The subject of state-sponsored malware has become a major topic across the cybersecurity media, and for good reason: not only has it been caught in the nets of antivirus firms, but we’ve decompiled it and received confirmation from the states that released it. However, it turns out that the antivirus industry is poorly suited to detecting and stopping these threats, even though it is their job to capture, dissect, and prepare antivirus defenses against malware.
Recently, Mikko Hypponen of F-Secure, a Helsinki-based Internet security outfit, published an apology in Wired magazine for not discovering Flame earlier. As it turns out, the company’s researchers looked through their old archives and found that they had already caught Flame in their nets almost two years ago, and also held older samples of Stuxnet and Duqu.
“Yet we failed to do that with Stuxnet and DuQu and Flame,” he writes. “This makes our customers nervous.
“The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose.”
He went on to say that it was obvious that state-sponsored malware developers would have better intelligence about what flaws existed and persisted, and also better knowledge of how antivirus products worked, and would therefore be capable of writing code that evades them.
Like me, Bruce Schneier—almost super-hero level cybersecurity expert and industry pundit—didn’t find this apology very compelling.
“I don’t buy this,” said Schneier in a blog post on the subject. “It isn’t just the military that tests their malware against commercial defense products; criminals do it, too. Virus and worm writers do it. Spam writers do it. This is the never-ending arms race between attacker and defender, and it’s been going on for decades.”
I’ve mentioned before that contemporary enterprise antivirus products are obviously ill-equipped for detecting state-sponsored malware, but it certainly doesn’t look like that is because the malware is particularly more sophisticated in code than anything else out there. Instead, Schneier argues, it’s because enterprise antivirus vendors aren’t looking for state-sponsored malware, since it doesn’t often attack consumers or even corporations. It’s an issue of behavior more than brilliant coding.
“I think the difference has more to do with the ways in which these military malware programs spread,” Schneier explains. “That is, slowly and stealthily. It was never a priority to understand–and then write signatures to detect–the Flame samples because they were never considered a problem. Maybe they were classified as a one-off. Or as an anomaly. I don’t know, but it seems clear that conventional non-military malware writers that want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu.”
As I’ve said before, antivirus products are ill-equipped to detect military-grade malware because the entities that release it are generally careful not to let it loose in the wild. It doesn’t serve their purpose if it ends up in the drift nets of some random antivirus outfit and gets dissected. Most state-sponsored malware to date has been fairly specific in target and has stayed in its region or close to home as it went about its rounds (Stuxnet, in fact, suffered a bug that caused it to spread more rapidly).
It’s only proper that antivirus vendors triage the malware they collect against the limited research time they have to update their software. Something that cropped up only once or twice, doesn’t seem to have spread very far, and isn’t assailing corporate networks and customer computers alike is going to fall through the cracks in favor of something virulent.
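As an added illustration of the triage logic described above (example code, not from the post or from any vendor), the following Python models a prevalence-driven analysis queue over constructed telemetry and adds the compensating long-tail check a defender would want for samples that sit in the archive unreviewed; the sample names, counts and thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str          # constructed label for this example, not a real detection name
    shelf_days: int    # days since the first copy landed in the archive
    hits: int          # total sightings reported by sensors in that time
    orgs: int          # distinct organisations that reported it
    regions: int       # distinct countries that reported it


def spread_rate(s: Sample) -> float:
    """Sightings per day since first seen: the 'virulence' the text describes."""
    return s.hits / max(1, s.shelf_days)


def prevalence_priority(s: Sample) -> float:
    """Conventional triage score: fast, wide spread wins the analysts' time."""
    return spread_rate(s) * s.orgs * s.regions


def triage(samples):
    """Queue ordered the way the post describes: virulent first, one-offs last."""
    return sorted(samples, key=prevalence_priority, reverse=True)


def long_tail_review(samples, max_hits=5, min_shelf_days=365):
    """Compensating check: low-prevalence samples that have sat in the archive
    for a long time never rise to the top of the prevalence queue, so pull them
    out explicitly (the two-year-old Flame samples in the text are this case)."""
    return [s for s in samples if s.hits <= max_hits and s.shelf_days >= min_shelf_days]


# Constructed telemetry, chosen to mirror the article's contrast between
# run-of-the-mill malware and a slow, regionally confined targeted sample.
ARCHIVE = [
    Sample("banking-trojan", shelf_days=5, hits=40_000, orgs=900, regions=40),
    Sample("mail-worm", shelf_days=30, hits=12_000, orgs=300, regions=25),
    Sample("keylogger", shelf_days=90, hits=2_500, orgs=80, regions=10),
    Sample("slow-targeted", shelf_days=700, hits=3, orgs=2, regions=1),
]

if __name__ == "__main__":
    for s in triage(ARCHIVE):
        print(f"{s.name:16} priority={prevalence_priority(s):>14.2f}")
    print("long-tail review:", [s.name for s in long_tail_review(ARCHIVE)])
```

The prevalence queue puts the targeted sample last by several orders of magnitude; only the explicit long-tail pass surfaces it.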
The reason why Flame or Stuxnet stayed below the radar wasn’t superior programming; it was thoughtful social engineering about what dangerous malware acts like.