the alternative you suggest ?

Michael BradyJune 19, 2012 9:30 AM

@ Pun Crocker

They can protect you against run-of-the-mill malware

... but not run-of-the-mall milware?

Milware. I like it. Very cyber-stylish.

xenoJune 19, 2012 9:34 AM

www.phrack.com/issues.html?issue=58&id=7#article

www.informit.com/articles/article.aspx?p=23463&rll=1

www.securityfocus.com/columnists/442/2

arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/

www.symantec.com/connect/articles/hacker-tools-and-their-signatures-part-three-rootkits

blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

securitywatch.eweek.com/rootkits/rootkits_on_a_pci_card.html

www.securityfocus.com/news/11372?ref=rss

Patrick G.June 19, 2012 9:38 AM

What it clearly shows is that most Anti-Virus-Suites' Intrusion Detection Systems and Heuristic Engines aren't worth a penny against the unknown malware they are sold against.

So scanning known signatures is still the bread & butter of any AV software, but it is of very limited use against anything new, well programmed and/or uncommon.

Especially if the AV vendors tend to sit on malware samples for years (for whatever reason)...

Walt HowardJune 19, 2012 10:00 AM

It's easy enough to evade Anti Virus programs.

Just run all the AVs against your program and see if they detect it. If so, tweak, repeat and rinse until you are not detected.

This can be used against IDS too.

AV writers need to change their techniques constantly to avoid this.

Poul-Henning KampJune 19, 2012 10:15 AM

"Virus/Malware-scanning" and similar "inspection" methods are mathematically proven to be unable to spot all malware.

The argument and proof that this is so is laid out beautifully and intelligently in Hoffstaedters book from 1979: "Goedel, Escher, Bach".

If you have not read this book, you should do so.

While you read, keep at the back of your head that most malware-scanners have a positive list of other "legitimate" malware-scanner programs, in order to not flag them as malware. You will laugh about this at a certain point in the book.

Another irony is that the APIs added to mainstream operating systems for these malware-scanners to hook into provide deliciously powerful attack vectors for malware, giving access to system events that no 3rd party software should ever have control over or access to, in a well designed computing environment.

Malware-scanners are security-theater.

The only reason they should not be summarily thrown out, is that the security model of the computing environments they "protect" is even worse, so they actually manage to increase security.

rdmJune 19, 2012 10:15 AM

I like to say that a secure system is one that behaves the way the person responsible for it intends.

Note that this means that most systems are woefully insecure. "User Friendliness" is the core issue here (on both sides of the fence). Our systems are not built to be easy to comprehend, except at a superficial level.

In other words, the "virus problem" is a symptom of the fact that our systems need to be deeply user friendly -- and currently they are not.

Deep user friendliness requires computer literacy, and it runs into some intractable problems when viewed from certain perspectives. It's related to the design of interfaces, of debuggers, of modules, and of hardware and of the communication protocols that we employ. In some sense it's "not a priority" but in another sense it has to do with what differentiates successful products from unsuccessful products (and, unfortunately, not always in a good way).

In the long run, though, I think that its lack is going to drive people out of business who neglect it too much, because they will have competitors with unfair insights into their businesses -- their more literate competitors will have systematic advantages. In the short run, though, the competitive risks are completely different -- you can't get away from focused and directed efforts making a difference.

dragonfrogJune 19, 2012 10:49 AM

I rather suspect the "automated reporting mechanisms" through which they received the files were something like www.virustotal.com

What that service offers is a place to upload files you're not sure of, and have them scanned by 40 or so AV engines. The samples are also forwarded by some automated process to the AV vendors.

Probably tens of thousands of people upload thousands of files a day, many of which turn out to be perfectly innocent files.

I upload innocent files all the time - if a computer I'm examining may have had a virus infection, I'll upload any DLLs or EXEs created or modified within a few days of when I suspect an infection took place. Most turn out to be innocuous.

In that case, having a sample would just have meant that some files from Flame would have been in an enormous list of 'things someone uploaded to have checked out and no vendor's AV alerted on them'. You can't very well expect any company to spend much time on every entry in such a list.

MuhammadJune 19, 2012 11:04 AM

Listen up Stuxnet, Duqu and Flame writers, if you can hide your virus within your beloved country's software company operating system, then, don't ever think that your enemy will not respond. Mind it... Don't ever forget Newton's third law...

"For every action there is equal and opposite reaction".

Also, remember Nobel's quote,

"They laugh at me, the man of dynamite as the man of peace. But, since man do not understand the meaning of peace, it is important to invent something destructive, which through fear will make humans move back to peace".

HiroJune 19, 2012 11:14 AM

Isn't is true that anti-virus software can catch between 20 to 35% of all malware around? No wonder how useful anti-virus software has been.... Consumers and organizations should demand at least 80 to 85% of all malware should be caught by anti-malware software to be useful, shouldn't they?

Nick PJune 19, 2012 11:17 AM

I agree with Bruce. I doubt they were paid off b/c there are so many different AV companies in different parts of the world. As Bruce noted, it's easy enough to evade them if you're playing it slow and sneaky.

Harden your systems (incl BIOS) & networks. Quickly apply updates. Use a good sandbox (e.g. SandboxIE) or isolation scheme for untrusted apps. Periodically restore system to clean state from known good medium. Avoid using Windows or x86, if possible, to stop non-targeted sophisticated malware.

KytheJune 19, 2012 11:18 AM

"...but it seems clear that conventional non-military malware writers that want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu."

Evidently, for all we know, they already have.

greyhameJune 19, 2012 11:27 AM

Let's not forget that government agencies have access to Windows source code. That might not fully qualify as magically better, but that's a significant leg up in the arm's race.

Bill RossJune 19, 2012 11:31 AM

The fact is that the cyber military units in nation states are mission oriented and have extensive resources available to them to defeat detection methods that are commercially deployed in corporations. Usually these teams are tightly controlled and organized and they have well-rehearsed attack and defend practices. On the other hand, corporate America and the threat detection (malware, AV, Firewall and etc) companies are a loosely federated band of cyber units that have a wide variance of management skills, techniques and procedures. The best solution for the non-military cyber defense teams is to implement a cohesive and well managed and rehearsed defense-in-depth program that includes these four steps, predict, detect, defend, respond. Many companies use the last three parts of the recommended four and that is a significant mistake because companies need to implement a multiple “predict” venue which would include the analyses of the future threats and how to defend against them. Some companies are moving in this direct but many, many more, especially the big banks and etc, need to do so.

WaelJune 19, 2012 11:37 AM

@Nick P

"Quickly apply updates",
Riiiiiiiiiiiight! Especially the ones that look like ducks :)

kurt wismerJune 19, 2012 11:40 AM

it's easy to evade the scanning engine that's distributed to the customer, but it's difficult to evade the vendor. as a result, evading the engine only works for a short time for any given malware.

what made stuxnet, duqu, and flame stand out from ordinary malware isn't that they evaded the scanner engine, it's that they evaded the vendors. they were different enough from normal malware that vendors' internal automation tools didn't flag it as probable malware.

Brandioch ConnerJune 19, 2012 11:49 AM

I don't know if it was:

a. incompetence on the part of the "anti-virus" vendors (very high likelihood) or

b. the US government influenced the "anti-virus" vendors to overlook it (very high likelihood)

Nor does it matter. This just illustrates how badly computer "security" is done. Even when the people doing it know that they're a target.

They were running Windows. A product made in the USofA by a USofA company owned by USofA citizens. So you cannot trust the digital signatures.

Why weren't the Iranians running other systems in other parts of the world and comparing multiple hashes of the files on those systems? Every system would have to be infected with the same "virus" to escape detection in that case.

Do not try to identify all the suspect software. That is impossible.

Instead, focus on identifying the software that is authorized to be on that machine.

http://www.ranum.com/security/computer_security/...

kurt wismerJune 19, 2012 11:57 AM

@bruce schneier
"I think the difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily. "

this is silly. most malware these days are trojans that don't spread at all (they have to be spread by something else). and many use stealth.

however most are derivative enough that the vendors internal automation can pick out probable malware from the deluge of samples that are submitted to them.

these military-grade pieces of malware, however, had properties that are virtually unheard of in conventional malware (like stuxnet/duqu's proprietary language, or flame's incorporation of professional development components like sqlite).

f-secure (the company mikko hypponen works for) have made that essay available on their own site and have included links to some of the responses to it. readers may find it of benefit http://www.f-secure.com/weblog/archives/...

kurt wismerJune 19, 2012 12:03 PM

@brandioch conner
"Do not try to identify all the suspect software. That is impossible.

Instead, focus on identifying the software that is authorized to be on that machine."

flame spread over windows update. i doubt very much that whitelisting would have fared any better than blacklisting. people trust windows update and the binaries that come through it.

Oiko OikeinkirjoitusJune 19, 2012 12:08 PM

MIKKO HYPPÖNEN, MIKKO HYPPÖNEN, MIKKO HYPPÖNEN. There, that's how you write his name.

jJune 19, 2012 12:40 PM

@ Oiko

Strange, I know danah boyd, for example, deliberately only uses lower case for her name, but I wasn't aware Mikko preferred all caps...

(Sarcasm aside, he doesn't use the ö on what appears to be his personal site, so I don't think it bothers him as much as it does you)

Brandioch ConnerJune 19, 2012 12:41 PM

@kurt wismer
"flame spread over windows update. i doubt very much that whitelisting would have fared any better than blacklisting. people trust windows update and the binaries that come through it."

Yeah, that's why I pointed out:
A product made in the USofA by a USofA company owned by USofA citizens. So you cannot trust the digital signatures.

If only there was some way to perform additional checks. Such as:
Why weren't the Iranians running other systems in other parts of the world and comparing multiple hashes of the files on those systems?

1. Either the "virus" would not be detected as a "virus" because it was official Microsoft software ...
or
2. There would be a difference in at least one of the hashes of one of the infected files and that would provide the warning that their systems were cracked.

Again, particularly when they're using software from the USofA. If this was a movie it would be mocked for that plot hole.

NickJune 19, 2012 1:21 PM

Actually, critter-infecting bacteria often use a chemical signal to indicate when they have reached a critical mass of infection inside a host. They have attacks that are "off" until they start detecting enough of their brethren, and then they turn on and start attacking. This helps them avoid triggering immune defenses too early, as well as making sure that they don't kill the host unless they can do it in such a way that it spreads the infection to other hosts.

Here's a link that discusses this:

http://curiosity.discovery.com/question/...

If I were writing a malicious program, I'd model it on this. It would propagate slowly and essentially do nothing until and unless it had infected enough hosts, as detected by some sort of C&C or even P2P messaging system. Once enough hosts were infected, only then would it begin to perform whatever attack was intended.

CreosoteJune 19, 2012 1:53 PM

IMHO the very point of the problem is that "commercial" grade malware developers are concerned in producing some commercially interesting results, that usually involves spreading and making the machines busy in doing whatever pays back well.
Differently, special purpose malware can afford spreading slowly, selectively, and staying hidden with no action until they have something serious to do.
In this world, commercial grade A/Vs, on their side, must prove to consumers they worth the price, and since security cannot be measured until it fails, the best way in not failing is providing protection against most common menaces - that means the ones spreading faster and that are meant to target the typical buyer of the security product.

RallyJune 19, 2012 2:11 PM

How much of an antivirus company's business comes from the US government? If an antivirus company made an effort to find and uncover government malware, would this put this business at risk?

Surely these calculations are taken into account.

Michael LynnJune 19, 2012 2:32 PM

All you guys arguing that the AV companies were in on this are failing to understand both how the AV industry makes their money, and how easy it is to evade them if your target is small.

The AV industry is in business to make money. The money here comes from defending against the visible threats. The sad truth is that this almost always means they have little or no incentive to go after highly stealthy attacks. There just isn't much money in it. Even less when you consider that many of the primary targets of these attacks are in regions where it would be illegal for most to do business.

The other reason why there is no reason to think they were involved is that you can fly right past their protections for free. Its not hard at all. They are able to detect most malware because it uses very old, and very easy to fingerprint attack vectors. They catch others because they're very loud, and highly visible (spreading fast and wide).

mozJune 19, 2012 3:54 PM

I don't see the contradiction between Bruce's and Mikko's position. The Military outclasses the AV industry because they can afford not only to avoid the AV industry scanners but also to avoid their statistical analysis.

Mikko sees this from he point of view of the virus industry. You don't need to just avoid one virus company; they all compete to find the new viruses, however they also all share their newly found viruses making sure to get credit for the find. You need to avoid them all. You need to do this continually over many different file uploads over months.

There are many tools that the AV guys will use.

  • the pattern of spread
  • your standard tests with false positives turned up
  • any experimental tests you have that haven't yet been released

What resources do you need to avoid this? Probably something like:

  • a full local lab with all available virus engines in multiple configurations
  • ability to write software which specifically doesn't look like a "normal" malware
  • willingness and ability to spread in an abnormal way.
  • some insiders in the anti-virus industry
  • ability to react to new and unexpected tests before they pick up any sign of the malware

Criminals may test against most of the major AV engines. I doubt almost any of them can afford to test against all of the AV engines with all of them carefully tuned.

I bet that several, if not most of the people who worked on Flame and Stuxnet had recently been at work for AV companies. I bet they had access not just to the basic scanning engines, but also knowlege about the satistical engines. The were able to engineer their system overall so that it avoided discovery.


Careful spreading in ways unlikely to be detected was one tool. Bruce is right. The anti-malware industry just wasn't ready to deal with that kind of threat. Mikko is right.

Dirk PraetJune 19, 2012 6:47 PM

At least Mikko has the courage to facepalm himself and admit full defeat whereas many others in the AV industry initially did their very best to downplay Flame's significance.

It's a reminder to many IT and other folks out there that AV and firewalls are just two components out of a wide spectrum of security controls used in a defense-in-depth approach.

CoyneJune 19, 2012 9:14 PM

Maybe it wasn't an accident: Maybe every virus company (unknowningly?) employs a spook so as to protect vital government viruses. That's what I'd do if I were the government: Why take a chance?

No One SpecialJune 19, 2012 10:34 PM

Considering they're talking about a completely new, unknown MD5 collision attack in Flame, which suggests your not-so-run-of-the mill mathematics/cryptanalysis in some darkened room somewhere, I doubt the guys writing the anti-AV code are any less talented.

RonKJune 20, 2012 12:31 AM

@ Brett : "the AV industry ... have finite resources"

This leads to the interesting idea that someday nation-backed malware creators may decide to simultaneously release "high-profile" malware, as chaff, in parallel to the release of their important, highly-targeted stealth product.

Giuseppe56June 20, 2012 5:38 AM

AV companies are not in the business of stopping APT if by APT we mean well funded teams targetting a specific targets. They are in the business of countering untargetted "find a weak system" attacks that are a lot more "noisy" and easier to detect.
Stopping APT requires a completely different approach, I believe the best approach is to drastically reduce the attack surface in crititical systems by not using general purpose software and doing lots of white listing, code reviews and monitoring.
When the stakes are that high I wouldn't trust anything I don't have the, at least theoretical, capability to fully check and that means having as small a code base as possible.
I may choose to take the risk and not do it for costs reasons but the attacker cannot know that and will always have the doubt his investment will be for nothing.

BrettJune 20, 2012 8:12 AM

@RonK: MALWARE CHAFF! Oh, now there is another concept to add to my theses! Thanks. I really hope we don't need to go to conspiracy theories (the AV writers are pawns of the military-industrivirus complex to cause confusion while the military viruses infect.... or something like that).

And to go back to the future, let me say that
1 - we should raise awareness that militarization of the internet is BAD
2 - "Cyber Treaties" (my reference was UN Laws of the Seas - UNCLOS); I don't know if @Bruce has any specific citation here)
3 - Stuxnet/Flame etc are examples of cyber espionage. There aren't any examples of 'cyberwar' that use an established definition of (i.e. real world) war; most fall in to espionage (as current discussion covers), crimes and piracy/anarchy
54 - "Cyber weapons" probably becomes similarly useless as cyberwar - a baseball can be a weapon, as can a centerfuge, as can an airplane and all can be normal, civil, peaceful usages. So where will malware fall? what about firefox or excel?

jailhouse lawyerJune 20, 2012 9:25 AM

@Brett:

Stuxnet/Flame etc are examples of cyber espionage.

Actually Flame appears to have supported info gathering for subsequent acts of sabotage such as were implemented by Stuxnet on the Natanz centrifuges. It possibly also supported campaigns of targeted assassination against Iranian nuclear scientists. As such an argument could be made that what is involved is acts of war.

silJune 20, 2012 2:39 PM

Mikko is the same clown who stated the NSA, CIA teamed up with Microsoft on Flame... The reality behind malware and viruses is that NONE of the AV or Anti Malware company has anything down to a science. You cannot measure the unknown unknowns. Solely monitor the known knowns, make a signature, thump your chest and call yourself a great AV vendor.

Microsoft, the CIA and NSA Collude to Take Over the Internet

fooerJune 20, 2012 3:05 PM

@sil
Mikko is the same clown who stated the NSA, CIA teamed up with Microsoft on Flame

You're wrong. Mikko has never said or even remotely hinted that the NSA, CIA and Microsoft teamed up on flame.

The link you posted is written by someone named "J. Oquendo", and I doubt the J stands for "Mikko".

silJune 20, 2012 3:25 PM

Fooer: “The announcement that links Flame to Stuxnet and the conclusive proof that Stuxnet was a US tool means that Flame is also linked to the US government,” Hypponen said.

... This makes you think that this breach of Microsoft's update system was done by the Americans and most likely a US agency, someone like the NSA,” Hypponen said. “

http://www.pcpro.co.uk/news/security/375169/...

Tim WILSONJune 20, 2012 6:18 PM

This really shouldn't be too remarkable to anyone.

The Sony Rootkit(s) went undetected for an extended period of time, and in the end it was only found by a guy who, literally, probably knows more about Windows than any other one person, including all past and present Microsoft employees (except for himself, as he is now - but was not then - a Microsoft employee).

AV companies missed that until it was literally handed to them by security experts, despite multi-million infection rates over months or possibly years.

I remember the accusation - but I do not remember any proof - that major AV companies in that case were specifically asked by Sony to not detect the software, which - if true - they agreed to until the whole thing went public.

Regardless of whether AV vendors are willing to put their own customers' interests first, they are not capable of doing so.

JDJune 20, 2012 8:09 PM

Maybe Sen. Liberman just reminded the AV companies of their patriotic duties - avoid detection of .mil virus specially if the target hosts are abroad.

Feher Tamas from HungaryJune 21, 2012 11:53 AM

The AV companies did not "have Flamer samples and decided not to do anything about it". They had samples of Flamer-Skywiper and they simply did not realize it was malware!

AV companies receive at least 15k file samples per day (!), sometimes 100k and all those go through automated evaluation first, because of limited human talent resources. Only those samples that raise a flag with the AI part are elevated to the eye of a human analyst for partial disassembly and fingerprint-based recognition generation. Only the most exceptional samples warrant full disassembly.

Flamer was carefully written to be large sized and to work very much like a commercial enterprise software, so AV company AI expert systems classified its samples as benign and the samples never reached the level of human analysts (until the UN ITU computers started to BSoD in the Middle East eventually and a weird dump was obtained).

Bribing or threatening AV companies is not practical, because there are over 40 of them worldwide, under different political climates. For example Stuxnet was first outed by VirusBlokAda, a belorussian company, whose country is very much rogue and pariah to the Free World. Kaspersky is russian, Trend Micro is japanese, Panda Spain, ESET-NOD czech-slovakian, BitDefender romanian, etc. Bye!

rdmJune 21, 2012 12:37 PM

@Brett "we should raise awareness that militarization of the internet is BAD"

I believe that this virus was originally distributed via non-internet vectors (usb drive was mentioned in some reports).

The problem is that any capability for replication runs a risk of succeeding in "inappropriate circumstances". There's a fundamental conflict between secrecy and propagation.

stanley allenAugust 14, 2013 9:13 PM

I have a strong suspicion that anti-virus companies have a separate division of people who create malware and viruses and loose it into the wind to screw up computers and create a demand for anti-virus software, which is sold to the public.

The denial by various CEOs is like baseball players swearing they did not take steroids.

Hopefully, this will be fully investigated and exposed.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..