The complex attack toolkit known as Flame quickly made front-page news around the world as researchers uncovered the next great cyber espionage instrument assumed to be created by a nation-state.
Is it a worm, trojan or a backdoor? It's all of the above, according to an analysis conducted by Kaspersky Lab, whose researchers brought the malware to light after being approached by the United Nation's International Telecommunication Union.
Dubbed a “cyber weapon” by its revealers, Flame is capable of gathering intelligence by detecting network traffic, logging keystrokes and tapping into a computer's microphone to record conversions, even taking control of Bluetooth devices.
While the characteristics of the spy virus are important to note, the question is why it went undetected for so long. With research tracing it back to 2008, that means Flame has been siphoning information from networks – primarily located in the Middle East – for nearly four years.
After the malware's authors forged Microsoft certificates to make it pass as legitimate software, and built never-before-seen cryptographic collision attacks, Flame remained unnoticed, even though its code base is much larger than its predecessors Duqu and Stuxnet.
In this particular case, the anti-virus (AV) industry, which is heavily reliant on signatures for detection, may have missed the boat, said Eric Byres, CTO and VP of engineering for Belden, the industrial ethernet company, and its Tofino security division. He compares Flame to a very well created Swiss Army knife outfitted with built-in code to handle any AV software standing in its way.
“It's not using the hiding techniques that we so often see,” Byres said. “Ultimately, the anti-virus industry is going to have to work more on the heuristics.” Researchers consider behavior-based approaches to detecting malware much more effective than traditional, signature-based scans.
Those outside of the security industry may perceive AV and firewalls as the all-encompassing security solution, but according to Roel Schouwenberg, senior researcher for Kaspersky Lab, it is only part of what should be a layered approach. He says that traditional anti-malware, signature-based or not, is not designed to deal with the sharpened and expensive-to-produce “military-grade” threats we're seeing today.
“Unfortunately, there's no such thing as a magic bullet,” Schouwenberg said.
There's no doubt that the industry will quickly react. But how it intends to prepare its software for looming sophisticated threats such as this one remains to be seen.