
Flame was just the start

By Jon Tullett, Editor: News analysis
Johannesburg, 22 Jun 2012

Over the last year, the fascinating saga of the Flame malware unfolded with all the ingredients of a spy thriller: secretive government agencies, industrial espionage, and weapons so hi-tech they might as well be science fiction.

Mikko Hyppönen, chief research officer at anti-virus firm F-Secure, wrote in Wired that the episode was “a spectacular failure for our company, and for the anti-virus industry in general. It's our job as an industry to protect computers against malware... we failed to do that with Stuxnet and DuQu and Flame. This makes our customers nervous.”

Now, Hyppönen has told ITWeb that he is certain other attacks are already under way. “There absolutely are other, important cases of malware out there going completely undetected,” he said.

So, what does the incident, and the AV world's meek surrender, mean for security professionals, the security industry, and the man on the street?

Is anti-virus obsolete?

Obsolete? No, not really, despite its failure with Flame. Statistically speaking, the vast majority of malware you are likely to encounter is garden-variety stuff: viruses and Trojans of the most basic sort, which signature-based anti-virus is good at preventing. Just because someone is armed with a nuke, it doesn't mean most criminals don't still carry guns and knives, so don't throw away the Kevlar vest just yet.

There has, however, been growing concern for some time: signature-based AV is definitely flawed. It gets away with being flawed, because the damage caused by the flaw is manageably small, and the investment required for a complete rethink of malware prevention was held to be more effort than it was worth. Flame blew that thinking out of the water.

Flame's authors beat the AV firms at their own game, and can probably do so at will. But, we always assume that a sufficiently determined and resourced attacker can penetrate almost any system, so why are we so concerned about Flame?

The problem is that Flame ripped open the underbelly of the anti-virus world, hitting it directly where it is most vulnerable. And it began an era of a new generation of malware we can't currently prevent.

Life cycles

The life cycle of malware is normally quite predictable: zero-day deployment, detection and reportage (usually after a payload is activated and damage is identified), the response point where signature updates are distributed, then clean-up (in parallel with exploitation of the “long tail” of users behind the update curve). Flame was no different, but it magnified the process by evading detection for so long.


Signature-based anti-virus will not - cannot - protect you against an unknown attack. If you're on the left of the “response” point of the timeline, you are a victim. That's the deal.

AV firms try to squeeze that window by building global networks to report possible malware samples as quickly as possible, creating automated tools to create signatures for new variants of known malware, and employing follow-the-sun teams of engineers around the globe to analyse and dissect malicious code to deliver protection faster. They try, in short, to move the “update” point to the left. Customers just hope they are lucky enough to dodge bullets - hope, in other words, that someone else gets infected first.

The AV companies have done well enough that a complete overhaul of malware detection (for example, to a white-list system, or developing working behaviour heuristics) doesn't make sense.

Malware authors, conversely, try to move that point to the right, to buy as much time as possible for deployment and for the payload to remain active. Any malware author has a single definitive advantage over security technologies, be they anti-virus, intrusion detection or anything else: foreknowledge. Prior to deployment, any piece of malware can be tested against every available anti-virus product to ensure it passes unnoticed. The window of infection, therefore, remains open.

Flame's success was largely due to its slow, stealthy spread and near-silent payload. In other words, its authors shoved the response point way across to the right. Instead of hours or days, it went undetected for years. Not only was it in the field without being discovered; anti-virus companies in fact already had samples of Flame, collected as potential malware, and had failed to classify or analyse them.

Where there's smoke...

How much more is out there? If Flame lay undiscovered, in the vaults at AV firms and on victim computers for so long, how many similar tools are in the field?

Probably a lot - the techniques used by Flame were too valuable to waste on a handful of operations like Stuxnet and DuQu. “When the agency behind Flame launched the attack, they must have understood that the capability to sign code as Microsoft is very, very valuable,” said Hyppönen.

“As soon as they start using it, they run the risk of this valuable mechanism getting detected and becoming worthless. So, when they started using it in 2010, they would have been stupid if they would not have been using the same mechanism in other attacks as well.”

Welcome to the club

Nor is the use of Flame itself as narrow as many think. If it was strictly a CIA/NSA tool under control of the US government, then the list of likely targets would be relatively small. But we know that at least one other state - Israel - was directly involved, either as a joint development partner or using the software with the blessing of its US allies. It was, in fact, Israel's clumsy handling of the Stuxnet network that led to its discovery, to the reported disappointment of the Americans.

Where there is one ally there may be others. Who else has access to the Flame platform, or others like it? The UK, perhaps, long an electronic intelligence partner of the US. Or internal US agencies, such as the FBI and DEA, which already use hacking tools during investigations and would clearly benefit from a targeted cyber-weapon to leverage against powerful criminal syndicates.

Flame originated in the US, but it would be dangerous to assume other states are not equally competent at cyber warfare. Other nations will have watched the unfolding Flame story with enormous interest. The fact is that a state-initiated cyber-weapon was enormously successful. It gathered intelligence, disrupted industrial processes and defeated the security industry for years. Who wouldn't want a piece of that action? It seems unlikely that any nation with a cyber-security discipline within its intelligence or military apparatus would NOT be trying to replicate the feat.

“What I'm really worried about is Russia,” said Hyppönen. “Because we've seen Stuxnet, Flame and Duqu from the US and Israel. We've seen a huge collection of espionage attacks from China. But we've seen nothing from Russian government. Nothing. And they must be doing something. This worries me.”

Heuristics

Why doesn't anti-virus software detect unknown threats? The field of heuristics - identifying patterns and suspicious behaviour and responding appropriately - has never had much success against the constantly evolving world of malware.

Turning the heuristics up to 11 unfortunately means a lot of false positives, risking panicking users or, worse, encouraging them to ignore warnings - the “just click OK” syndrome.

Criminal minds

Flame and its derivatives together form a master-class in malware creation and deployment. The security community may have done a hopeless job detecting it, but stepped up with analysis - AV firms and security researchers were practically climbing over each other to release papers detailing the internals of the malware, papers of great interest to any existing, or aspiring, malware authors. Whether other authors have the skills or resources to replicate Flame's feat is debatable, of course, and anti-virus software might have missed the early samples, but will surely spot derivatives.

Just how hard would it be to replicate? We know the basic ingredients: very well-written code, at least one zero-day operating system vulnerability, a network of command and control servers, and a means of deployment. Every piece of that puzzle is available for a price.

But don't underestimate the effort required to bring Flame to market. Consider the ingredients: multiple zero-day vulnerabilities in Microsoft Windows, a compromised digital certificate from Windows Terminal Server, a complete programming framework for extensible modules, mechanisms for capturing and secretly exfiltrating intelligence, the incredibly sophisticated attack against Siemens centrifuges in the case of Stuxnet, and all the usual botnet stuff, only better - a network of command and control servers, encryption, evasion, and the rest.

High-end organised criminal syndicates haven't achieved that level of sophistication, nor do they need to. The rinse-and-repeat process of sneaking new malware past existing signatures already works just fine. “Criminals will never go to the lengths nation-states do. It doesn't make economic sense to them,” said Hyppönen. “They don't care if their malware gets caught sooner or later; they'll just make more of them. Money talks.”

The point, of course, is that the run-of-the-mill malware authors have already figured out how to consistently defeat anti-virus. They don't need Flame.

Are you a target?

A common sentiment among security professionals is that they and their employers are not targets. Flame, Stuxnet and DuQu were created by attackers far more powerful than the average hacker, and aimed at very specific targets. Unless you're running a uranium enrichment centrifuge, Stuxnet is probably not a big concern for you.

Or is it? Several chapters in the Flame saga undermine the “I'm not a target” line of thinking. Intelligence agencies have always targeted foreign private sector firms, looking to give domestic competitors an edge. And you don't have to be the ultimate target to come into the firing line - just being part of an extended supply chain is enough. If the Stuxnet authors couldn't go after those centrifuges directly, they could have targeted Siemens, or Siemens' suppliers, to find an entry point. “Are the US intelligence agencies interested in you?” asked Hyppönen. “If so, consider yourself a target. If not, don't.” Unfortunately, it's the intelligence agencies' jobs to be interested in everyone.

There is collateral damage to consider too. Stuxnet got away from its creators, spreading beyond its original target into the general public. Because its payload was so single-minded, the damage was negligible, but the next instances (which may already be out there, as Hyppönen believes) might not be so benign.

Adjusting expectations

Maybe we just expect too much from anti-virus. Signature-based detection of known malware is still a necessary evil, and there are good tools for doing that.

Newer generations of threat, such as online spyware and mobile malware, have found this approach wanting (despite these same firms talking up the mobile threat for years).

Someone - either the anti-virus vendors or other security players - needs a new answer to modern threats. Traditional anti-virus isn't dead, or obsolete. But it is helpless against attacks like Flame, and we are only at the start of the Flame era. The whole industry needs to up its game to compete in that arena.
