How Flame virus has changed everything for online security firms
Here’s a question: if you connect an unprotected Windows computer to the internet, how long will it take before it is infected by malicious software? The answer is: much more quickly than most lay users think. In 2003, the average time was 40 minutes. A year later it was 20 minutes. By 2008 an unpatched computer running Microsoft Windows XP could only expect five to 16 minutes of freedom. The Internet Storm Centre (ISC) provides a useful chart of what it calls “survival time” for Windows machines. It suggests that a PC currently can expect between 40 and 200 minutes of freedom before an automated probe reaches it to determine whether it can be penetrated. The numbers for other operating systems (such as Unix and Linux) are better (from 400 to 1,400 minutes), but the moral is the same: the only way to have an absolutely secure computer is not to connect it to the net.
On the back of statistics like this, a huge global industry has grown up – the PC “security” business – dominated by companies such as Norton, Symantec, Sophos and Kaspersky. They offer software tools for blocking computer viruses, worms and Trojans (programs that look innocuous but compromise the computer in some way, rendering it controllable by an external agent).
The PC security business does offer a degree of protection from the evils of malware, but suffers from one structural problem: its products are, by definition, reactive. When a particular piece of malicious software appears, it is analysed in order to determine its distinctive “signature”, which will enable it to be detected when it arrives at your machine. Then a remedy is devised and an update or “patch” issued – which is why your PC is forever inviting you to download updates – and why IT support people always look pityingly at you when you explain sheepishly that you failed to perform the aforementioned downloads.
So the security companies are always playing catch-up, profitably slamming stable doors after the horses have bolted. Until recently, the industry has tactfully refrained from emphasising this point, and most of its customers have been too clueless to notice.
This cosy arrangement was too good to last, and a few weeks ago the industry’s cover was finally blown. What happened is that computer security labs in Iran, Russia and Hungary announced the discovery of a virus called Flame, which one researcher has called “the most complex malware ever found”. For at least two years Flame has been copying documents and recording audio, keystrokes, network traffic and Skype calls, as well as taking screenshots from infected computers. And passing all the information it harvested to command-and-control servers operated by its creators. And here’s the really startling bit: in all that time, no security software raised the alarm. It bypassed the “signatures” databases of all the PC security companies.
Nobody knows who wrote Flame, but the consensus in the industry is that it was an expensive high-end creation in the same league as the Stuxnet worm that attacked the Iranian nuclear programme. The odds are, therefore, that it was a product of the security agencies of the US, UK or Israel, or some combination thereof. But because the malware incorporated a “kill switch” that can wipe out all traces of it from an infected machine, and that switch has reportedly been activated, we may never know for sure.
What we can be sure of, though, is that we’ve crossed the threshold into a different world. The old signature-based, reactive approach of the anti-virus industry is not up to this new game. We’re going to need radically different approaches if our societies – and our industries – are going to be able to protect themselves from the imitators and successors of Flame. And for that we’re going to need new metaphors and models. The current anti-virus approach is a bit like playing whack-a-mole, and it’s run its course.
In thinking about this, some companies and researchers are looking to natural systems for inspiration. The human body’s immune response system, for example, is pretty impressive in detecting and dealing with intruders and IBM has used it as a metaphor for its “Digital Immune System for Cyberspace”. The company claims that its system can automatically detect viral activity at a very early stage as well as develop a cure and distribute it across the internet faster than the virus spreads. No doubt other researchers are working on similar ideas. If so, then perhaps we won’t have wasted the crisis triggered by Flame.