AV just doesn’t work for targeted attacks: Schneier

F-Secure’s Mikko Hypponen partially agrees.

Antivirus vendors missed Flame, Stuxnet and Duqu because they never considered them a priority, not because the attackers were superior, says security technologist Bruce Schneier.

Schneier takes a shot at F-Secure’s Mikko Hypponen, who recently explained that the AV industry’s failure to detect military-grade malware samples came down to an “unfair” contest between attacker and defender.

Hypponen argued that while AV can protect against “run-of-the-mill” malware, the better-resourced attackers likely went to great lengths “to make sure that the malware wouldn’t be detected”.

“They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons,” wrote Hypponen.

The problem Schneier has with that argument is that everyday crooks who write viruses, worms and spam have been doing exactly the same thing, testing their code against the defenders’ products, for decades.

AV vendors admitted when Flame first made it on their radar that they had samples of it, but Schneier says “they just didn’t do anything about them”.

The real reason AV vendors missed all three high-profile threats, in Schneier’s view, is that understanding them was “never a priority”.

“[T]he difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily,” wrote Schneier.

Hypponen doesn’t disagree with Schneier's assessment.

“Bruce is right, too. We had copies of Flame sent to us via automated systems in 2010. We had categorised them as clean, because that's what the files looked like,” he told

“And since there were so few reports, we never went back to re-categorise them until 2012 when we finally realised how important they were.”

But if, as Hypponen said, missing the malware was a "spectacular failure" of the entire industry, it just suffered another one last week.

The spying trojan Symantec labelled Naid, which was used against visitors to Amnesty International’s Hong Kong website, had been in Symantec’s records since January 2010, yet no vendor added a signature for it until last week, after it was linked to an attack that exploited the Internet Explorer zero-day flaw Microsoft patched last week.
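Hypponen’s account above (automated systems filed the Flame files as clean, and with so few reports nobody went back to them) and the Naid case describe the same failure mode: an AV verdict is a point-in-time answer, and a sample repository that never re-scans its old “clean” entries cannot benefit from anything learned later. The following is an added example, not code from the article or from any AV vendor; it models a toy sample store with an intake scan, a retro-hunt pass that re-scans stored samples against the current rule set, and an age-based review queue that surfaces old low-prevalence “clean” verdicts. All rule names, byte patterns, years and sample files in it are constructed for illustration.

```python
# Added example, not the article's or any vendor's code: a toy sample repository
# showing why a point-in-time "clean" verdict must be revisited.
# All rule names, byte patterns and sample files below are constructed.
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Sample:
    sha256: str
    first_seen: int          # year first submitted (simplified timeline)
    reports: int             # number of submissions seen so far
    content: bytes
    verdict: str = "clean"
    verdict_at: int = 0      # year the current verdict was assigned


@dataclass
class SampleRepo:
    samples: dict = field(default_factory=dict)   # sha256 -> Sample
    rules: dict = field(default_factory=dict)     # rule name -> compiled byte regex

    def add_rule(self, name: str, pattern: bytes) -> None:
        self.rules[name] = re.compile(pattern)

    def scan(self, content: bytes) -> str:
        """Return the first matching rule name, or 'clean' if nothing matches."""
        for name, rx in self.rules.items():
            if rx.search(content):
                return name
        return "clean"

    def ingest(self, content: bytes, year: int, reports: int = 1) -> Sample:
        """Automated intake: scan once on first sight; later sightings only bump the counter."""
        h = hashlib.sha256(content).hexdigest()
        s = self.samples.get(h)
        if s is None:
            s = Sample(h, year, reports, content)
            s.verdict, s.verdict_at = self.scan(content), year
            self.samples[h] = s
        else:
            s.reports += reports
        return s

    def retrohunt(self, year: int) -> list:
        """Re-scan every stored sample against the current rule set.

        Returns (sha256 prefix, old verdict, new verdict, first_seen) for each
        sample whose verdict changed: what the repository already held but had
        filed as clean."""
        changed = []
        for s in self.samples.values():
            new = self.scan(s.content)
            if new != s.verdict:
                changed.append((s.sha256[:12], s.verdict, new, s.first_seen))
                s.verdict, s.verdict_at = new, year
        return changed

    def stale_clean(self, now: int, max_age: int) -> list:
        """Analyst review queue: 'clean' verdicts at least max_age years old,
        regardless of prevalence, so low-report samples are not left unexamined."""
        return [s for s in self.samples.values()
                if s.verdict == "clean" and now - s.verdict_at >= max_age]


def demo() -> dict:
    repo = SampleRepo()
    # A commodity-malware rule already exists at intake time (constructed).
    repo.add_rule("Adware.Generic", rb"BUYNOW_TOOLBAR")
    # Constructed samples: a noisy adware file and a quiet, unknown one.
    noisy = b"MZ...BUYNOW_TOOLBAR..."
    quiet = b"MZ...\x00QUIET_MARKER_7f\x00..."
    repo.ingest(noisy, year=2010, reports=50_000)
    q = repo.ingest(quiet, year=2010, reports=3)
    verdict_2010 = q.verdict                      # "clean": it matched nothing
    # 2012: a rule for the quiet family finally exists. A fresh submission would
    # be caught, but the stored copy keeps its 2010 verdict until re-scanned.
    repo.add_rule("Targeted.Quiet", rb"QUIET_MARKER_[0-9a-f]{2}")
    before = repo.ingest(quiet, year=2012, reports=1).verdict   # still "clean"
    queue = [s.sha256[:12] for s in repo.stale_clean(now=2012, max_age=2)]
    changed = repo.retrohunt(year=2012)
    after = repo.samples[q.sha256].verdict
    return {"quiet_sha": q.sha256[:12], "verdict_2010": verdict_2010,
            "before_retrohunt": before, "review_queue": queue,
            "changed": changed, "after_retrohunt": after}


if __name__ == "__main__":
    print(demo())
```

The two mechanisms address the two halves of the failure: `retrohunt` turns new knowledge (a rule written in 2012) into verdicts on material received in 2010, and `stale_clean` is the policy Hypponen says was missing, a periodic second look at old “clean” samples that is triggered by age rather than by report volume, so that a sample seen only three times is not ignored forever.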

Follow @CSO_Australia and sign up to the CSO Australia newsletter.