May 30, 2012

How Flame Evaded Antivirus

Most current estimates put Flame's age at 2-8 years. Taking either end of that range: how could it have gone undetected for so long?

Mikko Hypponen, CRO at F-Secure, summarized it nicely: “The worst part of Flame? It has been spreading for years.

Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed. All of these cases were spreading undetected for extended periods of time.”

How did they do it? Flame drops its binaries with the .OCX extension, which AV products often do not scan by default. If it finds McAfee on the system it uses the .TMP extension instead, because McAfee does scan .OCX by default. Worse, according to one statement on Twitter, Kaspersky knew about Flamer within a month and still didn't add a signature to their AV until a few days ago. If true, this is another black eye for the AV industry.
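The evasion above works only against scanners that decide what to inspect by file extension. As an added example (not from the original post), the following sweep identifies Windows PE images by their header bytes instead, so a payload dropped as .OCX or .TMP is still examined; the extension list, file names and sample bytes are constructed for illustration.

```python
import os, struct, tempfile

# Extensions the post names as commonly skipped by default AV scans (assumed
# list for illustration; extend it to match your own scanner's exclusions).
LOW_SCRUTINY_EXTS = {".ocx", ".tmp"}

def is_pe_image(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sweep(root: str) -> list:
    """Walk root and report every PE image found, whatever its extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # both headers sit in the first page
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if is_pe_image(head):
                ext = os.path.splitext(name)[1].lower()
                findings.append({"path": path, "ext": ext,
                                 "low_scrutiny_ext": ext in LOW_SCRUTINY_EXTS})
    return findings

def make_pe_stub(e_lfanew: int = 0x80) -> bytes:
    """Constructed bytes satisfying the PE header check (not an executable)."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:] = b"PE\x00\x00"
    return bytes(buf)

def demo_in_tempdir() -> list:
    """Drop constructed sample files into a temp dir and sweep it."""
    root = tempfile.mkdtemp()
    samples = {"ctrl.ocx": make_pe_stub(), "cache.tmp": make_pe_stub(),
               "tool.exe": make_pe_stub(), "notes.txt": b"plain text\n"}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return sweep(root)
```

Calling `demo_in_tempdir()` reports all three PE stubs, with the .ocx and .tmp ones flagged as sitting under low-scrutiny extensions; the text file is ignored because its content, not its name, decides.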

It’s no secret that there is a huge industry devoted to bypassing AV. Flame, we hope, will serve as a key event that compels organizations to rethink their security spend. More and more, we see enterprises assuming they’ve already been compromised and taking the approach we detailed here.

It turns out the UN is warning member states about Flame. Let's hope "updating your antivirus" isn't one of the recommendations.
