Anti-virus software out of its league with Stuxnet and Flame
In an editorial for Ars Technica, F-Secure's Chief Research Officer Mikko Hypponen admits to his company's failure in detecting viruses such as Flame and Stuxnet in a timely manner. In the article, he tries to explore the reasons for this and argues that the anti-virus industry as a whole has struggled with these new viruses.
According to Hypponen, F-Secure has discovered that it has had a specimen of Flame in its internal databases since 2010, but that it arrived through automated submission processes which never raised any flags warranting closer scrutiny by human engineers. Other anti-virus vendors report having received samples of Flame even earlier, with much the same result. This means that Flame was operating undetected, hidden in plain sight, for over two years.
Stuxnet and Duqu used similar strategies to remain undetected, says Hypponen. That malware was even digitally signed to give it an air of legitimacy. The developers also eschewed the usual code obfuscation techniques so as not to trip any automatic detection systems. With Flame, its creators also used components such as SQLite, SSH, SSL and Lua, which made the program look more like a bona fide database or library than like traditional malware.
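The retrospective search Hypponen describes, in which a vendor checks how long a now-known sample sat unflagged in its archive, is a routine a defender can script. The following is an added example and not code from the article, F-Secure or any vendor: it indexes a constructed sample archive (placeholder digests and dates, not real Flame or Stuxnet hashes) and, given a set of newly identified hashes, reports the dwell time of each hit, together with a backlog sweep that lists old, automatically classified samples no analyst has ever looked at.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ArchiveEntry:
    """One row of a (constructed) vendor sample archive."""
    sha256: str           # placeholder digest, constructed for this example
    first_seen: date      # when the automated submission pipeline stored it
    auto_verdict: str     # verdict the automated classifier gave at the time
    analyst_reviewed: bool


# Constructed archive standing in for a vendor's internal database.
# The hashes are made-up strings, not real indicators.
ARCHIVE = [
    ArchiveEntry("a1" * 32, date(2010, 6, 1), "unknown", False),
    ArchiveEntry("b2" * 32, date(2011, 2, 9), "clean", False),
    ArchiveEntry("c3" * 32, date(2012, 1, 20), "malicious", True),
    ArchiveEntry("d4" * 32, date(2012, 5, 1), "unknown", False),
]


def retro_hunt(archive, newly_identified, discovery_date):
    """For each now-known hash already in the archive, report how long it sat
    there and what the automated pipeline had concluded about it."""
    index = {entry.sha256: entry for entry in archive}
    findings = []
    for digest in sorted(newly_identified):
        entry = index.get(digest)
        if entry is None:
            continue  # never seen before; nothing to learn retrospectively
        findings.append({
            "sha256": digest,
            "dwell_days": (discovery_date - entry.first_seen).days,
            "auto_verdict": entry.auto_verdict,
            "analyst_reviewed": entry.analyst_reviewed,
        })
    return findings


def stale_unreviewed(archive, today, min_age_days):
    """Backlog sweep: samples older than min_age_days that the automated
    classifier did not call malicious and that no human has ever examined.
    Oldest first, so the longest-ignored samples are queued for review first."""
    candidates = [
        entry for entry in archive
        if not entry.analyst_reviewed
        and entry.auto_verdict != "malicious"
        and (today - entry.first_seen).days >= min_age_days
    ]
    return sorted(candidates, key=lambda entry: entry.first_seen)


if __name__ == "__main__":
    discovered = date(2012, 5, 28)
    # Suppose an external report publishes two hashes; one is already archived.
    for hit in retro_hunt(ARCHIVE, {"a1" * 32, "ff" * 32}, discovered):
        print(hit)
    for entry in stale_unreviewed(ARCHIVE, discovered, min_age_days=365):
        print(entry.sha256[:16], entry.first_seen, entry.auto_verdict)
```

The dwell-time figure is what turns a stored sample into an incident: a hit that shows hundreds of days with verdict "unknown" and no analyst review is exactly the gap the article describes. The backlog sweep is the cheaper, proactive counterpart, which surfaces such samples before an outside report does.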
The virus expert concludes that traditional anti-virus software can protect its users from commonplace attacks such as banking trojans, keyloggers or the usual worms and viruses transmitted via email, but that it is helpless against targeted attacks being perpetrated by professional developer teams which are well funded by state-owned organisations. These developers apparently used a variety of off-the-shelf anti-virus tools to test their creations. Hypponen's sobering diagnosis: "Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game."
The reality is grimmer than Hypponen will admit, however. Criminals who are building banking trojans such as Zeus and SpyEye actually have a comparable workflow to whoever created Flame, Duqu and Stuxnet. They are highly organised, motivated and have similar resources at their disposal. Testing one's own viruses with available anti-virus software to make them harder to detect is a widespread modus operandi. Current numbers from the ZeuS Tracker project, for example, show that the detection rate for this kind of malware is still below 40 per cent. There are 294 variants of the virus that cannot be detected with anti-virus software even today.
The H's FAQ on Flame explains that the major difference between Flame and more conventional malware such as Zeus can be found in the low rate of infections. Since Flame is explicitly designed to spread as little as possible, it was a lot less likely that it would be discovered and could stay hidden for a much longer time. But even without such a low rate of infection as Flame's 1,000 machines in two years, it seems that defending against more everyday banking trojans such as Zeus is still hard work for current anti-virus software – and the effort often does not succeed.