June 1, 2012

Why Antivirus Companies Like F-Secure Failed to Catch Flame and Stuxnet

Mikko Hypponen, writing about his company's failure to detect the Stuxnet worm on Wired's Threat Level blog:

"What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general."

It's an interesting read, touching on why every anti-malware company's software failed to warn computer users about the threat.

In a nutshell, the Stuxnet authors were able to forge cryptographic code signatures that made the Stuxnet code appear benign. Combined with other methods, Stuxnet was able to infect over 100,000 computers worldwide after escaping the Natanz nuclear processing facility in Iran.

Perhaps the authors thought the worm would never make it to the wider Internet. That's a bit of ignorance on their part. Any software author knows from experience that code obeys Murphy's Law, too.