Dealing With Advanced Threats – Where AV Fails

If the Flame malware gets one message across to the masses, it should be that antivirus is a failure.

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. [1]

Yeah, no kidding.

The fact is that, at best, a few antivirus products would have raised a generic heuristic warning for Flame, and that obviously wasn't enough, because it has been around for years. Potentially quite a few years, actually. And it isn't the first: Stuxnet also went undetected for some time, as have various others.

Antiviruses, in terms of blacklists and heuristics, are actually a necessary part of security. I currently wouldn't touch a single one of them out there, but I appreciate the principle: that I as a human am not capable of knowing whether a file is malicious or not, therefore an AV automates the process on a level only achievable programmatically.

The point is, whether or not AVs could be great in some ideal world, the current security solutions aimed at users are not enough, and trying to lock a user's computer down beyond that is impractical with the tools we have been given. If we're ever going to see improvement we need something radically new.

Did We Really Need Proof?

The latest news is confirmation that the US ordered Stuxnet. Of course, everyone who's been paying attention already knew this. I swear I think I remember knowing this before I even knew what Stuxnet was.

Anyways, it was never publicly discussed, which I always found strange since it seemed both obvious and widely known. That's changed though, as the NYTimes has published (so-called) confirmation that the US was involved and that Obama accelerated the program.

So, there we have it. If you’ve been paying attention this isn’t really news… but now everyone knows about it and you don’t sound crazy when you say “Yes, the US government is behind Stuxnet.” So there’s that.

And Now… The Worst Cyber Attack In History

That is the opening line of a YouTube video that calls the attack "massive... historic." Something about the British accents makes it sound so damn serious too... "The most complex *intense pause* they've ever seen."

I wrote about The Flame in a post the other day and I was absolutely pointing out that this is a sophisticated and, yes, scary piece of malware.

While The Flame may be scary, it is not all that new. It is highly modularized, more so than anything in the past, but the exploits it uses are old news, and the data collection, albeit intense, isn't new either.

These words like “attack” and “cyber war” and “super weapon” are scary. I’m not even running Windows and they make me a little scared.

I think Flame is definitely not your typical malware, but is it deserving of such terms? It's new and we're learning more about it daily, but the media isn't saying "We're finding new information blah blah blah"; it's jumping straight to panic.

Where in the report is "Here's how to stay safe" or "Don't panic, the vulnerabilities appear to have been patched"?

Anyways, since I’ve already mentioned it, to stay safe you can run Windows Update right now (seriously, stop reading, now) and follow this guide to securing Windows.

“The Flame” and Why You Shouldn’t Be Scared (Or Should You Be?)

We've got our next "Super Threat" coming out of the Duqu and Stuxnet FUD-fest. The latest big thing is called "The Flame" (scary sounding, right?): a highly sophisticated piece of malware that targets the Windows operating system and essentially spies on users.

Why It’s Scary

"The Flame" is a highly sophisticated piece of malware. It makes use of multiple Windows exploits to run on users' machines without their consent or interaction, and it's also just creepy: the thing spies on you using every piece of hardware on your machine. It looks through your webcam, captures keystrokes, records through your microphone, and takes screenshots as well.

Oh, and it has potentially been spreading for 8 years (though it's looking more like 2), covering its tracks the whole time. It's also still unknown exactly how it infects systems (the best guess seems to be MS10-033, but there are likely multiple channels of initial infection). It is potentially being spread (initial infection) through a 0day exploit, though nothing has been substantiated (it has apparently infected fully patched Windows 7 machines).

It's not just creepy. The complexity and sophistication of the code, as well as its sheer size, make it likely to be the work of not just one hacker but a team of trained and well paid hackers. And that leads to the next, and potentially scariest, aspect...

This is probably government-born. The fact that it's so advanced means it probably cost big money, and it's clearly a tool for spying and collecting as much information as possible, so it should be a fairly short leap of logic to see why governments would be after this.

Why It Isn’t Scary

It actually is pretty scary when you read the above. Government commissioned hacker teams trying to watch me post on the internet? It’s enough to make you want to just unplug.

But let’s remember a few things…

It propagates throughout networks in a lot of different ways, but at least some of the exploits have been patched (MS10-061, MS10-046, potentially MS10-033), so your first step is to go check for Windows Updates. Now.

If you're running an antivirus (I suggest Microsoft Security Essentials), keep it up to date, since by now they should all detect Flame. Note that this only catches the known samples: the earlier post already made the point that AV missed Flame for years, so patching matters more than signatures here.
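One way to actually verify the two steps above rather than trusting the Windows Update tray icon, as an added example that is not part of the original post: a PowerShell script that checks whether the hotfixes for the bulletins named above are installed and then asks the Windows Update Agent what is still pending. The bulletin-to-KB mapping is an assumption taken from memory and should be confirmed against the Microsoft bulletin page linked in the sources (MS10-033 in particular ships as more than one KB), and the script assumes an elevated PowerShell session on a Windows 7-era machine.

```powershell
# Added example, not code from the original post.
# Bulletin -> KB mapping is assumed; verify against technet.microsoft.com/security/bulletin.
$FlameBulletins = @{
    'MS10-046' = 'KB2286198'   # Windows Shell .LNK handling (also used by Stuxnet)
    'MS10-061' = 'KB2347290'   # Print Spooler service
    'MS10-033' = 'KB979902'    # Media decompression; suspected initial-infection vector
}

# Get-HotFix reads Win32_QuickFixEngineering, which lists installed updates by KB ID.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($bulletin in $FlameBulletins.Keys) {
    $kb = $FlameBulletins[$bulletin]
    if ($installed -contains $kb) {
        Write-Output "$bulletin ($kb): installed"
    } else {
        Write-Output "$bulletin ($kb): MISSING"
        $missing += $bulletin
    }
}

# Get-HotFix can miss updates delivered outside the QFE store, so also ask the
# Windows Update Agent directly for anything not yet installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

Write-Output "Pending software updates: $($result.Updates.Count)"
foreach ($update in $result.Updates) {
    Write-Output " - $($update.Title)"
}

if ($missing.Count -gt 0 -or $result.Updates.Count -gt 0) {
    Write-Warning 'Machine is not fully patched: run Windows Update before doing anything else.'
}
```

The second half is the check that matters: a missing Flame-related KB is bad, but any pending security update is a path the next piece of malware will take, so the script warns on either condition.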

The top infection countries are Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. If you aren't there, your chances are good. That said, it's been spotted all around.

All in all it's definitely a cool piece of malware. It still needs to make use of some already patched vulnerabilities, so make sure you're up to date; that's one of the only ways to ensure you aren't infected.

Is Flame the be-all and end-all of malware? No. But it's a nice reminder that there are people out there willing to put serious work into infecting machines.

I’ll be posting more on staying secure on Linux and Windows in the future.

Sources:

http://www.crysys.hu/skywiper/skywiper.pdf

http://technet.microsoft.com/en-us/security/bulletin/

https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers#page_top