The bloated, modular Flame malware may or may not be the biggest threat since Stuxnet, but its tardy discovery highlights the limits of antivirus in a world where governments are investing heavily in offensive cyber capabilities.
Today, two days after Kaspersky’s Flame announcement and over two years since Flame’s speculated creation, nearly every antivirus vendor has added a signature for it.
It’s likely these signatures won’t add to the security of the billions of businesses and individuals who fell outside Flame’s Middle Eastern targets, but no matter how narrow its focus, it was missed.
F-Secure’s chief malware analyst, Mikko Hypponen, on Monday lamented the industry’s failure to identify Stuxnet, Duqu and now Flame before they had been “spreading for years”.
While none of these threats affected the masses, any AV vendor with a major government contract would have preferred to know about each of them earlier than 'years' afterwards.
Johannes Ullrich, chief technology officer of the SANS Internet Storm Center, tells CSO.com.au that Flame escaped attention because its creators knew how the AV industry sets its priorities, rather than because of technical prowess.
“Flame was used in targeted attacks. Antivirus vendors typically prioritise samples based on how many reports they receive about a particular specimen,” says Ullrich.
“In this case, it appears that the people behind Flame were careful enough to only affect few hosts—to stay below this threshold. Only Kaspersky's publicity around this malware made other anti-virus vendors add signatures for it.”
As Sophos’ Graham Cluley pointed out yesterday, the company faces around 100,000 “new pieces of malware” each day. Even factoring in the magnifying effect of ‘polymorphic’ threats, a fraction of that is likely enough to warrant some prioritisation.
On the other hand, vendors have a very good reason not to ignore narrow attacks if and when they detect them.
“I believe there is a triage in place for vendors,” Marcus Carey, a former cryptography specialist for the NSA and now a security researcher for Metasploit owner Rapid7, tells CSO.com.au.
“They also keep in mind how lucrative government contracts are, which places malware that targets governments and large organisations on a higher priority.”
The problem for AV vendors when it comes to such narrowly defined attacks is that they are at the whim of the target.
“Sometimes governments do not share malware samples with the vendors for weeks, months, and up to a year in some cases,” says Carey.
“Even in this case Iran says that they identified the malware and removed it in early May; however, they didn't share the info with AV vendors.”
Whether it’s the volume of malware forcing vendors to prioritise or government agencies’ unwillingness to share information with their suppliers, if either is true, antivirus vendors appear set to miss more targeted malware as governments expand 'offensive' cyber capabilities.
At the recent AusCERT conference, Hypponen pointed out that defence contractors like Northrop Grumman, Raytheon, and Lockheed Martin are hiring ‘cyber software engineers’ with skills to develop offensive cyber tools.
If a defence contractor is behind Flame, as F-Secure suggested today, they would probably not be mystified by the discovery of the Lua programming language in it.
Lua might be the preferred language of game makers like Angry Birds creator Rovio, but Carey points out it is also preferred by several widely-used penetration testing tools.
“The fact is that penetration testers have been using tools that heavily leverage the Lua programming language for the last couple of years,” says Carey.
Examples include the Nmap network scanner, the Wireshark packet analyser, and the Snort intrusion detection system.
“In software development it is common to re-use software to meet various goals. It doesn't make much sense to re-invent the wheel, so attackers, including ‘state sponsored’, use readily-available exploits and frameworks to meet their objectives,” says Carey.