Feeds

'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine

Intelligent flash storage arrays

How did it slip under the radar?

The stealthy spread of Flame for at least two years before it was detected has provoked some soul-searching among segments of the security vendor community. Similarly long lags preceded the detection of Stuxnet and Duqu.

Wieland Alge, general manager EMEA at Barracuda Networks, commented: “The scariest and most shocking aspect is the length of time that Flame has remained undetected. Kaspersky’s own security experts estimate that Flame has been infecting systems and stealing data for several years, possibly as long as five years."

Mikko Hypponen, chief research officer F-Secure, said the extended run on Flame and Stuxnet prior to their discovery ought not to have happened and pointed to a failure by security vendors. Hypponen is breaking the party line in even suggesting this, with most vendors spinning that Flame did not spread very far and that was the reason why it escaped detection for so long.

"The worst part of Flame? It has been spreading for years," Hypponen writes. "Stuxnet, Duqu and Flame are all examples of cases where we – the antivirus industry – have failed. All of these cases were spreading undetected for extended periods of time."

Hypponen's colleague Sean Sullivan later qualified these remarks, in a blog on the Flame outbreak, by saying that commercial antivirus products are not really designed to defend against targeted, state-sponsored spyware.

"Commercial-based antivirus and security products are designed for and focus on protecting you from prevalent classes of in the wild threats coming from criminals, thugs and digital mobsters (and it's a constant battle)," he said. "It is not designed to protect you from the digital equivalent of Seal Team Six. So if you're the guy that finds himself in the crosshairs... you're not safe."

Sullivan goes on to argue that even though the technology used by Flame was hardly innovative, its deployment was sophisticated.

"Flame is a 'limited edition' spy tool with a limited scope that was used very carefully. It didn't need to evolve. Clearly there was advanced planning involved, but that doesn't necessarily make it what we would call advanced technology."

James Todd, technical lead for Europe at FireEye, issued a blunter criticism against the shortcomings of antivirus software highlighted by the Flame outbreak: "The fact that Flame evaded detection for so long, and by so many different antivirus tools is deplorable, and proves that the speed at which malicious malware is developed is just steamrolling those organisations trying to keep up."

Secret's out

Security vendors are almost unanimous in saying that Flame poses little or no threat to anyone – even the targeted system administrators in the Middle East – now it has been detected. "Flame is no longer a secret and so it will therefore be abandoned... Op sec has been compromised," F-Secure's Sullivan concludes.

Ollmann argues that Flame stayed under the radar because it was carefully managed, rather than because of the information security failing of its victims or the technologies they used.

He explained: "It would be simple to argue that these regions aren’t known for employing cutting-edge anti-malware defences and aren’t well served with local-language versions of the most capable desktop antivirus suites, but I think the answer is a little simpler than that: the actors behind this threat have successfully managed their targets and victims – keeping a low profile and not going for the masses or complex setups."

Henry Harrison, BAE System’s technical director, said the massive fuss about Flame has deflected attention from the wider cyber-espionage danger. He argued that security firms are talking up the importance of various threats in an attempt to generate publicity for themselves and buzz about the products they sell.

"Individual cases such as Flame – and, a little while back, Shady RAT – are heavily publicised by the security firms who investigate them, but the sad reality is that this sort of attack is not at all unusual," he said.

"Targeted data-stealing attacks are a common phenomenon – but in most cases they don't get reported. That's either because the companies affected didn't report the attacks, for fear of reputational damage, or – most of the time – because the attacks are so successful that the targets don't even realise that their data has been stolen. What is newsworthy here is not so much the attack, but the very fact that it has been reported."

It's like analysing the blueprints for a whole city

Meanwhile, back at the coal-face, antivirus analysts are attempting to figure out the internals of Flame, a process likely to take months if not years.

"Full understanding of Flamer requires analysing approximately 60 embedded Lua scripts, reverse-engineer each or the sub-components, then piece it back together," Symantec explains. "As an analogy, reverse-engineering Flame as opposed to standard malware is like re-creating an architectural drawing, not just for a single house, but for an entire city.

"The threat is a well designed platform including, among other things, a web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.