The expert believes that all developers test their malware against antivirus software

Jun 20, 2012 13:14 GMT

F-Secure’s Chief Research Officer Mikko Hypponen has recently explained why security companies have failed to catch malware like Duqu, Stuxnet and Flame before they became widely known.

In an article written for Wired, Hypponen admitted that the antivirus industry had failed because it couldn’t see that Flame, which had been in their possession since 2010, could pose a serious threat.

He admitted that the same thing happened with Duqu and Stuxnet and concluded that malware developed by military intelligence agencies was harder to combat with commercial antivirus products.

“They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition,” he said.

He added that the attackers had most likely tested their malicious code against every relevant piece of security software.

On the other hand, security guru Bruce Schneier believes that this isn’t the case.

“I don't buy this. It isn't just the military that tests their malware against commercial defense products; criminals do it, too. Virus and worm writers do it. Spam writers do it. This is the never-ending arms race between attacker and defender, and it's been going on for decades,” Schneier explained.

He stressed that while the development budgets might have been much larger than those of the everyday malware creator, the evasion techniques “weren’t magically better.”

“I think the difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily. It was never a priority to understand - and then write signatures to detect - the Flame samples because they were never considered a problem,” he added.

“Maybe they were classified as a one-off. Or as an anomaly. I don't know, but it seems clear that conventional non-military malware writers that want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and Duqu.”