Flame: a glimpse into the Bermuda triangle of malware

The AV industry only knows what victims of targeted attacks choose to share.

The bloated, modular Flame malware may or may not be the biggest threat since Stuxnet, but its tardy discovery highlights the limits of antivirus in a world where governments are investing heavily in offensive cyber capabilities.

Today, two days after Kaspersky’s Flame announcement and over two years since Flame’s speculated creation, nearly every antivirus vendor has added a signature for it.

It’s likely these signatures won’t add to the security of the billions of businesses and individuals who fell outside Flame’s Middle Eastern targets, but no matter how narrow its focus, it was missed.

F-Secure’s chief malware analyst, Mikko Hypponen, on Monday lamented the industry’s failure to identify Stuxnet, Duqu and now Flame before they had been “spreading for years”.

While none of these threats affected the masses, any AV vendor with a major government contract would have preferred to know about each of them earlier than 'years' afterwards.

Johannes Ullrich, chief technology officer of the SANS Internet Storm Center, tells CSO.com.au that it was the way the AV industry sets its priorities, rather than Flame’s technical prowess, that let it escape attention.

“Flame was used in targeted attacks. Antivirus vendors typically prioritise samples based on how many reports they receive about a particular specimen,” says Ullrich.

“In this case, it appears that the people behind Flame were careful enough to only affect few hosts—to stay below this threshold. Only Kaspersky's publicity around this malware made other anti-virus vendors add signatures for it.”

As Sophos’ Graham Cluley pointed out yesterday, the company faces around 100,000 “new pieces of malware” each day. Even factoring in the magnifying effect of ‘polymorphic’ threats, a fraction of that volume is likely enough to warrant some prioritisation.

On the other hand, vendors have a very good reason not to ignore narrow attacks if and when they detect them.

“I believe there is a triage in place for vendors,” Marcus Carey, a former cryptography specialist for the NSA and now security researcher for Metasploit-owner, Rapid 7, tells CSO.com.au.

“They also keep in mind how lucrative government contracts are, which places malware that targets governments and large organisations on a higher priority.”

The problem for AV vendors when it comes to such narrowly defined attacks is that they are at the whim of the target.

“Sometimes governments do not share malware samples with the vendors for weeks, months, and up to a year in some cases,” says Carey.

“Even in this case, Iran says that they identified the malware and removed it in early May; however, they didn't share the info with AV vendors.”

Whether it’s the volume of malware forcing vendors to prioritise, or government agencies’ unwillingness to share information with their suppliers, if either is true, antivirus vendors appear set to miss more targeted malware as governments expand ‘offensive’ cyber capabilities.

At the recent AusCERT conference, Hypponen pointed out that defence contractors like Northrop Grumman, Raytheon, and Lockheed Martin are hiring ‘cyber software engineers’ with the skills to develop offensive cyber tools.

If a defence contractor is behind it, as F-Secure suggested today, they would probably not be mystified by the discovery of the Lua programming language in Flame.

Lua might be the preferred language of game makers like Angry Birds creator Rovio, but Carey points out it is also preferred by several widely-used penetration testing tools.

“The fact is that penetration testers have been using tools that heavily leverage the Lua programming language for the last couple of years,” says Carey.

Examples include the Nmap network scanner, the Wireshark packet analyser, and the Snort intrusion detection system.

“In software development it is common to re-use software to meet various goals. It doesn't make much sense to re-invent the wheel, so attackers, including ‘state sponsored’, use readily-available exploits and frameworks to meet their objectives,” says Carey.

Stories by Liam Tung