
Antivirus Firms Out of Their League With Stuxnet, Flame

timothy posted about 2 years ago | from the doesn't-say-much-good-for-their-product dept.

Security 233

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"


233 comments

Helps when you have the OS companies helping (5, Interesting)

trout007 (975317) | about 2 years ago | (#40207385)

I mean, seriously, does anyone think the OS companies aren't in on this type of operation?

It reminds me of the CIA-Xerox story.

http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm [lunarpages.com]

Re:Helps when you have the OS companies helping (5, Interesting)

Narcocide (102829) | about 2 years ago | (#40207419)

Well, that's one good theory, but I suppose that if it's possible to make a virus like Stuxnet primarily target only computers that control Iranian uranium-enriching centrifuges, it would also be possible to write the same virus to *avoid* activating itself anywhere in sight of machines owned by anti-virus corporations.

There's still some level of plausible deniability here; the real question is what to do about the fact that installing anti-virus software in the first place is, while not effective enough, also the limit of most users' capability to secure their computers.

Re:Helps when you have the OS companies helping (-1)

Anonymous Coward | about 2 years ago | (#40207435)

Feel free to spin any conspiracy theory without providing even a shred of evidence. You probably are stupid and your understanding of OS security architecture is close to that of a toddler, hence somebody of your intelligence would certainly require external help. Don't assume the rest of us are as dumb as you.

Re:Helps when you have the OS companies helping (2, Interesting)

Anonymous Coward | about 2 years ago | (#40207449)

For that matter, an anti-virus expert would be a good person to ask how to get past anti-virus.

Re:Helps when you have the OS companies helping (2)

damien_kane (519267) | about 2 years ago | (#40207587)

Not the OS companies, the AV companies
Ironic, no, that a virus with a definite source that isn't an AV company is also immune to those same AV companies?

Re:Helps when you have the OS companies helping (5, Interesting)

PPH (736903) | about 2 years ago | (#40208541)

The tin foil hatters who worry about NSA-mandated back doors should be worrying about how many code signing keys the CIA/FBI/NSA/Pentagon have extracted from Microsoft. Or borrowed from gov't contractors (Boeing/Lockheed/etc).

And how many US-based AV companies have "found something" out there on the Internet and put it into their database, but then failed to act on it at the behest of one of these TLAs?

That may be one reason Kaspersky has blown the whistle on a few things recently. How is the NSA going to call a Russian company and ask them to sit on some information without that making its way into their intelligence services? And used as leverage in future political events?

Re:Helps when you have the OS companies helping (1)

mrex (25183) | about 2 years ago | (#40208883)

>Not the OS companies, the AV companies

Not an either/or. All these big companies know who butters their bread, and jump at the chance to work with "007" anyway.

Re:Helps when you have the OS companies helping (1)

Anonymous Coward | about 2 years ago | (#40207887)

Well, who were these files digitally signed by? Whose private key was used?

If I understand this correctly, pretty much anyone can digitally sign something with a private key and, for a fee, people (that Microsoft deems trustworthy) can get their public keys registered, right? And someone with a registered public key, say a graphics card or other driver manufacturer, can then theoretically sign malware without Microsoft's knowledge or consent. Microsoft will only try to authenticate the public keys of parties they deem to be trustworthy but, beyond that, they have little control over what code authenticated parties write (unless they later detect malicious code and revoke the key, I presume, but how practical is it to police all signed code?).

So how hard is it for the U.S. government to get a public key registered (or to gain access to the private key of a registered public key)? What kinda software does the govt make?

It would be interesting to know exactly what public key was used to authenticate this hidden code and who it is registered under.

Re:Helps when you have the OS companies helping (3, Insightful)

stephanruby (542433) | about 2 years ago | (#40208793)

Sure, the OS companies. Yes.

But not the anti-virus companies, which is what we're talking about here. The anti-virus companies are just script kiddies. Their core competencies are public relations and cookie scaremongering, but that's all. They do not pay people to do original research, that would cut into their profit margins.

If they can detect something, it's only because someone else did the research and posted it on their blog. Once someone has written some manual instructions for detecting the malware and removing it, the anti-virus companies are capable of writing a script that tries to do the same automatically, but even that sometimes stretches the limit of their capabilities since they can't even do that part correctly many of the times.

The real research is done by people like Mark Russinovich [microsoft.com] (and yes, you don't have to trust anything he has written after his company was acquired by Microsoft, you can just take a look at his oldest blog posts first -- which pre-date the acquisition).

Re:Helps when you have the OS companies helping (1)

Impy the Impiuos Imp (442658) | about 2 years ago | (#40208817)

Intelligence agencies are motivated and find good people. Fraudulent botnets and scams in near-failed states are motivated highly. Antivirus companies have incompetent managers who rub their chins and hire some random, poorly-motivated programmers and call it a night.

It's the difference between government lawyers and the OJ defense team.

Re:Helps when you have the OS companies helping (4, Insightful)

mrex (25183) | about 2 years ago | (#40208873)

Right down to Microsoft's "mistake" in their Terminal Server certificate assignment process, that "accidentally" allowed those certificates to be used to sign code.

First, antivirus authors used generic tools to... (4, Insightful)

ArsenneLupin (766289) | about 2 years ago | (#40207391)

... write their warez. And they were easily disassembled, and recognized for the evil they were.

Then they started using custom packers and obfuscators, making them as hard to reverse engineer as Skype.

But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...

So, now they went back to using generic tools and libraries. Full circle!

Re:First, antivirus authors used generic tools to. (1)

Anonymous Coward | about 2 years ago | (#40207595)

Did you really mean "First, antivirus authors used generic tools"?
Mind, I don't object to the classification of much antivirus software as evil, but it gets a bit kinky later where they're detecting themselves...

Re:First, antivirus authors used generic tools to. (5, Interesting)

bughunter (10093) | about 2 years ago | (#40207723)

but it gets a bit kinky later where they're detecting themselves...

It's not kinky at all. They all do it, most of them nearly every day, but few of them admit it.

Kinky is two of them detecting each other...

A: because it breaks the flow of a message (5, Funny)

DNS-and-BIND (461968) | about 2 years ago | (#40207691)

Q: Why is starting a comment in the Subject: line incredibly annoying?

Re:A: because it breaks the flow of a message (-1, Offtopic)

neonKow (1239288) | about 2 years ago | (#40207853)

It doesn't really break the flow as badly as an off-topic post.

Re:A: because it breaks the flow of a message (1)

tepples (727027) | about 2 years ago | (#40208643)

What place would you recommend instead for such meta-discussions?

Re:A: because it breaks the flow of a message (0)

Anonymous Coward | about 2 years ago | (#40209157)

Q: Why is starting a comment in the Subject: line incredibly annoying?

No it doesn't; the flow is perfectly fine. Unlike your post, which is fucking backwards.

Re:First, antivirus authors used generic tools to. (2)

postbigbang (761081) | about 2 years ago | (#40207775)

Seen another way: like all artillery system designers, you study the target, understand the medium through which the shell must traverse, and get the payload to the target.

To think that Symantec and AVG and Kaspersky et al. are omnipotent is silly. At some point, each of these companies has to avoid false positives because they get the worst PR possible when they make mistakes. There are millions of legitimate apps out there, no matter how well or poorly written. It's a matter of getting to the correct controller, seeding it with destructive code, and making sure the code survives long enough to deliver the damaging payload that's necessary. Certainly the explanation is vastly more simple than the deed, but it's the deed that was successful. Does one generate malware detection that traps such a thing? Maybe, but you don't give it to anyone because no civilians have centrifuges that are used to make weapons-grade material.

Re:First, antivirus authors used generic tools to. (0)

Anonymous Coward | about 2 years ago | (#40207959)

Years ago I got hit by a package that consisted of a bog-standard mirc.exe and a bunch of scripts that, er, made it do Interesting.cn things, like run itself as a service and be otherwise clumsily less than obviously visible, opening up the machine for remote commands. Now my operating system of choice doesn't run those things, so to me it was merely a curio. So I sent it in to one of these security companies, and the poor bod at the threat evaluation desk didn't recognise it for what it was. Apparently if his threat evaluator script didn't flag it, it wasn't a threat, and understanding what was going on was entirely beyond him. This experience seems to mesh well with observations of how the IT threat mitigation industry operates. It leaves something to be desired, no matter how many really smart people they have.

P.S. (5, Insightful)

CajunArson (465943) | about 2 years ago | (#40207403)

If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

Re:P.S. (3, Funny)

Opportunist (166417) | about 2 years ago | (#40207801)

Not wanting to break NDAs but: You overestimate the intelligence in intelligence...

Re:P.S. (-1)

Anonymous Coward | about 2 years ago | (#40208245)

You must be retarded.

Re:P.S. (0)

Anonymous Coward | about 2 years ago | (#40208415)

That's what they WANT you to believe...

Re:P.S. (3, Interesting)

drinkypoo (153816) | about 2 years ago | (#40208855)

If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

Why not? Granted, they have access to all the same attacks the rest of us do, but Windows is the only operating system whose back doors they are in a position to be effectively the sole parties familiar with. Remember when Microsoft was shown to be guilty of violating its monopoly status? Remember how nothing ever came of that? No, something came of that. Microsoft is now a part of the same group of assholes that controls politics in America. Bill Gates is in like Flynn; he does as he's told and controls vast sums.

You may have noted (here and elsewhere) that the US government told people to use Vista for security. That announcement was met with loud guffaws here on Slashdot, but I presumed then and presume now that it was because it's the operating system they're deepest into. But presumably they've been deep into Windows since NT.

stop stabbing yourself in the eye (0, Insightful)

Anonymous Coward | about 2 years ago | (#40207405)

stop using windows bro

Re:stop stabbing yourself in the eye (1)

Anonymous Coward | about 2 years ago | (#40208517)

stop using windows bro

But without windows, the house is so dark!

Please, it's "Lua", not "LUA" (5, Informative)

TimHunter (174406) | about 2 years ago | (#40207407)

"Lua" (pronounced LOO-ah) means "Moon" in Portuguese. As such, it is neither an acronym nor an abbreviation, but a noun. More specifically, "Lua" is a name, the name of the Earth's moon and the name of the language. Like most names, it should be written in lower case with an initial capital, that is, "Lua". Please do not write it as "LUA", which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write "Lua" right!

http://www.lua.org/about.html [lua.org]

Re:Please, it's "Lua", not "LUA" (0)

Anonymous Coward | about 2 years ago | (#40207423)

lUa

Re:Please, it's "Lua", not "LUA" (1)

Anonymous Coward | about 2 years ago | (#40207443)

1U4 is much 13373r

Re:Please, it's "Lua", not "LUA" (0)

Anonymous Coward | about 2 years ago | (#40207519)

Crazy! I saw the moon last night and, lo and behold, there was another one outside!

Re:Please, it's "Lua", not "LUA" (1)

Cthefuture (665326) | about 2 years ago | (#40207551)

Heh, I came here to make the same post.

And anyone interested in high-performance computing/scripting should check out LuaJIT [luajit.org] . One of the coolest software projects ever. Imagine a simple, powerful scripting language that runs as fast (or really close) as compiled C. Kick-ass fast built-in FFI interface and super easy to embed.

Re:Please, it's "Lua", not "LUA" (0)

Jiro (131519) | about 2 years ago | (#40207783)

Having to tell someone how to write your language name because that is not naturally how people would write it is a classic example of a bad user interface in a geek-written program.

Re:Please, it's "Lua", not "LUA" (0)

Anonymous Coward | about 2 years ago | (#40207823)

There are people who capitalize "MAC" when they're talking about a computer from Apple. Not every user problem is the fault of the implementer.

Re:Please, it's "Lua", not "LUA" (0)

Anonymous Coward | about 2 years ago | (#40209305)

Having to tell someone how to write your language name because that is not naturally how people would write it is a classic example of a bad user interface in a geek-written program.

How is it natural to capitalize words at random?

What is there about "Lua" that would make the writer think, "Oh, I bet that should be written out as 'LUA;' it probably stands for something that I'm too lazy to look up?"

Please share your linguistic insight with the hopelessly geeky, out-of-touch Slashdot readership, so that we might have a chance at picking names that do not resemble acronyms in the future. We seem to be particularly lousy at this. After all, we've tried naming computer languages with common words like "Java," (no good, people still write it as JAVA) or human names like Ada (no good, people still write it as ADA) and made-up words like Perl (which people insist on writing as PERL.)

Re:Please, it's "Lua", not "LUA" (1)

danbuter (2019760) | about 2 years ago | (#40208089)

Reminds me of people who use PERL instead of Perl.

Re:Please, it's "Lua", not "LUA" (1)

Anonymous Coward | about 2 years ago | (#40208597)

Reminds me of people who use PERL instead of Perl.

But those may be genuinely confused by the common backronym "Practical Extraction and Report Language".

It is very simple. Virus "protection" isn't (5, Insightful)

Anonymous Coward | about 2 years ago | (#40207427)

You cannot solve the virus problem as it is an impossible situation.

The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.

Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross-licensing powers could hire... but they usually also have "anti-poaching" agreements as well. This results in the lack of cross-training in various techniques of programming, and promotes internal bad practice... and the development of bad policies on how to program.

Re:It is very simple. Virus "protection" isn't (5, Interesting)

RobbieThe1st (1977364) | about 2 years ago | (#40207459)

To be fair, giving out your OS encryption keys to "friendly" nation-states for signed malware basically means that your OS, no matter how securely designed, will always have such malware.

Re:It is very simple. Virus "protection" isn't (5, Interesting)

Anonymous Coward | about 2 years ago | (#40207609)

You don't even need to "give" them out. Flame was "signed by Microsoft" by exploiting a vulnerability in Terminal Services Licensing Server.

"Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

from Microsoft releases Security Advisory 2718704 [technet.com]
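The lesson of that advisory, as an added example that is not part of this thread or of Microsoft's material: a certificate chain checked specifically for the codeSigning extended key usage is refused when an intermediate CA was only ever scoped to another purpose. It uses Go's standard-library verifier on a constructed throwaway PKI; every name, serial and key below is made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal template; CAs get certSign, leaves digitalSignature only.
func newTemplate(cn string, serial int64, isCA bool, ekus []x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           ekus,
	}
}

// mustIssue signs tmpl with a fresh throwaway P-256 key; parent == nil means self-signed.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyForCodeSigning validates leaf for the codeSigning EKU specifically: every
// certificate in the chain must permit that usage (a CA with no EKU extension is
// unrestricted), and MD5/SHA-1 signatures are rejected as InsecureAlgorithmError.
func verifyForCodeSigning(leaf, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// classify reduces a verification error to a short label for reporting.
func classify(err error) string {
	var invalid x509.CertificateInvalidError
	var insecure x509.InsecureAlgorithmError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage:
		return "incompatible-usage"
	case errors.As(err, &insecure):
		return "insecure-algorithm"
	}
	return "other: " + err.Error()
}

// scenario builds a constructed PKI: a root, a "licensing" intermediate scoped to
// serverAuth only, a proper code-signing intermediate, and a leaf under each.
func scenario() (underLicensingCA, underCodeSigningCA string) {
	codeSigning := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	root, rootKey := mustIssue(newTemplate("Constructed Root CA", 1, true, nil), nil, nil)
	licCA, licKey := mustIssue(newTemplate("Licensing Service CA", 2, true,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), root, rootKey)
	csCA, csKey := mustIssue(newTemplate("Code Signing CA", 3, true, codeSigning), root, rootKey)
	leafA, _ := mustIssue(newTemplate("Vendor Signing Key", 4, false, codeSigning), licCA, licKey)
	leafB, _ := mustIssue(newTemplate("Vendor Signing Key", 5, false, codeSigning), csCA, csKey)
	return classify(verifyForCodeSigning(leafA, licCA, root)),
		classify(verifyForCodeSigning(leafB, csCA, root))
}

func main() {
	a, b := scenario()
	fmt.Println("leaf under licensing CA, checked for codeSigning:", a) // incompatible-usage
	fmt.Println("leaf under code-signing CA, checked for codeSigning:", b) // ok
}
```

In the actual incident the licensing certificates did carry code-signing capability, which is why revocation was the remedy; this shows what a correctly EKU-constrained issuing chain would have refused outright.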

Re:It is very simple. Virus "protection" isn't (4, Interesting)

localman57 (1340533) | about 2 years ago | (#40207485)

The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

I agree with the second part. The first part is probably wishful thinking with the exception of products that are small enough or well funded enough that you can do proofs of their security (such as a couple of the real-time operating systems out there).

I think it's interesting to look at the way that safe vault makers approach this problem. No safe maker ever guarantees their safe to be uncrackable. Rather, they have a standard which basically says "A well qualified attacker with knowledge of the safe's internal workings, but no knowledge of the combination or access to the keys can be expected to breach this safe in X amount of time." They know it's a matter of when, not if. Encryption software people seem to get this as well.

Re:It is very simple. Virus "protection" isn't (4, Insightful)

jythie (914043) | about 2 years ago | (#40207729)

Thing is, even with those proved systems, no amount of security is going to stop a good social engineering attack. At some point all systems will have some mechanism for changing their functionality unless the whole thing is ROM and has a hardware enforced switch for being able to change things... and even then all you need is one careless tech or a corrupt contractor and poof, you are infected.

Technological solutions can improve the situation, but are not a panacea.

Re:It is very simple. Virus "protection" isn't (5, Interesting)

drinkypoo (153816) | about 2 years ago | (#40208891)

When Microsoft finally got around to making a new TCP stack for Vista they reintroduced all the old bugs that were in the old stack because they proceeded from the same assumptions, forgot everything they learned improving the old stack, and went boldly forth like complete assholes. As a result you could teardrop or LAND Vista RCs. How does this happen? Because they were not using good programming practices.

So it's true, you can't make NO vulnerabilities. But you CAN adopt not just good but proper practices that reduce the number of vulnerabilities you create. This is something Microsoft should try.

Re:It is very simple. Virus "protection" isn't (3, Interesting)

camperdave (969942) | about 2 years ago | (#40207527)

I've always wondered about "selfing" the software installed on a machine. In the body, cells that are part of the body are identified with a protein marker, and the immune system ignores cells with that marker. When a cell does not have that marker, it is considered a foreign invader and is destroyed. So, with software, you would have to add a marker code to it - branding it, as it were - for it to be acceptable to the antivirus software. Essentially, it would be a whitelisting system.

Re:It is very simple. Virus "protection" isn't (0)

Anonymous Coward | about 2 years ago | (#40207607)

But the malware in question had valid digital signatures. It was already whitelisted.

Re:It is very simple. Virus "protection" isn't (1)

camperdave (969942) | about 2 years ago | (#40208319)

No. Whitelisted by the USER, not by some third party corporation.

Re:It is very simple. Virus "protection" isn't (1)

donutz (195717) | about 2 years ago | (#40208603)

A good idea in theory, but in practice, a pain in the butt that most people will not want to deal with.

Re:It is very simple. Virus "protection" isn't (2)

roothog (635998) | about 2 years ago | (#40209141)

You should look up Stephanie Forrest's research. She's been doing things like that for the past 20 years. To give you an idea, she has a mid-90's paper called "A Sense of Self for UNIX Processes".

Maybe it's up to the OS (5, Interesting)

Dan9999 (679463) | about 2 years ago | (#40207439)

AV software is picking up the slack for badly designed operating systems. Kernels, drivers, the shell, the UI of software, management control and process control have all spiralled out of sync in their evolution in all OSes bar none, which is a perfect breeding ground for this.

Come on, OSes, raise that bar so that AV companies can do the same.

Re:Maybe it's up to the OS (0)

QuantumRiff (120817) | about 2 years ago | (#40207873)

What is AV software? Audio Visual? I guess I have used Linux a bit too long now :)

Wah... (5, Funny)

Anonymous Coward | about 2 years ago | (#40207445)

Wha. We suck. But, what can you do?

Your subscription has expired. Please upgrade to Our Steaming Pile 2013. Now with more steam. Also, we hid some options to make it more challenging/interesting for you!

NO SHIT (1)

GeneralTurgidson (2464452) | about 2 years ago | (#40207453)

Your products do have a tendency to delete system files though. Maybe antivirus software should be a bit more than writing definitions to known CVSs and some anomaly engine which thinks every file in a profile directory is suspicious. While antivirus software is another layer of security, it's a pretty shitty one.

Conspiracy theory (3, Interesting)

seyfarth (323827) | about 2 years ago | (#40207481)

With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

Re:Conspiracy theory (1)

Anonymous Coward | about 2 years ago | (#40207569)

...or might have to help by law...

Re:Conspiracy theory (0)

Anonymous Coward | about 2 years ago | (#40207895)

There is no law on the books that would force Microsoft or AV companies to cooperate with the government in that manner. If they chose to cooperate, it would be for different reasons.

Re:Conspiracy theory (1)

synapse7 (1075571) | about 2 years ago | (#40207611)

I just pushed out a root cert revocation update to help fight the untrusted Microsoft cert that was used for this. I wonder if this "flame" was meant to target the public, or another attack that got out of control?

Re:Conspiracy theory (0)

Anonymous Coward | about 2 years ago | (#40207763)

Talking about a sense of duty, writing innovative worms and distributing them for virus writers everywhere to benefit sounds like very responsible behaviour. I know a country that has no restraints in those matters.

Occam's razor (1)

Anonymous Coward | about 2 years ago | (#40208195)

With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

In order to evaluate your theory, we'd have to put it to the Occam's Razor test.

The simplest answer is that Windows really does have lots of vulnerabilities, and the security companies really are in over their head.

Obviously, this is patently false. Windows is widely known to be bug-free and highly secure, and the security companies have developed a suite of efficient, stable software to help us defend against viruses. So your theory obviously has merit. How could it be otherwise?

Security theater...just like the TSA (2)

techsimian (2555762) | about 2 years ago | (#40207499)

Crappy malware and anti-virus both crush the performance of the machines they're on... why bother? Oh yeah, and the anti-virus software doesn't work. Is it just to keep the masses from spreading too much?

Of course... (1)

cffrost (885375) | about 2 years ago | (#40207529)

Anti-virus software companies need to acquire, profile, and create removal code for new threats before they can do much to mitigate them. Now obviously, that's going to take genuine time and effort in cases where they didn't write the virus themselves.

Failed to detect? (1, Redundant)

Scutter (18425) | about 2 years ago | (#40207535)

By the author's own admission, they didn't "fail to detect". They HAD copies of the virus in their reporting database but ignored them. Why are customers reporting samples if the antivirus companies aren't paying any attention? I'd like to hear more on that explanation and not more excuses like "well, it works like a business database".

Re:Failed to detect? (2)

AHuxley (892839) | about 2 years ago | (#40207571)

It's Windows, a long list of new code efforts every day, in the wild and doing damage to end users' systems.
They get the worst first and work back.

AV companies outside their element? (5, Informative)

slack_justyb (862874) | about 2 years ago | (#40207543)

I've not held much faith for anti-virus companies. Never was I under the idea that AV software would stop a *real* virus. To me, anti-virus software is just a way to keep the script kiddies and adware ActiveX controls off a system. Good computing habits preclude the need for AV software. Just my two cents.

Re:AV companies outside their element? (0)

Anonymous Coward | about 2 years ago | (#40207677)

I'm inclined to agree.
"consumer-grade antivirus products can't protect against targeted malware".
Well duh, it's consumer-grade, it's meant to keep a consumer's PC a bit cleaner. There's no reason to believe that it could stop a sophisticated, targeted attack; that's really not what it was meant for. Most malware targets generally, in the hopes that it will hit and stick a certain amount of unsecured systems. A targeted attack knows what kind of security it is up against, so if it's designed well enough, AV is never going to catch on. That's really the whole point of the virus/worm/malware in the first place.

Re:AV companies outside their element? (4, Informative)

upside (574799) | about 2 years ago | (#40208075)

Pretty much what Mikko Hypponen is saying in the article:

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

Re:AV companies outside their element? (4, Insightful)

Kjella (173770) | about 2 years ago | (#40208153)

Good computing habits preclude the need for AV software. Just my two cents.

And how exactly would you know if mozilla.com has been compromised or if someone is running a MITM on you? Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised? Good computing habits are good enough for my single consumer desktop, but they're not exactly hardened servers with tripwires, traffic policies, alerts and intense traffic monitoring. If they send a "real" virus directed towards me, I wouldn't bet too much on my good habits. It's all relative to the threat level, just like my apartment is fairly safe against common burglars but it's not exactly a jeweler's shop with millions in value, nor is it a military bunker.

As for AV software, yes I run it as a second opinion. Personally I don't think I'm too smart to make a blunder, or the odd combination of a seemingly trusted download and an old virus signature the AV will detect. Besides, how do you know your own opinion is correct? It's not like they announce themselves; it could be sending out your credit card info and be a proxy to everything without telling you. The silent ones are far more dangerous than the popup infestations and ransomware.

Re:AV companies outside their element? (0)

Anonymous Coward | about 2 years ago | (#40208917)

Good computing habits mitigate the risk. You still have to do the business case analysis. At home, we do irregularly scheduled backups to multiple media, and we don't click on random links. Good enough, but we've still got a laptop that's trashed and cost 10 hours of me retardedly failing to just spend that much value on replacing it. However, due diligence in other organizations will require you to have AV software, even if the straight numbers business case wouldn't actually support it.

... and water is wet (1)

Anonymous Coward | about 2 years ago | (#40207547)

Seriously, how is this news? Anyone who has even the slightest clue as to how software security vulnerabilities work (or just what Turing completeness and the halting problem are) knows that anti-virus software does not and can not exist, and has known that for decades. Just because some marketing people keep pretending there is such a thing doesn't mean there actually is.

What does exist is black-list filters for some well-known attacks. Which obviously is completely pointless to even try unless you are an idiot and you insist on using software that's equally well-known for its lack of security, in which case such a black list can keep the inconvenience down a tiny bit. Or you own a business that makes money by selling unsuspecting people "protection".

MacOS X is the answer (-1)

Anonymous Coward | about 2 years ago | (#40207577)

We should all move to MacOS X. Steve Jobs himself told us there was no malware for it. We should be safe...

AntiVirus companies mess up... apk (0)

Anonymous Coward | about 2 years ago | (#40207637)

Recently, I had submitted a ware to hpHosts/malwarebytes for hosting (it's a custom hosts file mgt. & acquisition system from 12 reputable + reliable sources in the security community). Mr. Steven Burn & Mr. Henry Hertz Hobbit (of malwarebytes/hpHosts + hostfile.org respectively) sent it through the JOTTI online & VirusTotal online scanners (which use Linux based scanning). It came up as a "malware". I immediately wrote:

1.) ArcaBit/ArcaVir
2.) Comodo
3.) ClamAV
4.) Symantec/Norton
5.) McAfee

The 5 antivirus makers (of 70++ total who found my app "ok") who detected my app as a malware.

I wrote & informed them of my using a special new exe packer/compressor which is EXTREMELY fast, & does 64-bit executables properly also!

I use exe packing for good reasons for security & performance, since it obfuscates attempts @ "hacking" or resource altering a program + I check the exe size @ startup & if it alters even 1 BYTE? It automatically "shuts down" informing the user the program has been tampered with (which IS what a std. virus would have to do attaching code to an exe's "tail" & altering jump tables etc.)

It also makes it load faster since the file on disk is smaller & today's CPU's offset the decompression stage into RAM as a bonus!

So, to that?

The antivirus makers performed a special analysis @ Mr. Burn's request, & found the detection was a 'false positive'...

I.E.-> They have some "rules for detection" that are way, Way, WAY WRONG/OFF, in that IF they detect a "non-std." Win32/64 PE header? They flag it INSTANTLY as a malware... which IS wrong, & was proven so by myself to them...

I redid the app, improving it once more (adding in exceptions abilities to NOT download certain sites IF the users choose not to from certain custom HOSTS file data sources of the 12 it can use, & also better filtering vs. sites that ought NOT be in a custom HOSTS file + a bit better speed)...

So, then what happened?

Same crap: I had to go to them AGAIN, & say "check it", same deal - removal of FALSE POSITIVE DETECTION!

Many also have a "rule" in many of them, according to Mr. Henry Hertz Hobbit, of flagging an app as a malware IF THE MAKER DECIDES TO USE WinRar SFX files... DUMB & MORE THAN POTENTIALLY INCORRECT, see above for proof, or ask the gents I noted...

(Using a simple install like WinRar SFX makes for a small, fast, compact installation system functioning essentially like a "tarball" package... & makes tinier installers than does say, InnoSetup or InstallShield & the like, as well!)

* They are FAR from perfect... & make mistakes, due to DUMB rules!

Especially the use of exe packing (even Dr. Mark Russinovich uses it, ala Rootkit Revealer, to stop malwares from detecting & shutting down the program, as well as altering it adversely etc.) & of course, also the use of a WinRar Self-Extracting SFX distribution file (which functions as a "tarball" more-or-less for MY app @ least, just keeping its single exe & data files in 1 package for extract install to a single folder + run it type deal)...

APK

P.S.=> That's my "protest" & statement of FACT regarding things antivirus makers really OUGHT to correct for... it makes for false positives!

Ask Nir Sofer of NIRSOFT also...

E.G.-> He has gone thru the SAME GARBAGE with these people I have recently & years before with Computer Associates (who did the same to another app I wrote in 2004 & I passed ALL 21 of their questions for removal, & they downgraded the app threat to ZERO levels)... apk

Re:AntiVirus companies mess up... apk (1)

Luckyo (1726890) | about 2 years ago | (#40207883)

They do not flag such files as "malware". They flag them as "heuristics found suspicious files that have properties often used in malware".

If you actually read the text that your anti-virus software outputs on your screen, this becomes very obvious. Unfortunately most people, apparently including yourself, do not read these messages and instead assume your file has been filed as malware when you're looking at a false positive hit from a heuristics engine warning you about suspicious properties of your file.

Actual malware that is known is labelled very differently by most anti-virus software.
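
The false-positive story above and the reply distinguishing a heuristics hit from a malware label both come down to what a packer heuristic actually looks at. As an added example, not code from either poster or from any antivirus vendor, this Python script parses a minimal PE section table, flags high-entropy sections, unfamiliar section names and writable-plus-executable sections, and reports a "suspicious" verdict with the reasons instead of a family name. It also shows why the startup self-check described above should compare a digest rather than a file size: a byte patched in place leaves the size unchanged. The two PE images, the section-name whitelist and the 7.0 bits/byte threshold are constructed for the demo and are assumptions, not any product's real rules.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names an ordinary compiler/linker build emits. This whitelist is an
# assumption for the demo, not any vendor's real rule set.
COMMON_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata",
                   b".edata", b".rsrc", b".reloc", b".pdata", b".tls"}
HIGH_ENTROPY = 7.0            # bits per byte; compressed/encrypted data sits near 8
SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE
SCN_MEM_WRITE = 0x80000000    # IMAGE_SCN_MEM_WRITE


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk DOS stub, PE signature, COFF header and section table; yield (name, raw, chars)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(nsec):
        (name, _vs, _va, raw_size, raw_ptr,
         _rl, _ln, _nr, _nl, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size], chars


def heuristic_scan(image: bytes) -> dict:
    """Heuristic verdict: 'clean' or 'suspicious' plus reasons, never a family name.

    A hit means 'shares properties with packers and some malware'; it is not a
    signature match, which is what a real 'malware' label would rest on.
    """
    findings = []
    for name, raw, chars in parse_sections(image):
        label = name.decode("ascii", errors="replace")
        ent = shannon_entropy(raw)
        if ent > HIGH_ENTROPY:
            findings.append(f"{label}: entropy {ent:.2f} bits/byte (packed or encrypted data)")
        if name not in COMMON_SECTIONS:
            findings.append(f"{label}: non-standard section name")
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            findings.append(f"{label}: section is writable and executable")
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


def integrity_check(image: bytes, expected_sha256: str) -> bool:
    """Startup self-check: a digest catches the same-size patch a size check misses."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# ---- constructed sample images (assumed test data, not real binaries) ----

def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 file image from (name, raw_bytes, characteristics) tuples."""
    file_align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                      # PE32 magic, rest zeroed
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    first = -(-hdr_len // file_align) * file_align                    # first raw section offset
    table, bodies, ptr = b"", b"", first
    for i, (name, raw, chars) in enumerate(sections):
        raw = raw.ljust(-(-len(raw) // file_align) * file_align, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw),
                             0x1000 * (i + 1), len(raw), ptr, 0, 0, 0, 0, chars)
        bodies += raw
        ptr += len(raw)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first, b"\0") + bodies


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a packer's compressed payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


PLAIN_CODE = b"\x90" * 1000 + b"\xc3" + b"\0" * 23       # NOP sled + RET: near-zero entropy
PACKED_BLOB = pseudo_random(1024)
UNPACKED = build_pe([(b".text", PLAIN_CODE, 0x60000020)])              # CODE|EXEC|READ
PACKED = build_pe([(b"UPX0", b"\0" * 16, 0xE0000080),                   # UNINIT|EXEC|READ|WRITE
                   (b"UPX1", PACKED_BLOB, 0xE0000040)])                 # INIT|EXEC|READ|WRITE
GOOD_DIGEST = hashlib.sha256(UNPACKED).hexdigest()
TAMPERED = UNPACKED[:0x200] + b"\xcc" + UNPACKED[0x201:]  # one byte patched in place, same size

if __name__ == "__main__":
    for tag, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(tag, heuristic_scan(img))
    print("size check notices tampering:", len(TAMPERED) != len(UNPACKED))
    print("hash check notices tampering:", not integrity_check(TAMPERED, GOOD_DIGEST))
```

Run it and the unpacked image comes back clean while the UPX-style image collects five findings, none of which is a signature match; a product that prints those reasons is reporting a heuristic, and a product that prints a virus name for the same file is overclaiming. The integrity lines show the size comparison staying silent on the patched copy while the SHA-256 comparison fails.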

Explain the retraction of false positive then (0)

Anonymous Coward | about 2 years ago | (#40208027)

IF they didn't mess up & on the grounds I stated? See subject-line above...

"They do not flag such files as "malware". They flag them as "heuristics found suspicious files that have properties often used in malware" - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)

WRONG!

* The online scanners I noted don't DO what you said either... they only report "malware" & flagged it with malware names (virus names actually) no less... & they were WRONG too, of course, admittedly wrong on THEIR part no less... explain that!

(The last part in their admission of false positive is the BIGGEST burden on YOU now... the antivirus makers noted in my initial post, 5/70++ at JOTTI online + VirusTotal & even Microsoft Security Essentials said it was FINE!)

---

"If you actually read the text that your anti-virus software outputs on your screen, this becomes very obvious." - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)

WRONG AGAIN, & IF YOU READ WHAT I ACTUALLY WROTE AND WHAT SCANNERS TYPES I USED (online Jotti & VirusTotal)?

You wouldn't have stated that... period!

---

"Unfortunately most people, apparently including yourself, do not read these messages and instead assume your file has been filed as malware when you're looking as a false positive hit from heuristics engine warning your about suspicious properties of your file." - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)

See above - &, I wouldn't SPEAK of READING, were I you... not by this point.

---

"Actual malware that is known is labelled very differently by most anti-virus software." - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)

Again, B.S.: READ MORE CLOSELY NEXT TIME & check what online virus scanners I noted ACTUALLY DO!

Lastly - buddy look: I've been writing software that's done EXTREMELY well from the commercial software world more than once (to great acclaim in books, magazines, newspapers, technical trade shows & more), freeware/shareware, as well as custom database applications professionally since 1994...

So please: Don't even *TRY* to tell me "how it works", or worse, act "condescending" to me, until YOU can show you've done the same (as well as "turning the antivirus makers over onto their heads" more than once, which I have a couple times now)...

In fact?

I'd actually wager I may have been doing things like that before you were even BORN.

APK

P.S.=> "Proof's in the pudding" & argue with the results, + IF you doubt them? Write this fellow, Mr. Steven Burn of malwarebytes/hpHosts ->

services@it-mate.co.uk

(Who happens to be a respected member of the security community in Mr. Steven Burn of Malwarebytes' hpHosts website -> http://hosts-file.net/?s=Download [hosts-file.net] & he can substantiate my ENTIRE tale you replied to here -> http://it.slashdot.org/comments.pl?sid=2892215&cid=40207637 [slashdot.org] )...

... apk

Re:Explain the retraction of false positive then (0)

Anonymous Coward | about 2 years ago | (#40208433)

boring cunt

Luckyo, if the "best you've got" is (0)

Anonymous Coward | about 2 years ago | (#40208559)

"boring cunt" - by Anonymous Coward on Monday June 04, @10:16AM (#40208433)

Using profanities in reply after your "blunders" here -> http://it.slashdot.org/comments.pl?sid=2892215&cid=40208027 [slashdot.org] ?

* "U FAIL"... period.

APK

P.S.=> My, my "such language", lol... Yes, that's exactly the typical "geek angst" ridden b.s. I get in reply, after some "wannabe genius/computer guru" blows it vs. myself & yes, almost EVERY time... lol!

... apk

apk is fail (0)

Anonymous Coward | about 2 years ago | (#40208869)

"U FAIL"

who is that 'U' who keeps failing (according to you) ? there is no user named 'U' on slashdot, so who is it ?

also it should be written "U fails", grammar moron

Re:apk is fail (2)

drinkypoo (153816) | about 2 years ago | (#40208929)

who is that 'U' who keeps failing (according to you) ? there is no user named 'U' on slashdot, so who is it ?

Whoever replies to apk fails. I've done it. Don't do it.

What about the others? (Smart Fortress 2012) (4, Interesting)

Anonymous Coward | about 2 years ago | (#40207777)

My Dad's work PC got infected with "Smart Fortress 2012" mid-May. My mistake, I wasn't taking care of Flash and Acrobat reader. But an otherwise up-to-date XP, with an up-to-date Norton antivirus installed, got infected through a webpage. And even though the account was not an administrator account, Smart Fortress 2012 not only disabled Norton antivirus but rendered it inoperable - it had to be reinstalled (through the Administrator account).

Lesson learned. Don't trust much Norton, don't trust much anything else and tighten up as much as possible.

Antivirus is NO defense against targeted attacks (1)

Opportunist (166417) | about 2 years ago | (#40207863)

Well, DUH.

AV kits can only protect against attacks that are known. They may be able to detect new variants of attacks, so once a certain botnet type is known they may well be able to find zero-day developments if their heuristics are good (not a trivial task, but some have mighty good detection rates against unknown variants), but how are they supposed to detect what is simply not known to be a threat?

And likewise they cannot protect against attacks that target YOUR and only YOUR company. Where'd they get samples of it in the first place?

Nothing new here (4, Insightful)

Shoten (260439) | about 2 years ago | (#40208105)

Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel. Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians. The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry, while any armored military vehicle would shrug off an attack using weapons available to civilians. There are many other analogues involving surveillance technologies, etc. that show the dichotomy that has always existed between the military/intelligence communities and the civilian world.

But so what? Of course their tools are more sophisticated...they should be. The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

Re:Nothing new here (2, Funny)

Anonymous Coward | about 2 years ago | (#40208477)

Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

You should c'mon down and visit us here in Texas.

Re:Nothing new here (4, Interesting)

drinkypoo (153816) | about 2 years ago | (#40208805)

Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel.

ballocks [bulletproofme.com]

Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

Oddly enough, you can have all the same typical service issue ammo that the military uses.

The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry

...though neither do most military vehicles...

while any armored military vehicle would shrug off an attack using weapons available to civilians

Except for IEDs, for which we are having to redesign our entire fleet basically.

The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

Things have been going very, very badly for a long time. Companies like Coca-Cola and Nestle have their own military forces in third world countries. Corporatists have utterly taken over the majority of world governments. So while I agree with your premise, I don't agree with your conclusion. Civilians already have that capacity, and they always have, and things are already going that way.

Re:Nothing new here (2)

Threni (635302) | about 2 years ago | (#40208967)

> Except for IEDs

Exactly. Idiot goat farmers or whatever can take out the latest US vehicles again and again using cheap, readily available ingredients with innocuous legal uses plus a digital watch or walkie talkie. Such a shame the whole military/industrial complex is based on attacking Russia or whatever.

Remind me again, which month do I have to work until before I start earning money for me and not just the taxman?

Duh. (1)

jiteo (964572) | about 2 years ago | (#40208281)

The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets.

You don't say.

The best Anti Virus.... (1, Funny)

trancemission (823050) | about 2 years ago | (#40208317)

I have seen it on here lately - cleanMyPC or something like that....pretty good so I have heard........

Antivirus is a poor solution anyway (4, Insightful)

SCHecklerX (229973) | about 2 years ago | (#40208379)

Once you are hit, it is already too late.

What we as sysadmins and users should focus on instead is prevention.

Unfortunately, prevention relies mostly on end user education. They will always download that cool image, or play that game, forward that e-card, etc. You can't cure user stupidity with technology. The car analogy would be, well, eliminate cars and make everyone take the train.

"I Don't Know It, So the Government is to Blame!" (1)

LifesABeach (234436) | about 2 years ago | (#40208669)

Who benefits from the success of Stuxnet, Flame, et al.? The U.S. has a simple method, (publicly tested, and verified), of bringing down a country's entire electrical system, and that includes those systems that have backups. Anytime the U.S. wants to "turn off" the power to a country like Iran, it can. But the U.S. hasn't, so who else? I don't see complexity here, I see simple economic warfare. And I see where, Iran could easily handle a problem like a war with guns; but Iran is helpless against a war with credit cards. If I were Iran I would not look west, their guns are chillingly clean.

Out of their league (3, Insightful)

sir-gold (949031) | about 2 years ago | (#40208673)

Of course they are out of their league with stuxnet and flame. The AV companies are used to fighting teenage hackers and Russian mobsters, they aren't prepared to fight two of the highest-funded militaries in the world (USA and Israel). It's hard to beat the enemy when they outnumber and "outgun" you by a factor of 100,000

Re:Out of their league (2)

gweihir (88907) | about 2 years ago | (#40209227)

Surprisingly though, Stuxnet was a good demonstration of how incompetent hackers will write their malware. There is quite a bit of mistakes, errors and incompetence in it. Of course, the Iranian defenders were even more incompetent, with no independent safety systems on their centrifuges that would have prevented the damage. Really pathetic on both sides.

This basically shows that you can get past current AV software with something that is not very good in any regard. It also shows that the AV approach is fundamentally flawed.

Not a surprise (2)

gweihir (88907) | about 2 years ago | (#40209197)

From a certain attacker competence and resource level upwards, a leaky bucket like Windows cannot be fixed anymore. It takes competent system administration on a solid platform and a minimal attack surface. It also takes quality engineering with security in mind on everything that is reachable over the network. Most current software is so pathetically insecure (and yes, that includes quite a bit of FOSS software), that no amount of add-ons will ever make it secure.

On the other hand, software that was done with sound secure software engineering practices, competent personnel and adequate resources is very hard to attack and will quite often be impossible to attack. The saying that everything can be attacked is just a lame excuse for insecure software. It has no relation to what can actually be done.

What the article also shows is that the reactive, try-to-patch-thousands-of-tiny-holes-on-insecure-platforms-by-external-software approach that the AV companies are selling is fundamentally limited. This is not a surprise to any real security expert.
