
'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine


How did it slip under the radar?

The stealthy spread of Flame for at least two years before it was detected has provoked some soul-searching among segments of the security vendor community. Similarly long lags preceded the detection of Stuxnet and Duqu.

Wieland Alge, general manager EMEA at Barracuda Networks, commented: “The scariest and most shocking aspect is the length of time that Flame has remained undetected. Kaspersky’s own security experts estimate that Flame has been infecting systems and stealing data for several years, possibly as long as five years."

Mikko Hypponen, chief research officer at F-Secure, said the long undetected run of Flame and Stuxnet prior to their discovery ought not to have happened and pointed to a failure by security vendors. Hypponen is breaking the party line in even suggesting this: most vendors have been spinning the story that Flame did not spread very far, and that this is the reason it escaped detection for so long.

"The worst part of Flame? It has been spreading for years," Hypponen writes. "Stuxnet, Duqu and Flame are all examples of cases where we – the antivirus industry – have failed. All of these cases were spreading undetected for extended periods of time."

Hypponen's colleague Sean Sullivan later qualified these remarks, in a blog on the Flame outbreak, by saying that commercial antivirus products are not really designed to defend against targeted, state-sponsored spyware.

"Commercial-based antivirus and security products are designed for and focus on protecting you from prevalent classes of in the wild threats coming from criminals, thugs and digital mobsters (and it's a constant battle)," he said. "It is not designed to protect you from the digital equivalent of Seal Team Six. So if you're the guy that finds himself in the crosshairs... you're not safe."

Sullivan goes on to argue that even though the technology used by Flame was hardly innovative, its deployment was sophisticated.

"Flame is a 'limited edition' spy tool with a limited scope that was used very carefully. It didn't need to evolve. Clearly there was advanced planning involved, but that doesn't necessarily make it what we would call advanced technology."

James Todd, technical lead for Europe at FireEye, issued a blunter criticism against the shortcomings of antivirus software highlighted by the Flame outbreak: "The fact that Flame evaded detection for so long, and by so many different antivirus tools is deplorable, and proves that the speed at which malicious malware is developed is just steamrolling those organisations trying to keep up."

Secret's out

Security vendors are almost unanimous in saying that Flame poses little or no threat to anyone – even the targeted system administrators in the Middle East – now that it has been detected. "Flame is no longer a secret and so it will therefore be abandoned... Op sec has been compromised," F-Secure's Sullivan concludes.

Ollmann argues that Flame stayed under the radar because it was carefully managed, rather than because of information security failings on the part of its victims or the technologies they used.

He explained: "It would be simple to argue that these regions aren’t known for employing cutting-edge anti-malware defences and aren’t well served with local-language versions of the most capable desktop antivirus suites, but I think the answer is a little simpler than that: the actors behind this threat have successfully managed their targets and victims – keeping a low profile and not going for the masses or complex setups."

Henry Harrison, BAE Systems' technical director, said the massive fuss about Flame has deflected attention from the wider cyber-espionage danger. He argued that security firms are talking up the importance of various threats in an attempt to generate publicity for themselves and buzz about the products they sell.

"Individual cases such as Flame – and, a little while back, Shady RAT – are heavily publicised by the security firms who investigate them, but the sad reality is that this sort of attack is not at all unusual," he said.

"Targeted data-stealing attacks are a common phenomenon – but in most cases they don't get reported. That's either because the companies affected didn't report the attacks, for fear of reputational damage, or – most of the time – because the attacks are so successful that the targets don't even realise that their data has been stolen. What is newsworthy here is not so much the attack, but the very fact that it has been reported."

It's like analysing the blueprints for a whole city

Meanwhile, back at the coal-face, antivirus analysts are attempting to figure out the internals of Flame, a process likely to take months if not years.

"Full understanding of Flamer requires analysing approximately 60 embedded Lua scripts, reverse-engineering each of the sub-components, then piecing it back together," Symantec explains. "As an analogy, reverse-engineering Flame as opposed to standard malware is like re-creating an architectural drawing, not just for a single house, but for an entire city.

"The threat is a well designed platform including, among other things, a web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality." ®


