How did everyone miss Flame?

The most "complex malware ever found" — Flame — has taken the information security world by surprise. Given that it is said to have been around for years, how did everyone miss it?
Written by Michael Lee, Contributor

analysis The most "complex malware ever found" — Flame — has taken the information security world by surprise. Given that it is said to have been around for years, how did everyone miss it?

Several security research firms, including Symantec, Kaspersky and McAfee have been hard at work analysing a specific piece of malware in the past few days after the Iranian Computer Emergency Response Team posted an alert about malicious code designed to steal and exfiltrate information from infected computers back to a network of at least 10 command and control servers.

However, as Budapest University's Laboratory of Cryptography and System Security (CrySyS) reported in its analysis of the malware, it "may have been active for as long as five to eight years". CrySyS also reported that the malware's footprint is massive — some 20MB — in stark contrast to traditional malware, which attempts to keep as low a profile as possible to avoid detection. Furthermore, the malware also appears to regularly send out information to command and control servers, which should have raised the concerns of a discerning network administrator.

But despite these apparent red flags, the Flame war didn't heat up until just recently.

Stratsec manager for threat research and analysis Sergei Shevchenko told ZDNet Australia that it was possible that Flame had not been in the wild as long as initially reported. CrySyS' five-to-eight-year estimate relies on anecdotal evidence submitted by the Webroot community in 2007.

"The samples in those firstly reported cases happened to share the same filenames as Flame's own components, and could either have belonged to Flame family, or not ... could have been detected under different threat names and by different products, or not," Shevchenko said.

Kaspersky, McAfee and Symantec all believe that Flame has been around for two years, after detecting some of its components running back to 2010. So the issue wasn't necessarily that antivirus products weren't detecting Flame, but rather that they just didn't know what they were looking at until now.

Yet, Pure Hacking CTO Ty Miller believed it was simply a case of malware authors being a step ahead of antivirus companies.

"Malware detection is a tricky industry, as the hackers and the antivirus companies are both constantly racing for better bypass and detection techniques, respectively. Unfortunately, antivirus companies are behind the eight ball since it is easier to bypass known security controls, than it is to detect unknown threats," Miller said.

A well-trained network administrator could have been expected to detect the regular communications sent from the infected machines using intrusion detection/prevention systems (IPS/IDS). However, Miller notes there is a chicken-and-egg situation whereby IPS signatures are often only created once the malware is known. In addition, Flame's creators appear to have taken precautionary measures against network forensics. Flame uses SSL encryption, similar to that used to secure communications during online banking.

"The malicious network traffic is transferred over SSL and SSH tunnels, which are generally encrypted from end to end. This means that network-based intrusion prevention systems would not be able to detect rogue activities," Miller said.

Shevchenko agreed, stating that even if the traffic seemed odd, it would be impossible to decrypt without the right key to determine what was going on.

"Without knowing what algorithm the traffic is encrypted with and what keys were used to encrypt it, no security solution would be able to classify such traffic as malicious, without increasing the risk of false positive detections that may potentially block legitimate traffic," he said.

CrySiS' report also revealed that more than 50 domain names and over 15 distinct IP addresses were cycled to reduce and suspicious trends in activity that might be picked up by a network administrator.

Flame's larger file size didn't raise any flags; in fact, Kaspersky Labs security researcher Alexander Gostev noted that its large size was precisely why it wasn't discovered for so long — it simply didn't fit the profile.

Shevchenko said that the larger size of the malware points to a set of careless malware authors — who prefer to use high-level languages — or professional programmers that prefer to use third-party components and libraries that had evolved over time into highly reliable time-tested tools.

"This complacency might be explained with the fact the recently [hired] professional developers simply continued to work the way they used to ... developing lower-level components might sound like a nightmare idea to them," he said.

Editorial standards