Flame: why was it missed for so long?

F-Secure’s Mikko Hypponen has written a mea culpa account. He admits that when the story broke over the last week, F-Secure found they had samples of the malware “dating back to 2010 and 2011, that we were unaware we possessed,” and that other anti-virus firms had even earlier evidence. “That's a failure for our company, and for the antivirus industry in general,” he writes.

It’s not the first time, he admits, citing Stuxnet and Duqu as well as Flame. “All three of them were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered.” The reality is that western states have been producing their own malware for many years. The Dutch police developed and used a trojan to warn infected users that they had been infected; the Chaos Computer Club exposed the German ‘Staatstrojaner’; and of course the FBI has its CIPAV trojan. “It's highly likely there are other similar attacks already underway that we haven't detected yet,” adds Hypponen. “Put simply, attacks like these work.”

Not everybody accepts his apology or reasons. Jericho, writing on attrition.org, is more than forthright. “For those of us in the world of security,” he writes, “hearing an antivirus company say ‘we missed detecting malware’ isn't funny, because the joke is so old and so very tragically true.” The implication from Jericho is that the AV industry is effectively incompetent (for whatever reason).

Luis Corrons, the technical director of PandaLabs, has little time for Jericho’s article, pointing out that Jericho had written, “I believe VirusTotal is the first stop for many bad guys.”

“Seriously,” responds Corrons, “the person writing that has absolutely no idea of how an antivirus lab works. Actually he doesn’t have a clue on how cybercriminals work... The very last thing a cybercriminal will do is to send a sample to VirusTotal, as that means the sample will be distributed to every antivirus company.” Kurt Wismer has a more detailed rebuttal of Jericho’s views, suggesting, “a number of the specific criticisms jericho makes are unfortunately based on an understanding of the AV industry that is too shallow.”

But if the AV industry isn’t incompetent, there remains one other possible reason for the failure to detect: that governments ask it not to. This is a suggestion that refuses to go away, but the AV industry is adamant that it never happens. “Certainly F-Secure wouldn’t have decided not to detect it because of a government request: Mikko has been very clear on that in the past,” ESET’s David Harley (who has been equally clear) told Infosecurity. “No government asked us to ‘forget’ about that or any other threat,” added Corrons.

While it is tempting to think that intelligence agencies would seek to keep their own malware undetected by applying pressure on the AV industry, the reality is that the industry’s business model makes this unlikely. Once it became known, and such things always do become known eventually, the credibility of any AV company would be instantly destroyed – and none could afford to take that risk.

Not surprisingly, Harley believes Hypponen’s analysis is accurate: Flame went undetected because it hid in plain sight. “Deliberately or not, Flamer has characteristics that put it way down on the probability scale as possible malware,” he said. “It’s exceptionally large for malware, it doesn’t have the hallmarks of obfuscation, and it’s stuffed with code that we simply don’t expect to see in malware. (Who on earth uses SQLite in malware!? Well, I guess we may find out in due course...) And it’s digitally signed. All stuff that would make it look probably legit to a heuristics engine. I guess everyone is going to have to take a long hard look at their filtering now.”

Worrying though it is, Hypponen’s own conclusion is probably accurate. “We really should have been able to do better. But we didn't. We were out of our league, in our own game.”
