Mikko Hypponen: Flame Worm Another ‘Failure’ For Security Industry

Hypponen says he’s disappointed by the security industry’s inability to track down ‘super-weapon’ Flame sooner

The Flame worm has marked a failure of the anti-virus industry for the third time in two years, according to one of the biggest names in the security industry.

Mikko Hypponen, chief research officer at F-Secure, said he was disappointed AV companies had taken such a long time to find Flame.

Flame (also known as Flamer and Skywiper) caused shockwaves across the security industry yesterday, when it was described as possibly the most sophisticated piece of malicious software ever seen.

It has the ability to steal data from a variety of sources, including cameras and microphones, and many suggested it was the creation of a nation’s intelligence agency. Iran was the number one target and fingers have already been pointed at the likes of Israel. According to the Haaretz publication, Israel’s vice prime minister and strategic affairs minister Moshe Ya’alon responded to questions on Flame by saying “anyone who sees the Iranian threat as a significant threat – it’s reasonable [to assume] that he will take various steps, including these, to harm it”.

‘The whole industry should improve’

But Hypponen said the most concerning aspect of Flame was that it has been spreading for years. There were different claims on how long Flame had been alive, with Kaspersky saying the attacks started appearing in the wild in 2010.

The Budapest University of Technology and Economics’s Laboratory of Cryptography and System Security (CrySyS) said it had found files relating to Flame stemming from 2007, indicating the worm may be more than five years old.

“If we missed it for two years, maybe five years, not just us but the whole goddamn industry, what else could we characterise that as other than a failure? And it is not the first time – we missed Duqu for an extended period of time, we missed Stuxnet for at least two years. Apparently the traditional anti-virus technologies cannot cope with highly advanced attacks like this,” Hypponen told TechWeekEurope.

“Anti-virus works against the average problems for the average end user. But when you have an attacker of this level of skill, funding and manpower, it is quite clear they can create attacks that go through regular defences all too well.

“The parties that need to worry about this – we’re talking about defence contractors, armies, governments – they have to deploy defences at a much deeper level. AV is part of the puzzle, but if they rely on that alone it is unlikely they will be protected.

“There’s still job security in security, but it doesn’t take away the fact that I’m disappointed about how poorly we’ve fared with this.

“It is highly likely [the AV industry isn’t picking up on similar threats to Flame]. And we should do better. The whole industry should improve.”

The AV industry will not be able to analyse Flame as quickly as it could take apart Duqu and Stuxnet – the two other cyber “super-weapons” seen over the past two years. That is because Flame is far more complex.

As McAfee noted yesterday, just one of its smaller encrypted modules is over 70,000 lines of code. Flame is a sizeable beast as well, weighing in at 20MB when all its modules are deployed, or about 20 times the size of Stuxnet, which was seen infiltrating Iranian nuclear infrastructure in 2010.

Yet some have moved to soothe any panic caused by the worm. Most businesses should not fear, due to the apparently targeted nature of the attack, which is mainly aimed at the Middle East, said Sergei Shevchenko, writing on the BAE Systems security research blog.

“Flame is probably not aimed at you, but don’t discount the chance of one that is aimed at you, turning up in future,” he said.

Hypponen added that 99 percent of people do not need to worry about the AV industry’s failure. “Nevertheless, it is a failure.”
