Mikko Hyppönen, chief research officer, F-Secure
When Flame malware became front-page news, we went digging through our collections for related samples. We were surprised to find out that we had samples of Flame already from 2010, sent to us via automated systems. They had been classified as clean. So, we missed Flame for two years. That’s a spectacular failure for our company, and for the anti-virus industry in general. Basically, nobody detected Flame.
Flame was most likely written by a Western intelligence agency. The fact that it evaded detection proves how well they did their homework. The unfortunate truth is that traditional, consumer-grade anti-virus products won’t be able to protect against targeted malware created by nation-states with big budgets. It will protect you against the regular stuff: banking trojans, keyloggers and email worms. But protecting your systems against malware from foreign intelligence agencies requires a layered defense, with network intrusion detection systems, whitelisting and active monitoring of inbound and outbound traffic of the organization.
Stealth isn’t unique to military malware as criminals also test their malware against commercial defense products. They test viruses and spam. This is the never-ending arms race between attacker and defender, and it’s been going on for decades. The people who wrote Flame had a larger budget than a large-scale criminal organization, but their evasive techniques weren’t magically better. And they didn’t evade detection. F-Secure and others found year-old samples in their archives. They just didn’t do anything about them.
The difference has more to do with the ways in which military malware programs spread. That is, slowly and stealthily. It was never a priority to understand – and then write signatures to detect the Flame samples – because they were never considered a problem. Maybe they were classified as an anomaly or a one-off problem. I don’t know – I’m not privy to how anti-virus companies decide what malware to follow up on and what can be ignored until later.