Antiviruses and other software, Russian and beyond

(This is a rather old post translated to English by a friend, so keep it in mind while reading.)

Another wave of public discussions of Kapersky participation in Russian intelligence operations is emerging, in particularly in the context of stealing US classified documents and NSA software tools, which later got to “Shadow Brokers”, and eventually played role in WannaCry and NotPetya outbreaks.

My opinion on that is consistent: willingly or not, Kaspersky Lab was and is an asset of Russian intelligence. But I’d like to underline a different thing today. Regardless if Kaspersky was or wasn’t a part of their own government’s APT ops, using an antivirus for cyber-attacks and international espionage is awesome.

Firstly, technically this channel is super powerful. As I often told previously, running a process on a computer with unlimited permissions is a very doubtful idea from security architecture point of view. It can have access to any file or memory contents. Moreover, this process must digest a lot of different file formats. For those who don’t know what fuzzing is or why .pdf = Penetration Document Format I will simply tell that a lot of breaches happen because of errors in complex datatype parsers. So, we can only dream that after installing and antivirus the overall system security level will increase at all. (Those, for whom it is still not obvious, should subscribe for Tavis Ormandy on Twitter and to Google Project Zero blog). So what should we do, if we find out that people having access to antivirus updates and vulnerabilities are our enemies?

Secondly, antivirus functionality is complicated and its interaction with the operating system is even more complicated, and we never know for sure, which data they pass to their developers. Therefore, using antivirus for espionage opens enormous opportunities to deny involvement and defend against any accusation. This is a Plausible Deniability apogee. KAV caught some NSA tools on laptop and passed them to Moscow? But they looked like malware! (Which they in fact are). KAV did a keyword search on hard drive? But these words were part of “malware” samples! And so on, and so forth. Until Eugene puts his hands up and claims that he was hacked by GRU or FSB and he is also a victims of cyber espionage. Not taouching an old tradition of Russian special forces to have people on key positions in private companies. In this way they can deny anything and claim that particular employees were recruited directly, whilst the Board and the Management knew nothing.

What are the conclusions?

Simple and radical. You can’t use software and information tools provided by your enemy, created on the territory, controlled by your enemy, or by companies, employing people based on the territory controlled by your enemy. Therefore, rebranding of Laboratory of Kaspersky to Kaspersky Lab with fictitious migration of headquarters doesn’t change anything. Migration from Kaspersky products to products of other companies (Belarusian, Kazakh, Slovakian etc.) with “strong cultural connections” with Russian Federation, again, doesn’t change anything. Only full ban of information products, even intuitively traceable to the enemy, can decrease the risk.

However, even if you get rid of Kaspersky, uninstall 1C, delete account in Vkontakte and will not watch Kurazh Bambey voice overs, residual risk is inevitable. Because, last time I checked, all your friends and business partners used 1C, visited VK, and other Russian web sites.

Stay safe.