How Flame Evaded Antivirus
Most current estimates put Flame's age at somewhere between 2 and 8 years. Taking either end of that range: how could it have gone undetected for so long?
Mikko Hypponen, CRO at F-Secure, summarized it nicely: “The worst part of Flame? It has been spreading for years. Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed. All of these cases were spreading undetected for extended periods of time.”
How did they do it? Flame drops its binaries with the .OCX extension, which many AV products do not scan by default. If it finds McAfee on the system, it switches to the .TMP extension instead, because McAfee does scan .OCX by default. In other words, the malware picks whichever file extension the installed scanner ignores; the content of the file never changes. Worse, according to one statement on Twitter, Kaspersky knew about Flamer within a month and still didn't add a signature to its AV until a few days ago. If true, this is another black eye for the AV industry.
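The evasion above only works against a scanner that decides what to inspect by file extension. The following script, added here as an example and not code from the original post or from any AV vendor, shows the content-based alternative: it treats a file as a Windows executable whenever its bytes carry a DOS "MZ" header whose e_lfanew field points at a "PE\0\0" signature, regardless of the name. The sample files and the list of "normally unscanned" extensions are constructed for the example; real products' defaults differ, which is exactly what Flame relied on.

```python
"""
Added example: extension-agnostic detection of PE files dropped under
non-executable extensions such as .OCX or .TMP.

The extension list and the sample files below are constructed for this
example (assumptions for illustration, not any vendor's real defaults).
"""
import os
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"

# Extensions an extension-driven scanner might skip. Assumed list for the
# example only; the point is that any such list is a bypass opportunity.
UNSCANNED_EXTENSIONS = {".ocx", ".tmp", ".dat", ".log"}


def is_pe(data: bytes) -> bool:
    """True if data begins with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    # The DOS header is 0x40 bytes; anything shorter cannot hold e_lfanew.
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    # e_lfanew: little-endian DWORD at offset 0x3C giving the PE header offset.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds-check before slicing so a hostile or truncated header cannot
    # make us read past the buffer (a false "MZ" prefix is handled here too).
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def masquerading_executables(files: dict) -> list:
    """Given {path: bytes}, return paths whose extension looks like 'not code'
    but whose content is a PE image. Sorted for deterministic output."""
    hits = []
    for path, data in files.items():
        ext = os.path.splitext(path)[1].lower()
        if ext in UNSCANNED_EXTENSIONS and is_pe(data):
            hits.append(path)
    return sorted(hits)


def scan_directory(root: str) -> list:
    """Walk a real directory tree and apply the same content check.
    Only the first 64 KiB of each file is read; a PE whose e_lfanew points
    beyond that window would be missed, which is a deliberate simplification."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(0x10000)
            except OSError:
                continue  # unreadable files are skipped, not treated as clean
    return masquerading_executables(files)


def make_minimal_pe() -> bytes:
    """Construct a byte string with a valid DOS stub and PE/COFF signature.
    It is not a runnable program, just enough header to exercise is_pe()."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # COFF header: Machine=0x14C (i386), 0 sections, remaining fields zero.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + PE_MAGIC + coff


def make_bad_offset_pe() -> bytes:
    """Construct an 'MZ' file whose e_lfanew points outside the file."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0xFFFFFFF0)
    return bytes(dos)


# Constructed sample "files": two dropped PE images hiding under unscanned
# extensions, one real DLL (scanned anyway), and two non-PE decoys.
SAMPLE_FILES = {
    r"C:\Windows\System32\dropped.ocx": make_minimal_pe(),
    r"C:\Windows\Temp\~tmp1234.tmp": make_minimal_pe(),
    r"C:\Windows\System32\legit.dll": make_minimal_pe(),
    r"C:\Windows\Temp\install.log": b"Installation completed.\r\n",
    r"C:\Users\Public\notes.tmp": b"MZ is just two letters here",
    r"C:\Users\Public\corrupt.dat": make_bad_offset_pe(),
}

if __name__ == "__main__":
    for hit in masquerading_executables(SAMPLE_FILES):
        print("PE image under non-executable extension:", hit)
```

The point of the example is the check itself: a scanner keyed on the header bytes sees `dropped.ocx` and `~tmp1234.tmp` as executables and ignores `notes.tmp` and `corrupt.dat`, whereas an extension allowlist would have skipped both real droppers. `legit.dll` is not reported because `.dll` is assumed to be scanned already.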
It’s no secret that there is a huge industry devoted to bypassing AV. Flame, we hope, will serve as a key event that compels organizations to rethink their security spend. More and more, we see enterprises assuming they’ve already been compromised and taking the approach we detailed here.
Turns out the UN is warning member states about Flame. Let's hope "updating your antivirus" isn't one of the recommendations.