First published: 20th June 2012
Flame, along with Stuxnet and DuQu, is continuing to generate a lot of discussion about the value of different security models, particularly the reactive model that is the major part of most anti-virus products. Naturally, antivirus expert Mikko Hyppönen's admission that the antivirus industry had failed on Stuxnet, Duqu and Flame drew a lot of attention. Mikko has qualified the admission with a longer explanation in Wired, saying, "consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware".
Security expert Bruce Schneier has responded to Mikko's article, saying, "Probably the people who wrote Flame had a larger budget than a large-scale criminal organization, but their evasive techniques weren't magically better".
I think these are both valid points of view, and the full articles are well worth reading for a deeper understanding of the issues. What I would like to add is a warning against less thoughtful commentators who conclude, "therefore we should get rid of reactive antivirus". Mikko's honesty about his industry failing in these cases has distracted attention from the failure of other security models in the same cases:
- Whitelisting / Code signing / walled gardens: malware modules were signed with forged or stolen certificates.
- Keeping your software patched: Flame pretended it was a genuine MS update.
- Keeping your software unchanged: then you fall victim to the zero-day vulnerabilities that were present when you started.
- Not networking: Stuxnet spread on USB memory. There's no such thing as an isolated system, there never was.
I am not advocating disregarding these, they are all of some use in our security policy. We should try to get our software from trusted sources, not make unnecessary changes to production systems, limit access to sensitive systems, and search for known malware. In short, practise defence in depth and always remember that each layer is flawed.
What the antivirus industry must do now is look for ways to identify the slow, stealthy attacks like Stuxnet, DuQu and Flame in among the mountains of samples they constantly receive. It is going to be a difficult job.