Failure to detect Flame marks 'the end of signature-based anti-virus'

News by Dan Raywood

The failure to detect Flame means simplistic signature-based detection is obsolete.

According to a blog by Sergei Shevchenko, in order to spot malicious code an anti-virus product should emulate the malware to "unwind" the covert logic programmatically until the vicious chunks of it are revealed.

He said: “A large code often means more code to emulate or the usage of higher-level languages that are much harder to emulate or their emulation is simply not supported. Without an ability to follow the execution logic programmatically, an anti-virus product might not be able to detect a well-protected sample effectively.”

Wieland Alge, general manager EMEA at Barracuda Networks, said: “The scariest and most shocking aspect is the length of time that Flame has remained undetected. Kaspersky's own security experts estimate that Flame has been infecting systems and stealing data for several years, possibly as long as five years.

“One aspect of the success of this particular malware is due to its ability to log into what's being said or typed across the many multimedia aspects of today's desktop PCs and laptops – things like webcams, microphones and Bluetooth features.”

Rob Rachwald, director of security strategy at Imperva, said: “Currently, most estimates think that Flame has been around for two to eight years. Using either end of the scale, how could it have gone undetected for so long?

“How did they do it? Flame drops binaries with the .OCX extension, as they are often not scanned by anti-virus. If it finds McAfee on the system it uses the .TMP extension because McAfee also scans .OCX by default. Worse, according to one Twitter statement, Kaspersky knew about Flame within a month and didn't even add a signature to their anti-virus till a few days ago. If true, this is another black eye for the anti-virus industry.

“It's no secret that there is a huge industry devoted to bypassing anti-virus. Flame, we hope, will help serve as a key event that compels organisations to rethink their security spend. Turns out the UN is warning member states about Flame. Let's hope ‘updating your anti-virus' isn't one of the recommendations.”
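The extension-based scanning gap Rachwald describes, shown as an added example that is not from the article or from any product named in it: a scanner that decides by the file's PE header rather than its name catches an executable dropped as .OCX or .TMP. The scan policy and the sample files are constructed for the demonstration.

```python
import os
import struct
from typing import Dict, List, Tuple

# Constructed extension-based policy: only these names get scanned.
# Real products differ (the article notes McAfee scans .OCX by default).
SCANNED_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header, whatever the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scanned_by_extension(name: str) -> bool:
    """Decision an extension-based policy would make from the name alone."""
    return os.path.splitext(name)[1].lower() in SCANNED_EXTENSIONS


def scan_decisions(files: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Map each file to (scanned by extension policy, flagged as PE by content)."""
    return {name: (scanned_by_extension(name), is_pe_image(data))
            for name, data in files.items()}


def missed_by_extension(files: Dict[str, bytes]) -> List[str]:
    """Executables the extension policy skips but the content check identifies."""
    return sorted(name for name, (by_ext, by_content) in scan_decisions(files).items()
                  if by_content and not by_ext)


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample set: two PE images hiding behind non-scanned extensions,
# one genuine text temp file, one ordinary executable.
SAMPLE_FILES = {
    "ctrl.ocx": build_fake_pe(),
    "~df1a2b.tmp": build_fake_pe(),
    "readme.tmp": b"just text",
    "app.exe": build_fake_pe(),
}

if __name__ == "__main__":
    print("skipped by extension policy:", missed_by_extension(SAMPLE_FILES))
```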

Shevchenko added that although Flame is 20MB, a larger size does not always make a sample easier to detect: a large sample can be the product of "careless" malware authors (novices, or those who prefer higher-level languages), or a sign that the project has recently attracted programmers with a professional development background.

Tomer Teller, security evangelist at Check Point, said he had reverse-engineered Flame and while he had not analysed everything as yet, the stories about it being 20 times bigger than Stuxnet were true.

He said: “I have looked at the strings and it verifies what the media is saying. This is a fancy keylogger that will send data to remote command and control (C&C) servers, and there are 70 C&Cs across Asia.”

In terms of detection, Teller said: “Anti-virus didn't detect this as patches were deployed before Stuxnet, then they probably installed a rootkit to make sure it was not detected. My assumption is that this was around more than two years ago and kept hiding until we found the files.”

Gil Shwed, CEO and founder of Check Point, said: “This is one of the most significant attacks I have seen, there is not much new but it took known techniques and used them together. It uses multiple exploit combinations so it is pretty significant that it hid itself, but maybe the best ones have not been discovered yet.”
