Feeds

'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine

Secure remote control for conventional and virtual desktops

How did it slip under the radar?

The stealthy spread of Flame for at least two years before it was detected has provoked some soul-searching among segments of the security vendor community. Similarly long lags preceded the detection of Stuxnet and Duqu.

Wieland Alge, general manager EMEA at Barracuda Networks, commented: “The scariest and most shocking aspect is the length of time that Flame has remained undetected. Kaspersky’s own security experts estimate that Flame has been infecting systems and stealing data for several years, possibly as long as five years."

Mikko Hypponen, chief research officer F-Secure, said the extended run on Flame and Stuxnet prior to their discovery ought not to have happened and pointed to a failure by security vendors. Hypponen is breaking the party line in even suggesting this, with most vendors spinning that Flame did not spread very far and that was the reason why it escaped detection for so long.

"The worst part of Flame? It has been spreading for years," Hypponen writes. "Stuxnet, Duqu and Flame are all examples of cases where we – the antivirus industry – have failed. All of these cases were spreading undetected for extended periods of time."

Hypponen's colleague Sean Sullivan later qualified these remarks, in a blog on the Flame outbreak, by saying that commercial antivirus products are not really designed to defend against targeted, state-sponsored spyware.

"Commercial-based antivirus and security products are designed for and focus on protecting you from prevalent classes of in the wild threats coming from criminals, thugs and digital mobsters (and it's a constant battle)," he said. "It is not designed to protect you from the digital equivalent of Seal Team Six. So if you're the guy that finds himself in the crosshairs... you're not safe."

Sullivan goes on to argue that even though the technology used by Flame was hardly innovative, its deployment was sophisticated.

"Flame is a 'limited edition' spy tool with a limited scope that was used very carefully. It didn't need to evolve. Clearly there was advanced planning involved, but that doesn't necessarily make it what we would call advanced technology."

James Todd, technical lead for Europe at FireEye, issued a blunter criticism against the shortcomings of antivirus software highlighted by the Flame outbreak: "The fact that Flame evaded detection for so long, and by so many different antivirus tools is deplorable, and proves that the speed at which malicious malware is developed is just steamrolling those organisations trying to keep up."

Secret's out

Security vendors are almost unanimous in saying that Flame poses little or no threat to anyone – even the targeted system administrators in the Middle East – now it has been detected. "Flame is no longer a secret and so it will therefore be abandoned... Op sec has been compromised," F-Secure's Sullivan concludes.

Ollmann argues that Flame stayed under the radar because it was carefully managed, rather than because of the information security failing of its victims or the technologies they used.

He explained: "It would be simple to argue that these regions aren’t known for employing cutting-edge anti-malware defences and aren’t well served with local-language versions of the most capable desktop antivirus suites, but I think the answer is a little simpler than that: the actors behind this threat have successfully managed their targets and victims – keeping a low profile and not going for the masses or complex setups."

Henry Harrison, BAE System’s technical director, said the massive fuss about Flame has deflected attention from the wider cyber-espionage danger. He argued that security firms are talking up the importance of various threats in an attempt to generate publicity for themselves and buzz about the products they sell.

"Individual cases such as Flame – and, a little while back, Shady RAT – are heavily publicised by the security firms who investigate them, but the sad reality is that this sort of attack is not at all unusual," he said.

"Targeted data-stealing attacks are a common phenomenon – but in most cases they don't get reported. That's either because the companies affected didn't report the attacks, for fear of reputational damage, or – most of the time – because the attacks are so successful that the targets don't even realise that their data has been stolen. What is newsworthy here is not so much the attack, but the very fact that it has been reported."

It's like analysing the blueprints for a whole city

Meanwhile, back at the coal-face, antivirus analysts are attempting to figure out the internals of Flame, a process likely to take months if not years.

"Full understanding of Flamer requires analysing approximately 60 embedded Lua scripts, reverse-engineer each or the sub-components, then piece it back together," Symantec explains. "As an analogy, reverse-engineering Flame as opposed to standard malware is like re-creating an architectural drawing, not just for a single house, but for an entire city.

"The threat is a well designed platform including, among other things, a web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality." ®

New hybrid storage solutions

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.