For at least two years, Flame has been copying documents and recording audio, keystrokes, network traffic, and Skype calls, and taking screenshots from infected computers. That information was passed along to one of several command-and-control servers operated by its creators. In all that time, no security software raised the alarm.
Flame is just the latest in a series of incidents that suggest that conventional antivirus software is an outmoded way of protecting computers against malware. “Flame was a failure for the antivirus industry,” Mikko Hypponen, the founder and chief research officer of antivirus firm F-Secure, wrote last week. “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
The programs that are the lynchpin of computer security for businesses, governments, and consumers alike operate like the antivirus software on consumer PCs. Threats are detected by comparing the code of software programs and their activity against a database of “signatures” for known malware. Security companies such as F-Secure and McAfee constantly research reports of new malware and update their lists of signatures accordingly. The result is supposed to be an impenetrable wall that keeps the bad guys out.
However, in recent years, high-profile attacks on not just the Iranian government but also the U.S. government have taken place using software that, like Flame, was able to waltz straight past signature-based software. Many technically sophisticated U.S. companies—including Google and the computer security firm RSA—have been targeted in similar ways, albeit with less expensive malware, for their corporate secrets. Smaller companies are also routinely compromised, experts say.
Some experts and companies now say it’s time to demote antivirus-style protection. “It’s still an integral part [of malware defense], but it’s not going to be the only thing,” says Nicolas Christin, a researcher at Carnegie Mellon University. “We need to move away from trying to build Maginot lines that look bulletproof but are actually easy to get around.”
Both Christin and several leading security startups are working on new defense strategies to make attacks more difficult, and even enable those who are targeted to fight back.
“The industry has been wrong to focus on the tools of the attackers, the exploits, which are very changeable,” says Dmitri Alperovitch, chief technology officer and cofounder of CrowdStrike, a startup in California founded by veterans of the antivirus industry that has received $26 million in investment funding. “We need to focus on the shooter, not the gun—the tactics, the human parts of the operation, are the least scalable.”
CrowdStrike isn’t ready to go public with details of its technology, but Alperovitch says the company plans to offer a kind of intelligent warning system that can spot even completely novel attacks and trace their origins.
This type of approach is possible, says Alperovitch, because, although an attacker could easily tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would still have the same goal: to access and extract valuable data. The company says its technology will rest on “big data,” possibly meaning it will analyze large amounts of data related to many traces of activity on a customer’s system to figure out which could be from an infiltrator.
Christin, of Carnegie Mellon, who has recently been investigating the economic motivations and business models of cyber attackers, says that makes sense. “The human costs of these sophisticated attacks are the one of the largest,” he says. Foiling an attack is no longer a matter of neutralizing a chunk of code from a lone genius, but of defeating skilled groups of people. “You need experts in their field that can also collaborate with others, and they are rare,” says Christin. Defense software that can close off the most common tactics makes it even harder for attackers, he says.
Other companies have begun talking in similar terms. “It goes back to that ’80s law enforcement slogan: ‘Crime doesn’t pay,’ ” says Sumit Agarwal, a cofounder of Shape Security, another startup in California that recently came out of stealth mode. The company has $6 million in funding from ex-Google CEO Eric Schmidt, among others. Agarwal’s company is also keeping quiet about its technology, but it aims to raise the cost of a cyber assault relative to the economic payoff, thus making it not worth the trouble to carry out.
A company with a similar approach is Mykonos Software, which developed technology that helps protect websites by wasting hackers’ time to skew the economics of an attack. Mykonos was bought by networking company Juniper earlier this year.
Antivirus companies have been quick to point out that Flame was no ordinary computer virus. It came from the well-resourced world of international espionage. But such cyberweapons cause collateral damage (the Stuxnet worm targeted at the Iranian nuclear program actually infected an estimated 100,000 computers), and features of their designs are being adopted by criminals and less-resourced groups.
“Never have so many billions of dollars of defense technology flowed into the public domain,” says Agarwal of Shape Security. While the U.S. military goes to extreme lengths to prevent aircraft or submarines from falling into the hands of others, military malware such as Flame or Stuxnet is out there for anyone to inspect, he says.
Agarwal and Alperovitch of CrowdStrike both say the result is a new class of malware being used against U.S. companies of all sizes. Alperovitch claims to know of relatively small law firms being attacked by larger competitors, and green technology companies with less than 100 employees having secrets targeted.
Alperovitch says his company will enable victims to fight back, within the bounds of the law, by also identifying the source of attacks. “Hacking back would be illegal, but there are measures you can take against people benefiting from your data that raise the business costs of the attackers,” he says. Those include asking the government to raise a case with the World Trade Organization, or going public with what happened to shame perpetrators of industrial espionage, he says.
Research by Christin and other academics has shown that chokepoints do exist that could allow relatively simple legal action to neutralize cybercrime operations. Christin and colleagues looked into scams that manipulate search results to promote illicit pharmacies and concluded that most could be stopped by clamping down on just a handful of services that redirect visitors from one Web page to another. And researchers at the University of California, San Diego, showed last year that income from most of the world’s spam passes through just three banks. “The most effective intervention against spam would be to shut down those banks, or introduce new regulation,” says Christin. “These complex systems often have concentrated points on which you can focus and make it very expensive to carry out these attacks.”
But Agarwal warns that even retribution within the law can be ill-judged: “Imagine you’re a large company and accidentally swim into the path of the Russian mafia. You can stir up a larger problem than you intended.”