It's nice to see a bit of humility in a market where posturing is so prevalent. It's true that commercial AV can't be expected to pick up these well-funded, targeted attacks. But mom and pop can't be expected to know this from the advertising the AV companies put out.
Until a targeted attack turns every computer into a zombie DDoS farm inside an air-gapped network (thus, by definition not really a targeted attack anymore), AV companies and Mom and Pop shouldn't need to worry about these kinds of things. Stuxnet can be installed on your mom's PC and it'll provide just as much system instability and maliciousness as Winamp or uTorrent.
The real threats to moms and pops buying off the shelf AV products from their local BestBuy are the threats that are targeted at your mom and dad to steal their passwords, bank accounts, and include a trickle of Spam into the torrent of daily inbox junk that gets sent out every minute. If a nationstate decides to buy Norton 360 (et. al) to protect their nuclear reactor PLCs from being fucked with by another nationstate, well, they're screwed. There is no solution at that level (yet).
The real danger is that it's not just mom and pop that rely on the $25 anti-virus that came pre-installed.
Does your doctor use a mil-spec antivirus developed by the NSA? What about the police, the paramedic dispatcher, the control system for your local water treatment plant?
How many of these machines are connected to the internet AND to infrastructure that could cost lives ? How many have people who use the same USB key they used on their machine at home?
I also work for an AV company, but unlike Mikko - I do not think Flame or Stuxnet should be focused on. They do not cause malicious behavior to our users, therefore our time will be better spent addressing real threats that steal credit card numbers and ruin OS's.
Out of curiosity, which AV company do you work for? I want to make sure I never recommend that anybody purchase your products. Any software that exploits security flaws in OS or other system-level software needs to ring every alarm bell you've got. Sure Stuxnet, et al, target specific systems and hardware that are unlikely to belong to your customers, but Stuxnet's escape into the wild shows that mistakes or false assumptions were made by the designers and implementers. The software may not be intentionally malicious, but it's already behaving in ways not predicted by its authors. Yet you claim that I should just trust them and not worry that their software might be running on my system against my wishes? That's not what I, as a hypothetical customer of yours, pay you for.
There is limited amount of time and resources to deal with an enormous number of new samples daily, would you prefer we focus on samples that a) cause real harm to live users? b) could theoretically be dangerous down the line?
I am sorry if you disagree, but with over 50,000 new samples of malware out daily I personally think that all of our time would be better spent on zero days that actually are hurting out users today.
The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.
Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda.
What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.
But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.
There is an army of senior citizens calling support everyday complaining about Rogue Antivirus's which say they are infected and to give them their CC number, as well as the popups/redirectors.
Nobody is worried about the things they cannot see, and the things which are not directly harming them.
It behooves us to focus on the things people do see, so that we do a better job of eliminating the malware that is giving them tangible issues.
I'm not saying 'Flame is a non-issue, suspend all analysis of it by malware researchers!'. I am saying, that for most of us in the AV field this is a hand-to-hand combat type of industry and we don't have the time or resources to get all academic and hypothetical. We need to fix real infections on real machines, like yesterday!
I can understand why behavioral techniques might not detect this stuff in the wild, but what about honeypots? Anything that shows up on a honeypot should be detectable as malware.
"consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets"
Sorry - NO. These aren't some super secret stealth aircraft needing special materials and billions of $ to develop. They are programming the same Windows targets using the same compilers, generating the same instructions using the same system calls. Yes they were clever to target the particular facility and to hide the code. But they didn't build anything that some other malicous hacker couldn't build.
"And the zero-day exploits used in these attacks are unknown to antivirus companies by definition."
I must try that excuse. The bugs in my software are by definition unknown so I can't be expected to have fixed them.
So exactly what is the point of virus scanners? If all they are doing is checking for the obvious signatures in email attachments called "naked pictures of whoever readme.exe" to look for well known threats isn't the solution simply for the user to not be a moron?
"'consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets'"
That's not the relevant bit. This is the relevant bit (emphasis mine):
"As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected."
This means that they can be certain they've bypassed the signatures, and whatever imperfect heuristics are being used have been bypassed, with the attackers essentially having all the time in the world to play with and understand the heuristics, up to and including a complete disassembly of the heuristics if necessary. And you can't have perfect heuristics (hi, halting problem!).
Yes, when the enemy has full access to all these things and sufficient resources to use them, the antivirus loses. Other malicious hackers don't have this scale of resources, and that's the sole reason they can't do it.
" the attackers tested them against all of the relevant antivirus products on the market"
And the other bad guys wouldn't be able to do this?
There are only 2-3 common anti-virus products it's not hard to check if you are detected by Mcaffee/Symantec/AVG
Most antivirus products simply check for signatures. That way you keep paying for updates and they sell themselves on how many 1000s of viruses they detect.
Yes you can't have perfect heuristics and some of these are operating system issues - why does browsing a USB key run a program, why can a game on my phone access to my address book, why can an app connect to the internet without me knowing.
At this point do we just give up on both antivirus AND using general computers to access the web? Should we just use settop boxes with no persistent writeable storage?
In which case the zero day isn't a real excuse.
If you aren't checking for specific exploit code signatures then if a particular exploit is an unknown zero day or not doesn't matter.
Perhaps it's time to switch back to Harvard architecture. Programs and data are separate - you can't change program codeand you can't execute data.
0-day exploits aren't the problem. You're focusing on just one type of malware behavior.
Even if all of our software today was free of exploits, it wouldn't do anything to stop the bad guys from building trojan horses, and using that to bootstrap into broader pwning.
You say it as if checking for signatures it the ONLY effective method and you seem to be saying it's not that effective, so all AV's are useless. Well, it's not the only method and there are other effective methods.
"And the other bad guys wouldn't be able to do this?"
Yes, absolutely. Part of the fear is that they indeed have. But your average bad guy isn't an intelligence agency. The antivirus vendors can outclass the guy in a basement, or even a few guys working in a basement, and right now our threat profile is such that stopping those guys is still a big gain. There is definitely a large class of threats they can prevent.
I know for a fact that the average bad guy does this. Google "fud crypter", they are programs that take malware and makes it Fully UnDetectable by encrypting it, similar to how upx does it. Even skiddies use them.
Heh, I went back and forth between highlighting the "can" in my post. I think you can make a great case that they do not do all the things they could be doing, and there's been rather more focus on the sort of things that have produced bloatware rather than better virus scanning.
But it should be pointed out that in the arms race it should generally be expected that the mid-level underground is always pretty much exactly one step ahead of Symantec etc. It's the nature of the arms race that they are in that the attackers have the temporal advantage. The question is less about whether a given technique works today and more about how long it works. The big advantage an intelligence agency and a large attacker has that doesn't apply to the mid-level underground is that their malware won't (or shouldn't) be detected by the various early-detection techniques that the anti-virus companies have, because they aren't necessarily just going to release their stuff into any place the antivirus company will see. Ideally, they'll simply never see it, which is why its interesting when these "escape".
It's not that theoretical, the following complex program fits that description:
def IsProgramAVirus(program):
return True
But it's not particularly useful. In practice the false positive rate is extremely important, because if it gets too annoying users will switch it off.
In the best of worlds, developers could make an effort not to do anything shady, like self modifying code, dll-injection etc, making heuristics complaining about such behaviours viable.
So what they're saying is: "We can't possibly defend against any attack if the attacker bothers to take the time to test their attack against our software."
That's a startling admission, not just because they're saying "our software ain't that good" but because they've also gone and told you exactly how to defeat it.
A nation state might have access to the antivirus source code (and maybe some of the ex-programmers (or present!) as consultants).
What was it the guy said, who was poisoned with Polonium in London? Something like "Spy organisations are made to compete with other spy organisations, with budgets in the billions. As a private person, you're hopelessly outmatched."
> they've also gone and told you exactly how to defeat it.
No, what they said is that since they [hackers] can test their code with antivirus before deploying, they can be sure of the fact that it wont be detected.
So it's obvious that to "defeat" the antivirus, they have to test against it. It's in no way a solution. Anyone with a little common sense will tell you that to defeat an antivirus, the best way is to test against it before you release your malware.
Billions, no, but certainly millions, if not tens of millions. If 10 people worked on Stuxnet for a year (this includes programmers and managers across both the US and Israel), that's roughly $1 million. And I would be surprised if there was just 10 people a year working on this between both the US and Israeli governments.
So, yes, they're using the same platform as other hackers. But I think you are understating the scope of what a team of dedicated people with governmental approval and budgets can accomplish by just calling it "clever."
Simple solutions. Designate random computers as secure. Have them in normal places, for instance in workplaces, but with agreements to have special monitoring, and serious penalties for putting software on them without properly logging that you're doing so.
Every so often scan those computers. Any software that is there which was not installed, is presumed to be malware. (And if not, trigger those penalties for having installed stuff without saying.)
Humans being humans, you'll get a lot of false positives. But you'll notice things like Flame and Stuxnet.
And this is why antivirus is, by and large, an utter waste of CPU cycles and IO wait time.
The ones it catches you could have avoided by not being an idiot. The ones you WANT it to catch go sailing by. Meanwhile your life is a misery because every single little file access goes through the antivirus - much like any other root kit, in fact. Ask me what that does to performance when you develop in Java, and every single JAR file gets unpacked and scanned every time...
@jgmmo sounds like trolling. These things escaped into the wild, which means the code is now available to a whole lot of malwre develoeprs who just upped their game.
This would have been a good opportunity to educate the public about APT. Mikko's argument is essentially that this was an APT attack, which is by definition unstoppable.
A more productive way to take this essay is how to detect and close breaches once they've happened. But AV companies aren't interested in pursuing this part of the market, because it's not as simple as selling a piece of automated software.
It's the same with spammers. If you are a public email provider, the spammers create accounts and spam them before unleashing their spam. Since they have access to both sides of the wall, they can keep trying till they are successful.
Rinse, lather, repeat.
I'd like to hear more about how they had samples already submitted but some process caused them to ignore them, and what they're doing to prevent that omission in the future.
39 comments
[ 5.6 ms ] story [ 63.5 ms ] threadThe real threats to moms and pops buying off the shelf AV products from their local BestBuy are the threats that are targeted at your mom and dad to steal their passwords, bank accounts, and include a trickle of Spam into the torrent of daily inbox junk that gets sent out every minute. If a nationstate decides to buy Norton 360 (et. al) to protect their nuclear reactor PLCs from being fucked with by another nationstate, well, they're screwed. There is no solution at that level (yet).
Does your doctor use a mil-spec antivirus developed by the NSA? What about the police, the paramedic dispatcher, the control system for your local water treatment plant?
How many of these machines are connected to the internet AND to infrastructure that could cost lives ? How many have people who use the same USB key they used on their machine at home?
I am sorry if you disagree, but with over 50,000 new samples of malware out daily I personally think that all of our time would be better spent on zero days that actually are hurting out users today.
Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda.
What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.
But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.
http://www.schneier.com/blog/archives/2005/11/sonys_drm_root...
Nobody is worried about the things they cannot see, and the things which are not directly harming them.
It behooves us to focus on the things people do see, so that we do a better job of eliminating the malware that is giving them tangible issues.
I'm not saying 'Flame is a non-issue, suspend all analysis of it by malware researchers!'. I am saying, that for most of us in the AV field this is a hand-to-hand combat type of industry and we don't have the time or resources to get all academic and hypothetical. We need to fix real infections on real machines, like yesterday!
Sorry - NO. These aren't some super secret stealth aircraft needing special materials and billions of $ to develop. They are programming the same Windows targets using the same compilers, generating the same instructions using the same system calls. Yes they were clever to target the particular facility and to hide the code. But they didn't build anything that some other malicous hacker couldn't build.
"And the zero-day exploits used in these attacks are unknown to antivirus companies by definition."
I must try that excuse. The bugs in my software are by definition unknown so I can't be expected to have fixed them.
So exactly what is the point of virus scanners? If all they are doing is checking for the obvious signatures in email attachments called "naked pictures of whoever readme.exe" to look for well known threats isn't the solution simply for the user to not be a moron?
That's not the relevant bit. This is the relevant bit (emphasis mine):
"As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected."
This means that they can be certain they've bypassed the signatures, and whatever imperfect heuristics are being used have been bypassed, with the attackers essentially having all the time in the world to play with and understand the heuristics, up to and including a complete disassembly of the heuristics if necessary. And you can't have perfect heuristics (hi, halting problem!).
Yes, when the enemy has full access to all these things and sufficient resources to use them, the antivirus loses. Other malicious hackers don't have this scale of resources, and that's the sole reason they can't do it.
And the other bad guys wouldn't be able to do this? There are only 2-3 common anti-virus products it's not hard to check if you are detected by Mcaffee/Symantec/AVG
Most antivirus products simply check for signatures. That way you keep paying for updates and they sell themselves on how many 1000s of viruses they detect.
Yes you can't have perfect heuristics and some of these are operating system issues - why does browsing a USB key run a program, why can a game on my phone access to my address book, why can an app connect to the internet without me knowing.
At this point do we just give up on both antivirus AND using general computers to access the web? Should we just use settop boxes with no persistent writeable storage?
No, I don't think a single AV product can be described this way for many years now. But people like to repeat it.
Perhaps it's time to switch back to Harvard architecture. Programs and data are separate - you can't change program codeand you can't execute data.
0-day exploits aren't the problem. You're focusing on just one type of malware behavior.
Even if all of our software today was free of exploits, it wouldn't do anything to stop the bad guys from building trojan horses, and using that to bootstrap into broader pwning.
Yes, absolutely. Part of the fear is that they indeed have. But your average bad guy isn't an intelligence agency. The antivirus vendors can outclass the guy in a basement, or even a few guys working in a basement, and right now our threat profile is such that stopping those guys is still a big gain. There is definitely a large class of threats they can prevent.
But it should be pointed out that in the arms race it should generally be expected that the mid-level underground is always pretty much exactly one step ahead of Symantec etc. It's the nature of the arms race that they are in that the attackers have the temporal advantage. The question is less about whether a given technique works today and more about how long it works. The big advantage an intelligence agency and a large attacker has that doesn't apply to the mid-level underground is that their malware won't (or shouldn't) be detected by the various early-detection techniques that the anti-virus companies have, because they aren't necessarily just going to release their stuff into any place the antivirus company will see. Ideally, they'll simply never see it, which is why its interesting when these "escape".
1. All my computers have finite memory 2. You could in theory make heuristics with false positives but without false negatives.
def IsProgramAVirus(program): return True
But it's not particularly useful. In practice the false positive rate is extremely important, because if it gets too annoying users will switch it off.
That's a startling admission, not just because they're saying "our software ain't that good" but because they've also gone and told you exactly how to defeat it.
[insert conspiracy theory here]
What was it the guy said, who was poisoned with Polonium in London? Something like "Spy organisations are made to compete with other spy organisations, with budgets in the billions. As a private person, you're hopelessly outmatched."
No, what they said is that since they [hackers] can test their code with antivirus before deploying, they can be sure of the fact that it wont be detected.
So it's obvious that to "defeat" the antivirus, they have to test against it. It's in no way a solution. Anyone with a little common sense will tell you that to defeat an antivirus, the best way is to test against it before you release your malware.
This. I haven't used an antivirus program in a long time.
So, yes, they're using the same platform as other hackers. But I think you are understating the scope of what a team of dedicated people with governmental approval and budgets can accomplish by just calling it "clever."
Every so often scan those computers. Any software that is there which was not installed, is presumed to be malware. (And if not, trigger those penalties for having installed stuff without saying.)
Humans being humans, you'll get a lot of false positives. But you'll notice things like Flame and Stuxnet.
Well, I laughed.
The ones it catches you could have avoided by not being an idiot. The ones you WANT it to catch go sailing by. Meanwhile your life is a misery because every single little file access goes through the antivirus - much like any other root kit, in fact. Ask me what that does to performance when you develop in Java, and every single JAR file gets unpacked and scanned every time...
Really, just stop and think before making claims like this.
A more productive way to take this essay is how to detect and close breaches once they've happened. But AV companies aren't interested in pursuing this part of the market, because it's not as simple as selling a piece of automated software.
How did they do this? This seems to imply that either
(1) the certification authorities or the (2) vendors of these "trustworthy" software applications were "part of the team".