Now is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning. Apologies to Winston Churchill, but recent events make this quote seem quite appropriate. Despite the initial hype, Flamer does not indicate the end of the world is upon us. Flamer actually indicates the end of the beginning.
It is the end of ignoring the risk of malware stealing your information. Hopefully. Flamer is completely over the top in how it steals information. But it’s certainly not the first piece of malware designed to steal information. There are thousands of them. Flamer is unlikely to be targeted at you. But one of those other ones probably is.
It is the end of antivirus alone being a complete security solution. Is AV dead? No, it’s just not a complete solution anymore. If you go to an electronics store and tell them you want to be able to receive text messages they sell you a smart phone. AV is part of a complete solution. Doesn’t it seem weird to see someone still using a pager? I feel the same way when I see someone still using just AV to protect them.
It is the end of being able to say that this really doesn’t affect me. If cyber-attacks become an extension of war then clearly this will affect us all. But even if things remain at the level of cyber-sabotage and cyber-espionage these threats could affect us all. Call it the law of unintended consequences. Or maybe just collateral damage.
The authors of Stuxnet knew that they might only have one chance of hitting their target. It had to be extremely well tested before it was released. The threat is relatively harmless when it is on a machine that does not control uranium enrichment cylinders. That said, despite many functions that worked to prevent Stuxnet from being widely spread, it still infected 1000s of computers. The authors of Flamer were very successful at limiting the spread of the malware. But despite all the design and planning that went into that threat, with seemingly unlimited functionality built in, once the malware was discovered, the authors didn’t have all the removal functionality they needed.
What happens when other malware authors, less-resourced for planning and testing or less concerned about all the consequences of their creation, start attempting malware as complex as Stuxnet and Flamer? This week we saw a perfect example of the risk.
We wrote about W32.Printlove last week. It is not a targeted attack and its purpose is not cyber-espionage. And in no way does it reach the levels of sophistication that Flamer and Stuxnet do. But it’s complex and ambitious. It’s a step above most of today’s malware whose functionality doesn’t go much beyond copying things off your computer or running an animation pretending to be a virus scan. Most threats are not that ambitious. Trojan.Milicenso is. And that complexity and ambition comes with unintended consequences.
Milicenso places a binary file in the print spooler directory of a Windows system. If you have ever mistakenly printed a binary file you know what happens next. It spews sheets of gobbly-gook out of your printer. Trojan.Milicenso only does this for certain configurations of a Windows machine. Undoubtedly whatever testing done by the malware author did not include machines configured this way.
You can argue the seriousness of a piece of malware “killing a few trees.” But the real point is that while we may not be the target of an attack, it does not mean we will not suffer the consequences, intended or not. And it may not be just paper the next time.
For up-to-date information on the current threat landscape, please see the Symantec Security Response blog at http://bit.ly/KImWtr