How Antivirus Companies Handle State-Sponsored Malware

Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus companies have previously done this for corporate malware.)

My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies. So while the NSA could certainly pressure McAfee or Symantec -- both Silicon Valley companies -- to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech). And the governments of Russia, Finland, and the Czech Republic will have comparable problems.

Even so, I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.

Up until this moment, only a handful of the vendors have replied ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.

Posted on December 2, 2013 at 6:05 AM • 72 Comments

Comments

JeremyDecember 2, 2013 6:27 AM

But what about silent signatures? What about Microsoft (they do helpdesk and security solutions too)?

Nicholas WeaverDecember 2, 2013 7:04 AM

There is also another problem: In order for malcode to be whitelisted by an AV program, there must be a way of describing it to some AV vendors in order to whitelist it.

If you can describe what to whitelist, you run the risk of the non-cooperative AV companies discovering that aspect for their blacklist.

Far easier to just use the ton of evasive tricks available to disguise malcode.

Vadim LebedevDecember 2, 2013 7:08 AM

Another question comes to mind: Given NSA's efforts to intercept everything, one obvious method to achieve this goal, is to
pressure CA's for copies of their private keys (in the same style as FBI pressured Lavabit). I'm in great doubt that an outfit like Verisign will follow Lavabit's example and prefer ceasing operations to surrendering their private keys.
So the question is basically: Should we consider all certificates signed by US based CA's as compromised and prone to MITM attack?

Larry SeltzerDecember 2, 2013 7:18 AM

I suggest that the sheer number of credible players in the antivirus market is a meaningful impediment to any meaningful attempt to subvert them.

AdamDecember 2, 2013 7:29 AM

But how can they "not comply"? If a secret court order compels them to remove or break detection of a certain kind of software, then what choice do they have? I doubt they'd fall on their own sword like some email providers did.

ZenoDecember 2, 2013 7:34 AM

Unfortunately there's always the possibility to buy a company, so that it becomes US-based and has therefore to bend to pressures of NSA.
Seen with Skype and Nokia just to mention a few.
I wouldn't be surprised to see Kaspersky Labs, F-Secure and Avast bought by some US company soon.

AspieDecember 2, 2013 7:38 AM

Does third-party AV software audit OS vendor code as well?

@Vadim
I agree, Verisign has made some bad calls in the past but they're probably "too big/crucial to fail" so they'll likely toe any govt. line they're given.

I think others have mentioned this but cannot individuals issue their own certs and upload them to an impartial central server?

AutolykosDecember 2, 2013 7:52 AM

I wouldn't assume the AV vendors are lying. It is in the best interest of secret services to limit the distribution of their tools as not to burn the precious exploits they've used. AV vendors are pretty much the very last people they'd like to know of these exploits. Even if they won't publish it, they will use the knowledge gained in their product, and others will learn from this (if only by employees getting hired by a competitor).

Bob S.December 2, 2013 8:10 AM

Define: Malware.

IF the AV company defines anything from a major corporation as "goodware" that leaves a door wide open.

Also, if the AV or firewall program logs all your connections (and who knows what else?) and reports them back to the mother ship every ten minutes is that malware or just SOP good code?

We all know some big name corporations out there whose products are very invasive, yet they pass the AV membrane with ease.

wtpayneDecember 2, 2013 8:13 AM

I used to work for Sophos (a number of years ago).

From what I know (which is admittedly both limited and outdated) there is no conceivable way that they would have collaborated with a government-sponsored malware program.

Sophos put an extraordinary premium on their credibility with their customers, and placed a huge store of value on their reputation and professionalism.

Playing silly buggers like this would risk throwing their entire business away, so I cannot imagine *anything* short of a literal gun to the head that would persuade them to collaborate in such a dubious enterprise.

Robert FritzDecember 2, 2013 8:30 AM

From 2001: An interesting instance of FBI-sourced malware. Largely AV companies said "no" they wouldn't make an exception.

Perhaps one exception:
Here's a quote from an AP article: "Bridis reported that Network Associates (maker of McAfee anti-virus products), had contacted the FBI following the press reports about Magic Lantern to ensure their anti-virus software would not detect the program.[9] Network Associates issued a denial, fueling speculation as to which anti-virus products might or might not detect government trojans."

Man in BlackDecember 2, 2013 8:31 AM

It's interesting to see that those American AV companies have yet to reply ...

John CampbellDecember 2, 2013 8:56 AM

@wtpayne ("Sophos put an extraordinary premium on their credibility with their customers, and placed a huge store of value on their reputation and professionalism.")

What about their share-holders? Most corporations these days are more interested in pleasing their share-holders (which, frankly, is less likely to work when institutional investors get above a currently undetermined percentage of ownership) rather than their customers (think "IBM", Verizon and others).

Bob S.December 2, 2013 9:09 AM

@MiB

re:"American AV companies have yet to reply..."

True and suspicious for certain.

SO, if offshore AVs pick up a malware that USA code does not that would be the smoking gun.

No?

HJohnDecember 2, 2013 9:19 AM

Perhaps a reasonable countermeasure would be to use multiple antivirus programs. One domestic, one foreign.

Running two real time protection programs would be overkill, and could lead to conflict. But running periodic scans with an anti-virus program other than the real time protection program may not be a bad idea. Would give a bonus benefit of detecting if the real time protection is missing threats.

Who knows, this may be a way to detect NSA snoopware. If programs are, hypothetically, consistently caught by AVAST but not by McAfee.

Man in BlackDecember 2, 2013 9:21 AM

@Bob S.

Too many secrets and no one can be honest anymore. Thwey're probably not going to answer because of their trust model. "We never said we didn't ..."

If I have multiple computers in a test lab, I'd want to diversify my AV in there to see if something hits my network, do only American AV products not pick it up?

kurt wismerDecember 2, 2013 9:25 AM

not only have the questions being asked now already been answered long ago, to my mind they're also the wrong questions to be asking.

complicity doesn't have to take the obvious form. try being a little more creative. (and while we're at it, note that mcafee is in bed with a company that has written government malware)

here's something i wrote a month ago examining the question of AV's complicity in government spying.
http://anti-virus-rants.blogspot.com/2013/11/av-complicity-explained.html

Gerhard ZieglerDecember 2, 2013 9:25 AM

Maybe the AV companies will not do anything evil.
But what about employees of whom the NSA knows all their little dirty secrets, their love affairs and here and there smoking pot, what so ever.

This is not a perfect world: most people can be blackmailed in varying degrees. And this is the core of this infamous mass surveillance. You will always find an insider which can be blackmailed and forced to deliver secrets, which will extend the reach of surveillance and the power to do harm

And I don't think any company can protect their data completely against insiders.

Not even the NSA.

jonesDecember 2, 2013 9:30 AM

This has been addressed before with respect to the FBI's Magic Lantern:

"In this article on Declan McCullagh's Politech, Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.'"

http://slashdot.org/story/01/11/28/173201/symantec-will-not-detect-magic-lantern

The Slashdot article links to this:

"Symantec pledges to acquiese to FBI backdoor demands"

http://www.politechbot.com/p-02851.html

which links to this article (which is no longer online):

https://web.archive.org/web/20011129060308/http://www.theregister.co.uk/content/55/23057.html

MSNBC quotes unnamed sources who says that Magic Lantern could be sent to a target by email or planted on a suspect's PC by exploiting common operating system vulnerabilities.

Although unconfirmed, the reports are been taken seriously in the security community, and are consistent with the admitted use of key-logging software in the investigation of suspected mobster Nicodemo Scarfo. In that case, FBI agents obtained a warrant to enter Scarfo's office and install keystroke logging software on his machine.

...

"If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it - we wouldn't detect it," said Chien. "However we would detect modified versions that might be used by hackers."

BPDecember 2, 2013 9:33 AM

Well, I've been griping for a while. But I just added on a noscript addon to chrome. So it noted that you need to put a password in your google profile and told you how to get your profile. So I put the profile into the google browser bar and it took me to Google's competitor's website, Blekko and there wasn't anything much on the page, but it did note Ashburn Va. So naturally, I have to question why my Chrome profile to me to Google's competitor's site Blekko and what in blazes was this profile taking me anywhere but to my own. Then up popped the Bing Toolbar with a term I've never used "The Arrowhead murder". Naturally, my mind wants to connect all these dots, but isn't Arrowhead one of those spy programs.
Actually it's quite humorous because the blekko page shut down pretty fast and then all I got was a OOPS we're working on the problem from the gekko page. I never heard of Blekko until today.

unusedRabbitDecember 2, 2013 10:08 AM

F-Secure sold F-Prot to Commtouch, supposedly based in Iceland, in 2012. No mention of F-Prot or Commtouch on the list, perhaps in any future exercise they could be added. Sorry if I'm mistaken or misreading.

EsurnirDecember 2, 2013 10:12 AM

If you were the NSA wouldn't you run your malware passed every single commercial anti virus anyway to check if they are able to detect it?

Non detection is likely part of the requirement before it leaves the lab anyway, no government would be dumb enough to let a virus out that could be detected in half a second.

Aol-loveDecember 2, 2013 10:33 AM

Maybe this is too obvious or paranoid, but it seems more likely that antivirus programs themselves would carry malware or back doors to enable their host government spy agencies to use them for their purposes.

Bill McGonigleDecember 2, 2013 10:51 AM

What's the distribution of AV in the marketplace? Especially given Microsoft Security Essentials, but also Symantec and McAfee - I'd guess the US companies own greater than half of the market, and presume that it's more like three quarters. Would the NSA give up an opportunity to target two thirds of desktops worldwide? Especially with their spearfishing attacks they don't need broad coverage.

kurt wismerDecember 2, 2013 11:08 AM

@unusedRabbit

f-secure never sold f-prot. it wasn't theirs to sell. they used to license scanning technology from f-prot a long time ago, but that's as close as the relationship got.

@Bill McGonigle

if they don't get agreement from everyone then they risk a niche AV vendor making a big PR splash when they spot it and alert the world. not unlike what happened with stuxnet.

NobodySpecialDecember 2, 2013 11:16 AM

So the conclusion is that if you are an American concerned about their constitutionally guaranteed freedom make sure you buy your anti-virus from the Russians !

Chris GreenDecember 2, 2013 11:18 AM

Non-Detection doesn't seem to be a huge issue in the criminal world. I would expect it to be much less of an issue in the state-sponsored world due to smaller deployments.

I would strongly suspect they are more likely to target AV product implementations. Software that opens a large number of obscure formats for analysis is a good target.

CallMeLateForSupperDecember 2, 2013 11:56 AM

I see here a lot of discussion centered on detecting/not detecting, and in the OP's quote, "...never received a request to not detect".

But maybe the wrong question was asked/answered. What if those companies are free to DETECT said malware as long as they don't REPORT detecting it? I'm thinking of the old trick that every politician knows: If you don't like the question that was asked then answer a different question.

Repeat after me: "Words matter."

CraigDecember 2, 2013 12:30 PM

For all your crypto credentials Bruce, you seem ludicrously naive when it comes to the practicalities of security and software.

BuckDecember 2, 2013 12:34 PM

Poorly... complicit or otherwise.

http://www.symantec.com/connect/blogs/symantec-investigates-possible-leak-norton-antivirus-source-code
(January 9, 2012)

A.V. products would be prime targets for state-sponsored and big-basement attackers alike. Depending on the jurisdiction, the approach may be altered a little bit, but I'd imagine for companies doing business in the U.S., a simple secret court order demanding source code in the name of national security should suffice.

I feel like many of these tech companies are setting some dangerous precedents by being so compliant with such broad orders. Traditional notions of trade secrets & subpoenas for 'business records' are being shattered right before our eyes.

Whiskers in MenloDecember 2, 2013 12:50 PM

Where does a man on the middle attack sit in this. We all see AV updates, is the update a true update? All it has to do is fiddle with IP addresses to fetch false AV software updates. It can proxy a side door.

Time to burn some tools on a DVD set.

GeeksBargainDecember 2, 2013 1:02 PM

Gee, I wonder if Comodo Internet Security is govt-malware friendly.
And what if corporations like RedHat or Canonical agreed on co-op with govts they belong to..?
Ubuntu is getting more privacy-unfriendly, though, which makes me sad. It could be turned into huge rootkit soon, if community won't fight back.

Clive RobinsonDecember 2, 2013 1:22 PM

As we know the likes of the NSA have "signed updates" with supplier signing keys, it's reasonable to assume that they can do the same with AV updates as well...

So the NSA don't have to ask the AV companies, they just have to know how each AV companies product works, or doesn't.

Long before Ed Snowden released some of his trove of NSA /GCHQ documents people knew that AV was ineffective as a solution to Malware and were sayaing so. Likewise people had highlighted the weaknesses in "code signing".

Basicaly why give the likes of the NSA credit for others stupidity?

jdgaltDecember 2, 2013 1:29 PM

I would be surprised if the chip makers haven't been building back doors into CPUs for decades. It would be easy enough to do -- those mask designs are both astronomically complex and company confidential, and I don't know of any potential peer reviewer who can't also be bullied by the agency involved.

Jesse JamesDecember 2, 2013 2:14 PM

I do not think NSA has to worry that much about anti-virus software. They have probably worked with Microsoft et al to use the platforms themselves (their OOB services and such) to help facilitate their eavesdropping.

Brandioch ConnerDecember 2, 2013 2:23 PM

@Esurnir

If you were the NSA wouldn't you run your malware passed every single commercial anti virus anyway to check if they are able to detect it?
That was my thought as well. Remember that we're talking about an agency with, literally, millions of dollars to spend. Buying a few copies of of the various products is probably not beyond their budget.

Also, if it were up to me I'd be trying to find ways so that the anti-virus app appears to be running and updating but is really referencing an outdated virus signature file.

Or, in stand-alone implementations, replace it completely except for the icon.

The key question is how do YOU really KNOW that your anti-virus is running correctly and updating correctly?

Then you can ask whether the updates include virus signatures for governmental/commercial/other "malware".

That's why I prefer a completely different approach.

SimonDecember 2, 2013 2:43 PM

@BP Assuming you're not a troll, you seem to be suffering from paranoia. Whilst a healthy amount of paranoia can be a good thing in security, I get the impression you have crossed that line into the realm of mental health issues. You should seek professional help.

NobodySpecialDecember 2, 2013 3:06 PM

@Brandioch Conner - except this is the government so they probably approached Kapersky labs with a 50page official government supplier application before they bought the software.

anonDecember 2, 2013 3:13 PM

Regarding Sophos,
They are very coy about having a "lawful intercept" company within the Sophos Group.
http://en.wikipedia.org/wiki/Sophos
"In July 2009, Sophos completed integration of Utimaco Safeware AG."

https://hsm.utimaco.com/en/ Not on the webpage, but in the source code:
Utimaco: A member of the Sophos Group
http://lims.utimaco.com/fileadmin/assets/brochures_datasheets_whitepapers/UTIMACO_LIMS_DATASHEET_EN.pdf

I'd say there was a conflict of interest.

Take Mcaffee and Symantec, both (and some others) have a "report back every url you visit" feature - potentially gifting all your browsing to who knows. Many A/V vendors offer a toolbar which just happens to do a similar thing. This is on the paid versions, not just the free offerings and tend to be installed on a "default" install - which most users tend to do.


Ian FarquharDecember 2, 2013 3:26 PM

Good to see reminders about Magic Lantern and Symantec and McAfee's (craven) public statements at the time.

I think Bruce's analysis misses the fact that US providers of AV software are disproportionately used by US individuals and corporations. Consequently, there would still be value in leveraging those companies for malware used in domestic surveillance.

I think we all need to start asking questions about the rational basis for trust in any product from any commercial organization. We need to start doing what the spooks themselves do: assuming the red threading of equipment, and building defence in depth architectures from multiple national blocs to defeat them.

The key to this would be minimizing the possibility for covert channels, but rational risk management is better than blind faith.

Dirk PraetDecember 2, 2013 5:30 PM

I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government.

What would also really help is that companies issuing RFQ's or RFP's for such software demand that their vendors/distributors sign a very strong and unequivocal statement contained in the RFQ/RFP that they are not doing, have not done or ever will do anything of the kind, even if they are asked or coerced by law to do so. Failing to do so excludes the vendor from bidding or undeniable proof to the contrary at whatever time voids the contract and carries with it heavy penalties.

This practice makes total sense and since June is slowly taking off all over EMEA and other non-US regions, not only for software but also for (cloud) services and hardware products. The only way to force companies to fight back against their government and IC community is by directly impacting their revenue baseline and upsetting their shareholders. And it is already happening as we speak, judging from Cisco's serious revenue drop in emerging countries over the last quarter.

Nick PDecember 2, 2013 6:21 PM

@ Brandioch Conner, Esurnir

I agree. Standard practice for malware developers for years has been to test their wares on many AV software before deployment. At one point this was done with VirusTotal for convienence until they said they were turning over their samples to all the AV companies they work with. Early on, there were even "warez" (illegal) copies of most AV software and some of their signature updates. One way or another, a certain amount of testing could happen if anyone wanted to be sure of stealth/effectiveness.

So, would the NSA be doing that? Well, NSA's success without much notice pre-Snowden indicates they're quite professional and careful. So, I'm sure enough that they do AV tests to near certainty b/c we'd be catching their malware (plus 0-days) left and right otherwise. I expect the establishment also has internal copies of common OS deployments to ensure the results of tests are similar to field deployments. Quality assurance activities are as beneficial in underground activities as they are in more legit work.

@ NobodySpecial Re Kaspersky

They're Russian and Eugene Kaspersky is suspected of being close to Russian intelligence/police. So, Russians are the main concern if you're using *that* product.

NobodySpecialDecember 2, 2013 9:49 PM

@Nick P - exactly my point. You have to decide if you are more concerned about the IRS or KGB2 having access to your machine.

If you are a typical American it is unlikely the Kremlin is all that interested in your online gambling or undeclared out-of-state Amazon purchases.

PaulDecember 2, 2013 10:28 PM

It seems to me more likely that the government would research advanced AV evasion techniques. Would it be possible to create an app that recompiled itself continuously to always look different?

65535December 3, 2013 1:02 AM

This post is interesting. But, it brings up more questions than answers. I initially agreed with Bruce:

“My reasoning [that antivirus companies do not collude with the NSA] is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies... the NSA could certainly pressure McAfee or Symantec -- both Silicon Valley companies -- to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech).”

But reading the comments I am not so sure. The NSA is huge and powerful. There are inexplicable items which don’t reconcile with the above conclusion.

1. VirusTotal indicates that there are about 47 antivirus (AV) scanners. Yet, Bits of Freedom queried approximately 17 companies. Why not query the total universe of AV companies?

I do realize that VirusTotal doubles up on scanners such As McAfee and McAfee-GW-Edition causing a larger sample. But, I don’t see the reconciliation of the 17 companies queried by Bits of Freedom and the 47 total AV scanners on the market (17/47 = 36% of total scanners). What is reason?

2. If the 17 companies queried by Bits of Freedom represent the majority of AV companies it would appear the universe of AV companies is quite small and could be influenced by a huge organization such as NSA. Worse, it appears that only six companies responded – mostly being foreign companies. None, of the American companies – except Trend Micro – responded. The lack of response of the American companies brings suspicion upon them.

3. These seventeen companies seem to be heavily weighted toward NATO countries. These companies could be influenced by NATO security agreements, trade agreements, and a host of import, tax, and law enforcement regulations. The non-NATO companies such Kaspersky are to some degree influenced by said regulations. In essence these 17 companies could be manipulated.

4. The word game seems to have creped into the picture. Any software maker of “legal law enforcement interception” software could be deemed as legitimate software (i.e., CALEA software).

Take a careful look at ESET response and you will see it is cleverly worded to acknowledge finding government spyware but doesnt say how quickly it cleaned it up or how they knew it was from the government - and hinges on the term “malware” instead of “lawful” interception software:

[ESET]

“There are instances where we know we detected malware alleged to be used by government agencies, since after the fact it becomes known that this was the purpose, for example the W32/R2D2.A Trojan mentioned in the links…”

That is a broad confusing statement. It leaves a lot of wiggle room. I note that ESET only commented directly on one piece of malware – but what about the rest?

@ Adam
“But how can they "not comply"? If a secret court order compels them to remove or break detection of a certain kind of software, then what choice do they have?”

Good question. With the FISA court and the CALEA law I don’t see how AV companies can reveal so called “legal law enforcement” requests. The officers of a company like Microsoft (a maker of AV software) can be held in contempt of court and jailed. The same is true of AV manufactures within USA jurisdiction.

@ Zeno
“Unfortunately there's always the possibility to buy a company, so that it becomes US-based and has therefore to bend to pressures of NSA. Seen with Skype and Nokia just to mention a few.”

I agree. These companies could be partially owned by the NSA and manipulated. Or, the many laws regarding taxation, importation, munitions laws, “lawful interception” and so on could be used to influence them.

@ Aspie
“Does third-party AV software audit OS vendor code as well? @Vadim I agree, Verisign has made some bad calls in the past but they're probably "too big/crucial to fail" so they'll likely toe any govt. line they're given.”

That is an unpleasant thought – although it may be true. The AV software touches about every file upon the user's system. Next, the OS has control of most files on the system. The last big piece of software is the User Agent (or browser) and it controls a huge amount of information in and out of the individual box.

@ Bob S.
“Define: Malware.”

Exactly! The average user would define it as anything that spies or interferes with his/her machine or is used in a hostile manner against the user. The NSA and the CALEA laws would say that software made to “lawfully intercept, key log or help prevent crime” is legitimate software. That is the word game or labeling problem.

@ Man in Black
“It's interesting to see that those American AV companies have yet to reply.”

Yes, it draws suspicion upon American companies – except Trend Micro who did respond.

@ jones. Your post shows that deception by AV makers does happen. The real question is how frequently.

@ CallMeLateForSupper. Yes, it’s the word game or labeling issue that can cause a huge disconnect between reality.

@ Buck
“Poorly... complicit or otherwise… I feel like many of these tech companies are setting some dangerous precedents by being so compliant with such broad orders.”

Yes, and Symantec AV is offer’d by major cable companies, for free, to their customers. Many cable customers only use Symantec. That is a lot of data mining.

@ anon
“I'd say there was a conflict of interest [between Utimaco and Sophos].”

That is a good example of a bad example. Utimaco is a know maker “legal interception” software who has paired with AV maker Sophos. Although, Utimaco has been sold I have seen cases where the sale doesn’t completely disconnect the owner from the company sold for years. The company sold may keep their customer list for a long time.

@ Dirk Praet
“What would also really help is that companies issuing RFQ's or RFP's for such software demand that their vendors/distributors sign a very strong and unequivocal statement contained in the RFQ/RFP that they are not doing, have not done or ever will do anything of the kind, even if they are asked or coerced by law to do so. Failing to do so excludes the vendor from bidding or undeniable proof to the contrary at whatever time voids the contract and carries with it heavy penalties.”

Good point. Bits for Freedom are doing a good service and I commend them. But, why hasn’t Bits for Freedom queried those companies who are known to make so called "lawful spyware" as to the number of RFQ’s or RFP’s for said software. Next, ask those same 'lawful spyware" companies the number of “lawful eavesdropping” software they have manufactured and distributed for the government? I praise Bits of Freedom for asking Microsoft about “malware” but how about CALEA style “lawful” software?

@ Nick P
"...Standard practice for malware developers for years has been to test their wares on many AV software before deployment. At one point this was done with VirusTotal for convienence until they said they were turning over their samples to all the AV companies they work with."

That’s an interesting point. Let’s take it one step further and ask VirusTotal if they have had sample spyware sent to them by any government intelligence agency - or may be just a known government intelligence contractors.

I would guess VirusTotal knows the IPs of the NSA and other governmental intelligence agencies. They may be in the position to out governmental spyware makers (assuming VirusTotal has not been pwnd).

@ Clive Robinson
“As we know the likes of the NSA have "signed updates" with supplier signing keys, it's reasonable to assume that they can do the same with AV updates as well...”

That is a nasty though – but it could be possible. If the CA’s the AV makers and OS makers (Microsoft and Apple) are in bed with the NSA and GCHQ anything is possible.

Say, a “legal” spyware kit is dropped a customer's machine by a AV up-date and then the OS is pwnd by an fake up-date with a “valid” signature by the government. At this point I would say the game is thoroughly rigged.

@BP
Chrome is disliked by a number of people. I had a client school district in the largest state in the country with multiple firewalls, deep-packet inspection and a powerful intrusion detection/filtering engine – yet their policy was to disallow Google Chrome, Google docs and about every other Google service except Google’s search engine. The reason was student confidentiality.

The amount of individual data that Google gathered was above their policy limit. You can read Google’s 10K reports and see that Google has been involved in a number of privacy lawsuits including government investigations.


FigureitoutDecember 3, 2013 1:30 AM

Who can even verify that the software got correctly installed or it really is that software if it is from the internet? People who pay for AV are suckers, no?

Would you trust them if they could? I seriously think we live in an unprecedented period of little to no trust. We haven't had nearly enough time to evolve so all our systems are totally out of whack.

AnonymousCowardDecember 3, 2013 2:42 AM

All the AV vendors are sourcing data from so called malware feed providers. That's were I'd place my whitelist.

RonKDecember 3, 2013 3:00 AM

@ Vadim Lebedev

The SSL CA infrastructure was never intended to be secure against national level protagonists. But never mind the NSA and their ilk... ever since the fiasco with DigiNotar I've run Certificate Patrol, since it seemed obvious to me that the DigiNotar attack could well have been accomplished by individual criminals or organized crime.

IngmarDecember 3, 2013 4:35 AM

I was baffled to find that Symantec Endpoint Protection (version 11 at least) had separate settings for mysterious things called "commercial keyloggers". My memory may fail me but I think the default actions were to ignore them. I resisted the urge to write them and ask what is the difference between good and bad keyloggers. I couldn't find such options in a later version, which kind of suggests that now the commercial stuff is simply ignored without even asking the user.

AutolykosDecember 3, 2013 5:01 AM

@Nobody Special:
Another point is the power behind those agencies, and what they feel they can get away with. Even in "neutral" countries, you're probably more likely to be V& by the CIA than by the FSB (if you piss them off sufficiently), and also much more likely to draw interest from the former (if you, for example, happen to be Muslim and have the wrong friends). The Russians aren't inherently more trustworthy, but they are probably much less dangerous.

Alain from SwitzerlandDecember 3, 2013 5:49 AM

@NobodySpecial
So the conclusion is that if you are an American concerned about their constitutionally guaranteed freedom make sure you buy your anti-virus from the Russians !

Somewhere in this long video that has been linked here before, Eugene Kaspersky says also, if my memory is correct, that Kaspersky AV for the US market is built from source inside the US by US employees...

AspieDecember 3, 2013 6:06 AM

@Figureitout

I agree about the questionable value of AV software. After all it was originally a retroactive patch to attenuate poor system design. It clearly gained a lot of trust - unaccountably - which is why it's a useful target to cloak further mischief.

Clearly as complexity of a thing increases the number of people capable of evaluating its fitness for purpose drops, probably logarithmically. Either we become teams of experts in specific aspects of the machines we use and collaborate to cross-validate or we have to rely on trust.

As for hardware tampering - that's even less pleasant to think about. The only way to be personally sure there is to build your own system from parts that are simple enough that they aren't worth tampering with. This is why I'm working on a simple but very scalable hardware solution that's cheap - easy to extend and simple to audit.

One of the modern problems is interdependance. So many applications rely on little bits of this and a dash of that and the result is a labyrinth that has so many provenances it's hard to know where to start to evaluate it, or if indeed it's worth the effort.

saucymugwumpDecember 3, 2013 11:33 AM

Transparency International ranks Finland as #1 or thereabouts on its list of honest countries. AV-Test and AV-Comparatives have ranked F-Secure in the top three for a long time. And F-Secure announced back in 2001 that it is immune to influence from government and/or organized crime (see URL below). For that reason, F-Secure is my choice of vendor.

http://www.f-secure.com/en/web/labs_global/policies

Dirk PraetDecember 3, 2013 7:06 PM

@ 65535

I praise Bits of Freedom for asking Microsoft about “malware” but how about CALEA style “lawful” software?

It's a good thing that organisations like EFF, BoF and the like do their part in raising awareness about what's going on and what we can do against it, but ultimately it's the consumer who has to act on it. If a CSO based on a business impact analysis or other form of risk assessment decides that it is not in the organisations interest to have backdoored software, hardware or services, then one of the things he can do is to have this explicitly reflected in RFP's, RFQ's and the like.

However much certain nation states hide behind their own laws to claim that their spying on world plus dog is completely legal, they cannot impose their domestic laws on the rest of the world. Folks like Napoleon and Hitler eventually learned that lesson too. A Belgian or Mongolian company or government organisation is perfectly within its right to ask a foreign vendor to comply with its demands and criteria for a product/service. If these demands conflict with legal obligations imposed upon vendor by his government, then that's his problem, not the potential customer's. If the vendor suffers sufficient revenue loss from this catch 22, then he will have to choose between solving the problem or exiting the (foreign) market.

Huawei has recently opted for the latter in deciding to exit the US market. It would seem that their chairman has had it with years of accusations about cyberspying and has given up. I can easily see that quite some folks in Congress will be very happy with this, but it should also send them a stiff warning that sooner or later the same can happen to US companies in EMEA or APAC regions.

Clive RobinsonDecember 3, 2013 11:11 PM

@ Dirk Praet,

It appears that all is not 'hunky doory' in the States with regards the NSA and it's unlawfull behaviour. And thus some are planning to use State legislation to deny the NSA or for that matter any fedaral organisation "services" to federal facilities in their State by restrictive legislation,

http://www.usnews.com/news/articles/2013/12/03/some-nsa-opponents-want-to-nullify-surveillance-with-state-law

Whilst I doubt it will go anywhere (most places want the tax Dollar infusion such facilities bring) it does show that currently, atleast there is a level of domestic kick back against the NSA. Which in turn is going to cause headaches in Washington for all Federal government departments, which will no doubt cause issues for the NSA such is the joy and nature of turf wars.

But also it draws an unwelcome light on the fact that all major facilities have major security "achillies heals" when it comes to services. And that these can be exploited one way or another politicaly even by actavists.

History shows through "water rights wars" what can happen and within living memory the examples of the Berlin Air Lift, the British expulsion from Hong Kong and what the Russian's are currently doing with energy and China is doing with raw resources such as rare earth metals.

As any successfull military commander knows "securing your supply lines" is actually more important than actually fighting the enemy, and you cannot successfully advance without doing so. But importantly "the conduct of the troops under your command" can turn alies into enemies overnight so it's best not to carry out conduct that will upset those you have to rely on...

FigureitoutDecember 3, 2013 11:14 PM

Aspie
--Modern manufacturing techniques give me chills about even simple connectors, let alone any electronic device. Even the "simple" components have much complexity if you read any book about just transistors; a motherboard has all the components. This needs to slow down and get it right, it shouldn't be hard to detect malicious behavior. If you use a smartphone, you're contributing to the problem in my view; way too much tech and it's out of control.

Software production seems to me to even messier and programmers won't have time to fully understand the code w/ a middle-manager breathing down their neck, nested loops and if-statement conditions w/ pointers adding a counter to a linked list take time to physically follow by hand.

Too much subversion everywhere, you can't even easily get a device to begin developing a secure computer, it's already compromised.

BryanDecember 4, 2013 12:02 AM

On complexity of devices. Complexity can be managed. The thing is it takes building the system from the ground up in a manner that each component is able to be fully audited, and collections of components can be audited. Making reusable components will help allot with this. Yes, I'm thinking of object libraries and ALUs as components. At another level, a sort routine is also a component.

Clive RobinsonDecember 4, 2013 1:34 AM

@ Bryan,

    The thing is it takes building the system from the ground up in a manner that each component is able to be fully audited, and collections of components can be audited.

It's one method but it's fraught with problems.

The more traditional, reliable and easier EmSec / TEMPEST solution is to break a system into functional blocks and segregate and encapsulate the blocks and audit the interfaces betweeen segregated blocks.

The downside of such an aproach is it's clearly not "efficient", and people belive (incorectly) that you can use auditing and end up with a more efficient result.

The reality is in most cases that the audit due to complexity is defficient and only considers a tiny proportion of what should be covered. An example of this is time based covert / side channels as demonstrated by AES implementations. The algorithm was audited by the experts and found to be acceptable. However the rules of the competition did not give rise to implementations being audited for anything other than correctly funcioning speed or minimum gate count. The result of this speed optiimisation was cache hits created time bassed side channles that could be easily exploited to leak key information. And nearly all implementations of AES on systems with cache were suseptable to this problem.

It's the reason I say in most cases it's "Efficiency -v- Security" in the same way we talk about "Usability -v- Security".

They Want You 24/7December 5, 2013 7:06 AM

#BADBIOS - You Were Warned About This For Years!
http://slexy.org/view/s2BLnoBPxn

State sponsored rootkits and the failure of malware scanners
http://slexy.org/view/s2otvoDuKW

TL;DR: most antimalware programs are proprietary pieces of shit you can't see the code, but they can read (sorry, I meant scan, *cough*) all of your private files and some use the cloud so kiss your privacy goodbye.

Bob RobertsonDecember 10, 2013 8:38 AM

I wonder about the use of the word "asked". A government order is not "asking", it's "telling".

Tom Mullen January 3, 2014 2:25 PM

The post identifies AV vendors having "responded" to your questions. I'm interested in knowing what other AV vendors were "asked" and how were they "asked"?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..