Countries Rushing to Cyber Weapons: First Stuxnet, Now Advanced Iran W32/Flame, Flamer or SkyWiper
May 29, 2012
By Roger Thompson

The Other Shoe Just Dropped
Over the weekend, multiple reports appeared about a new piece of cyber malware, named, W32/Flame, Flamer or SkyWiper. I’ll stick with the official CARO name of W32/Flame.A.

Been around for a least a couple of years, undetected
Just as with Stuxnet and DuQu, it is a huge piece of incredibly complex malware, and all that is really known about it at the moment is that it is an information gatherer, at a minimum, (although it could probably do just about anything) and has quite likely been around for a least a couple of years, undetected.

In other words, it’s been trolling its victim systems for probably two years, gathering whatever it was told to gather, by its unidentified masters.

Victims
It seems likely, but not certain, that the majority of victims were in Iran, or in other areas of the Middle East, although a good chunk of victims were found in Hungary, of all places. Why Hungary would be a target is not clear to me at this point. It might have been simply collateral damage, but I tend to dislike coincidences.

Highly Skilled
This portends ill for its victims, as one of the tenets of computer security is that if a skilled hacker is in your networks for long enough, you can never get them out again, because they know more about your network than you do, and these hackers , were skilled… highly skilled.

The Worst Hack?
Remember, the worst hack is the one you don’t know about.

What Does It Mean To You?
Firstly, it means that we have to assume that every country is trying to do exactly the same thing… create cyber weapons. If they weren’t doing it prior to the disclosure of Stuxnet/DuQu, they began right after, and W32/Flame. A is now vigorously fanning the flames, so as to speak.

How Do You Defend Against This?

It turns out that there are only three ways to detect malware.

     (1)    The first is a signature scanner, which is what most of the world uses to detect malware. This     works great, if the malware is known, but misses everything      new, until it gets an update.     Unfortunately, the Bad Guys know this, and simply create new malware every day. They know that     within a few days to a week, every signature scanner will have been updated to detect them, but     they don’t care, because they’ll have created a new version every day.  

     (2)    The second way is integrity checking/whitelisting. This is where you know what your system     looks like, and you only allow whitelisted applications to run. This works extremely well, but     is not popular because it requires discipline on the part of the user/administrator, and     requires a high degree of user knowledge when it comes time to install something new. 

     (3)    The third way is behavior monitoring. This is where you watch for malicious behavior. Simple     examples would be something that modified another program, or something that installed itself     so that it would survive a reboot.

The nice thing about behavior monitoring is that all modern antiviruses do it to one degree or another, but the problem is that it is generally regarded as a second string line of defense, behind various types of signature scanning.

The Needed Paradigm Shift: Behavior Monitoring
In my opinion, it is time for antivirus developers to begin focusing on behavior monitoring as the principal line of defense.

When an attacker knows that he has only to bypass a signature scanner, it means he has only to come up with something new. In other words, any new bit of malware will probably bypass all the world’s scanners, for at least a few days to a week, or until they all catch up.

If, however, every antivirus developer starts to focus on their behavior layer, an attacker is faced with trying to bypass multiple and different behavior strategies. Put another way, each antivirus developer will have their own set of rules and nuances for what constitutes malicious behavior, and this in turn will make the attacker’s job some orders of magnitude harder.

There have always been these three ways to detect viruses and malware, but in the early 90’s, customers voted with their wallets for signature based detection. A signature scanner says something is bad, or it says nothing, and no one has to think.

Each day, every antivirus lab gets between 30,000 and 70,000 new and unique samples.

Folks, it’s time to focus on behavior blocking. Do you agree?

 

 

Comments

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.