
Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet - wglb
http://www.wired.com/threatlevel/2012/06/internet-security-fail/
======
jgmmo
I also work for an AV company, but unlike Mikko - I do not think Flame or
Stuxnet should be focused on. They do not cause malicious behavior to our
users, therefore our time will be better spent addressing real threats that
steal credit card numbers and ruin OS's.

~~~
noahm
Out of curiosity, which AV company do you work for? I want to make sure I
never recommend that anybody purchase your products. _Any_ software that
exploits security flaws in OS or other system-level software needs to ring
every alarm bell you've got. Sure Stuxnet, et al, target specific systems and
hardware that are unlikely to belong to your customers, but Stuxnet's escape
into the wild shows that mistakes or false assumptions were made by the
designers and implementers. The software may not be intentionally malicious,
but it's already behaving in ways not predicted by its authors. Yet you claim
that I should just trust them and not worry that their software might be
running on my system against my wishes? That's not what I, as a hypothetical
customer of yours, pay you for.

~~~
jgmmo
There is a limited amount of time and resources to deal with an enormous number
of new samples daily. Would you prefer we focus on samples that a) cause real
harm to live users, or b) could theoretically be dangerous down the line?

I am sorry if you disagree, but with over 50,000 new samples of malware out
daily I personally think that all of our time would be better spent on zero
days that actually are hurting our users today.

------
jrabone
And this is why antivirus is, by and large, an utter waste of CPU cycles and
IO wait time.

The ones it catches you could have avoided by not being an idiot. The ones you
WANT it to catch go sailing by. Meanwhile your life is a misery because every
single little file access goes through the antivirus - much like any other
rootkit, in fact. Ask me what that does to performance when you develop in
Java, and every single JAR file gets unpacked and scanned every time...

~~~
lawnchair_larry
My grandmother got a virus, and I don't appreciate you calling her an idiot.

Really, just stop and think before making claims like this.

------
freehunter
It's nice to see a bit of humility in a market where posturing is so
prevalent. It's true that commercial AV can't be expected to pick up these
well-funded, targeted attacks. But mom and pop can't be expected to know this
from the advertising the AV companies put out.

~~~
uxp
Until a targeted attack turns every computer into a zombie DDoS farm inside an
air-gapped network (thus, by definition not really a targeted attack anymore),
AV companies and Mom and Pop shouldn't need to worry about these kinds of
things. Stuxnet can be installed on your mom's PC and it'll provide just as
much system instability and maliciousness as Winamp or uTorrent.

The real threats to moms and pops buying off-the-shelf AV products from their
local BestBuy are the threats that are targeted at your mom and dad to steal
their passwords and bank accounts, and to add a trickle of spam to the torrent
of daily inbox junk that gets sent out every minute. If a nation-state decides
to buy Norton 360 (et al.) to protect their nuclear reactor PLCs from being
fucked with by another nation-state, well, they're screwed. There is no
solution at that level (yet).

~~~
sliverstorm
Well, unless Mom and Pop are running a secret nuclear facility in their
basement.

------
wmf
I can understand why behavioral techniques might not detect this stuff in the
wild, but what about honeypots? _Anything_ that shows up on a honeypot should
be detectable as malware.

------
ryanjkirk
This would have been a good opportunity to educate the public about APT.
Mikko's argument is essentially that this was an APT attack, which is by
definition unstoppable.

A more productive way to take this essay is how to detect and close breaches
once they've happened. But AV companies aren't interested in pursuing this
part of the market, because it's not as simple as selling a piece of automated
software.

~~~
alt_
Definition for the lazy:
<http://en.wikipedia.org/wiki/Advanced_persistent_threat>

------
btilly
Simple solutions. Designate random computers as secure. Have them in normal
places, for instance in workplaces, but with agreements to have special
monitoring, and serious penalties for putting software on them without
properly logging that you're doing so.

Every so often, scan those computers. Any software that is there which was not
logged as installed is presumed to be malware. (And if it isn't, trigger those
penalties for having installed stuff without saying so.)

Humans being humans, you'll get a lot of false positives. But you'll notice
things like Flame and Stuxnet.
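
An added example of the check btilly describes, not code from the thread or from any AV vendor: a baseline inventory of file hashes is recorded when the monitored machine is provisioned, every later install is supposed to be logged, and a periodic scan diffs the current inventory against baseline plus install log. Anything not explained by either is flagged. All paths, hashes and file contents below are constructed for the example; `audit` and the data structures are assumptions of this example, not a real tool's API.

```python
"""Baseline-plus-install-log audit of a designated "secure" machine (constructed example)."""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline taken at provisioning time: path -> sha256 of contents.
BASELINE: Dict[str, str] = {
    "C:/Windows/System32/ntdll.dll": sha256(b"ntdll build 1"),
    "C:/Windows/System32/kernel32.dll": sha256(b"kernel32 build 1"),
    "C:/Windows/System32/advapi32.dll": sha256(b"advapi32 build 1"),
}

# Constructed install log: every sanctioned change must leave an entry here.
INSTALL_LOG: List[dict] = [
    {
        "path": "C:/Program Files/Office/winword.exe",
        "sha256": sha256(b"word binary"),
        "by": "alice",
        "ticket": "CHG-0001",  # hypothetical change ticket
    },
]

# Constructed snapshot of what is actually on disk at scan time.
CURRENT_DISK: Dict[str, bytes] = {
    "C:/Windows/System32/ntdll.dll": b"ntdll build 1",            # unchanged
    "C:/Windows/System32/kernel32.dll": b"kernel32 build 1 PATCHED",  # silently altered
    "C:/Program Files/Office/winword.exe": b"word binary",       # logged install
    "C:/Windows/System32/unlogged.dll": b"nobody logged this",   # unexplained
    # advapi32.dll is missing from disk
}


def audit(current: Dict[str, bytes],
          baseline: Dict[str, str],
          install_log: List[dict]) -> Tuple[List[str], List[str], List[str]]:
    """Return (unexplained, modified, missing) path lists.

    unexplained: on disk, but neither in the baseline nor in the install log
    modified:    known path whose hash no longer matches baseline/log
    missing:     in the baseline but no longer on disk
    """
    logged = {entry["path"]: entry["sha256"] for entry in install_log}
    unexplained, modified, missing = [], [], []
    for path, content in current.items():
        digest = sha256(content)
        if path in baseline:
            if baseline[path] != digest:
                modified.append(path)
        elif path in logged:
            if logged[path] != digest:
                modified.append(path)
        else:
            unexplained.append(path)
    for path in baseline:
        if path not in current:
            missing.append(path)
    return sorted(unexplained), sorted(modified), sorted(missing)


if __name__ == "__main__":
    unexplained, modified, missing = audit(CURRENT_DISK, BASELINE, INSTALL_LOG)
    for label, paths in (("UNEXPLAINED", unexplained), ("MODIFIED", modified), ("MISSING", missing)):
        for p in paths:
            print(f"{label}: {p}")
```

Two caveats a practitioner would add to btilly's scheme: the snapshot has to be taken from outside the running OS (booting the machine from trusted media, or pulling the disk image), because a kernel-resident implant can hide its own files from any scanner that runs on top of it; and every legitimate patch cycle will show up as `modified`, so the install log has to cover OS updates too or the false-positive rate makes the alerts meaningless.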

~~~
jquery
> Simple solutions. Designate random computers as secure.

Well, I laughed.

------
waveman2
"In the case of Stuxnet and DuQu, they used digitally signed components to
make their malware appear to be trustworthy applications."

How did they do this? This seems to imply that either

(1) the certification authorities or the (2) vendors of these "trustworthy"
software applications were "part of the team".

------
ajays
It's the same with spammers. If you are a public email provider, the spammers
create accounts and spam them before unleashing their spam. Since they have
access to both sides of the wall, they can keep trying till they are
successful. Rinse, lather, repeat.

------
vampirechicken
I'd like to hear more about how they had samples already submitted but some
process caused them to ignore them, and what they're doing to prevent that
omission in the future.

------
Heyw00d
@jgmmo sounds like trolling. These things escaped into the wild, which means
the code is now available to a whole lot of malware developers who just upped
their game.

------
excuse-me
"consumer-grade antivirus products can’t protect against targeted malware
created by well-resourced nation-states with bulging budgets"

Sorry - NO. These aren't some super secret stealth aircraft needing special
materials and billions of $ to develop. They are programming the same Windows
targets using the same compilers, generating the same instructions using the
same system calls. Yes, they were clever to target the particular facility and
to hide the code. But they didn't build anything that some other malicious
hacker couldn't build.

"And the zero-day exploits used in these attacks are unknown to antivirus
companies by definition."

I must try that excuse. The bugs in my software are by definition unknown so I
can't be expected to have fixed them.

So exactly what is the point of virus scanners? If all they are doing is
checking for the obvious signatures in email attachments called "naked
pictures of whoever readme.exe" to look for well known threats isn't the
solution simply for the user to not be a moron?

~~~
jerf
"'consumer-grade antivirus products can’t protect against targeted malware
created by well-resourced nation-states with bulging budgets'"

That's not the relevant bit. This is the relevant bit (emphasis mine):

"As far as we can tell, before releasing their malicious codes to attack
victims, the attackers _tested them against all of the relevant antivirus
products on the market_ to make sure that the malware wouldn’t be detected."

This means that they can be certain they've bypassed the signatures, and
whatever imperfect heuristics are being used have been bypassed, with the
attackers essentially having all the time in the world to play with and
understand the heuristics, up to and including a complete disassembly of the
heuristics if necessary. And you can't have perfect heuristics (hi, halting
problem!).

Yes, when the enemy has full access to all these things and sufficient
resources to use them, the antivirus loses. Other malicious hackers don't have
this scale of resources, and that's the sole reason they can't do it.
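
An added example illustrating jerf's point, not code from the thread or from any vendor: when the attacker holds a copy of the scanner, the scanner becomes an oracle, and the attacker simply iterates until it says "clean". The scanner here is a deliberately toy stand-in (one byte-string signature, a vendor heuristic that also tries a handful of single-byte XOR keys against that signature, and a crude "looks encrypted" printable-ratio check); the payload, signature, stub and all thresholds are constructed, and `find_evading_key` is this example's own loop, not anything a real product or attacker used.

```python
"""Toy scanner used as an oracle by a toy encoder (constructed example)."""
from typing import Callable, Optional

# Constructed "malicious" sample and the signature a vendor extracted from it.
PAYLOAD = b"CONSTRUCTED_SAMPLE: pretend this is a malicious payload body"
SIGNATURES = [b"malicious payload"]

# Stand-in for the decoder stub that would ship alongside an encoded body.
STUB = b"stub:"


def printable_ratio(blob: bytes) -> float:
    return sum(0x20 <= b < 0x7F for b in blob) / max(len(blob), 1)


def scanner(blob: bytes) -> Optional[str]:
    """Return a detection name, or None if the blob looks clean.

    Heuristics are intentionally simple: the vendor has anticipated
    single-byte XOR with keys 1..15 and flags blobs that look encrypted.
    """
    for sig in SIGNATURES:
        if sig in blob:
            return "Sig.Constructed"
        for key in range(1, 16):
            if bytes(b ^ key for b in sig) in blob:
                return f"Sig.Constructed.Xor{key}"
    if printable_ratio(blob) < 0.9:
        return "Heur.LooksEncrypted"
    return None


def encode(payload: bytes, key: int) -> bytes:
    """Single-byte XOR "packing" with a plaintext stub in front."""
    return STUB + bytes(b ^ key for b in payload)


def decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob[len(STUB):])


def find_evading_key(payload: bytes,
                     oracle: Callable[[bytes], Optional[str]]) -> Optional[int]:
    """Attacker side: query the scanner until a variant comes back clean."""
    for key in range(256):
        if oracle(encode(payload, key)) is None:
            return key
    return None


if __name__ == "__main__":
    print("raw sample:", scanner(PAYLOAD))
    print("xor 3     :", scanner(encode(PAYLOAD, 3)))
    key = find_evading_key(PAYLOAD, scanner)
    print("first clean key:", key)
    assert decode(encode(PAYLOAD, key), key) == PAYLOAD
```

Key 0 trips the raw signature, keys 1 through 15 trip the vendor's XOR heuristic, and key 16 is the first one that passes both the signature checks and the printable-ratio threshold, so the attacker ships that variant. Widening the heuristic (more keys, a tighter ratio) only moves where the loop stops; as long as the defender's test is available to the attacker ahead of release, there is always a first key, or encoding, that the shipped scanner accepts.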

~~~
planetguy
So what they're saying is: "We can't possibly defend against any attack if the
attacker bothers to take the time to test their attack against our software."

That's a startling admission, not just because they're saying "our software
ain't _that_ good" but because they've also gone and told you exactly how to
defeat it.

[insert conspiracy theory here]

~~~
Achshar
> they've also gone and told you exactly how to defeat it.

No, what they said is that since they [hackers] can test their code with
antivirus before deploying, they can be sure of the fact that it won't be
detected.

So it's obvious that to "defeat" the antivirus, they have to test against it.
It's in no way a solution. Anyone with a little common sense will tell you
that to defeat an antivirus, the best way is to test against it before you
release your malware.

