Bit9

Bit9: 2, Antivirus: 0

By now, you’ve heard about the latest cyber attack called Flame. It’s been all over the news as  security researchers learn more about the attack and debate its ramifications. To recap, Flame is an advanced cyber spy toolkit capable of accessing a computer’s screen, files, microphone, Bluetooth, network and more.

Flame was around for at least two years, operating completely under the radar of every major antivirus product or behavioral HIPS solution. Kaspersky Lab went so far as to say: “Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it.”

I’m going to refute that assertion. Flame attacked one of our customers 8 months ago, long before it had a name in the press, and we did in fact prevent it from executing or spreading to any system protected by Bit9. This wasn’t the first time we stopped a high profile targeted cyber attack. We stopped the attack that hit RSA last year when that same malware hit one of our customer sites, before any information was publicly disclosed about the attack. Since that attack used a previously unknown vulnerability in Adobe Flash (a zero-day), none of the antivirus products and endpoint protection suites stopped it.

A number of antivirus security companies have said they had pieces of Flame already in their databases from years ago, but only now in hindsight realize that it was “bad.” Flame operated by hiding in plain sight. It used off-the-shelf utilities for communication and common libraries for data gathering. It was as large in overall size as a normal application. There was no reason for the antivirus companies to suspect these components, and since the entire antivirus model is predicated on knowing what is bad, Flame simply went unnoticed. But knowing what is bad is a much harder problem than knowing what is trustworthy. When Flame hit our customer, we didn’t know it was malicious; we simply knew it was not trusted.

So while the antivirus companies continue to chase their own tails updating their “signatures” and trying to figure out how to obtain the next piece of targeted malware before it goes public, Bit9 will continue to stop these attacks. Mikko Hypponen, Chief Research Officer at the security company F-Secure, recently wrote a refreshingly honest post about the failure of traditional security. He said:

“The truth is, consumer-grade antivirus products can’t protect well against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition… It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.”

What’s not a “fair war” is continuing to fight with the same weapons you used 25 years ago when the enemy has long ago switched both their tactics and their techniques.

Bit9 Security Solutions

One Response to Flame Lessons: How Trust-Based Security Protects where Antivirus Fails

  1. avatar Robert says:

    The truth is antivirus vendors WANT their products to fail, otherwise their out of business.

    The entire security industry relies on systems to fail in order to maintain high levels of income. That’s the ugly hidden truth about our jobs.

    Security will always be flawed as long as governments stick their fingers into the pie and muddle with the works.

    Now let’s see how you deal with a NDIS layer HW based attack with your hashes… ;)

Leave a Reply