Security Myth Burns With A Brilliant Flame

Like its predecessors, espionage malware Flame has upped the stakes in the security market with its advanced surveillance capabilities, says Eric Doyle

Stuxnet, Duqu and now Flame continue to show that when national authorities get involved in writing malware, everyone is vulnerable.

Mikko Hypponen, chief research officer at F-Secure, wrote in his blog that these “are all examples of cases where we – the antivirus industry – have failed. All of these cases were spreading undetected for extended periods of time.”

Highly sophisticated

Hypponen’s concern is well-founded. The Laboratory of Cryptography and System Security (CrySyS Lab) in Budapest, Hungary, has been tracking the spread of Flame, which it called sKyWIper, and believes it may have been circulating undetected for five years or more. Its complexity suggests that a highly sophisticated programming team must have developed it.

The targets seem to be highly focused in the Arab world, with Iran, Lebanon, Syria and Sudan. These locations put the US, UK and Israel in the frame as suspects. Also, according to Hypponen, the method of dispersal through USB sticks and hacking into systems implies a Western modus operandi.

That Flame has gone undetected for at least two years is surprising because it is not a small piece of malware. The various parts add up to 20MB when fully deployed. This is also an indication of its complexity.

Despite all the activity, Flame could hide from at least 43 anti-malware tools. This is the weakness of antivirus software networks: they are reactive systems and only detect commonly found malware or samples that exhibit particular behaviour.

One of the many interesting features of Flame is its ability to fully monitor devices. Keyboard, screen, storage devices, network, Wi-Fi, Bluetooth, USB and system processes can all be examined. It can even turn on a microphone attached to a computer to eavesdrop on local conversations. With many systems now being fitted with webcams, the future direction is obvious.

Flame also carried its own virtual environment for executing Lua scripts. Lua is a very light, open source scripting language which was initially developed in Brazil. The language was used to gather and organise data on the attacked systems and to compile information about Flame itself. The malware could also detect which antivirus was in use and modify its behaviour accordingly – a main reason for its non-detection.

Ross Brewer, managing director and vice president for international markets at LogRhythm, said: “This discovery once again highlights how critical it is to have a clear view of every single event that occurs across an organisation’s entire IT estate at all times. Having this constant 360 degree visibility of IT network log data means that organisations can monitor all anomalous cyber activity. Rather than just keeping threats out – which clearly no longer serves as an effective security strategy – data security now depends on addressing any potential threats in real time.”

Re-imaging security

For most companies, this means a complete rethink of how security is handled. Real-time monitoring is a burden on both systems and networks, but it looks like something that will have to be factored in.

Flagging anomalous behaviour is one safeguard but disguised behaviour is harder to detect. Various companies, such as FireEye, are developing visualisation techniques that could eventually help to make small changes in the network more noticeable.

James Todd, technical lead for Europe at FireEye, commented: “The next big trend in IT security was always going to be cyber-espionage, given the potentially huge rewards for the taking. This is particularly true if hackers can infiltrate information relating to policy, patents, intellectual property and R&D plans. As such, any organisation – or nation for that matter – with significant investments in R&D or IP must up the ante on pre-emptive security before it is too late. Over-reliance on signature-based perimeter defences and traditional heuristics means that too many are still woefully exposed to zero day, unknown attacks. While most now recognise that breaches are a matter of when and not if, what they don’t realise is that the ‘when’ might have already happened, as evidenced by the failure to discover Flame until now.”

The CrySyS report noted that “sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found”. Nation state espionage has reached new heights and begs the question of what else may be out there and what it may be doing unobserved and undetected.
