How Antivirus Software Can be the Perfect Spying Tool

Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.

Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Whether they are personal files or work documents, the antivirus has access to them all, which allows it to work as needed.

We do expect a security product to work in this manner, as most of them have been designed to scan all files on the system to detect any possible threats, and we accept this behavior as being part of our computer’s protection mechanism.

What if the very same features that are meant to protect us from threats become the threats themselves? Would it be possible for an antivirus application to be used as a spying tool, to flag documents of interest and exfiltrate them instead of keeping our files safe? The answer appears to be “Yes!”

“In order for AV to work correctly, it has to be plumbed into the system in such a way that it can basically see and control anything the system can do. Memory allocation, disk reads and writes, communication, etc... This means that it is essentially in the middle of all transactions within the OS. Therefore, it makes a pretty good candidate for take over and compromise,” Jason Kent, CTO at AsTech, told SecurityWeek via email.

In some cases, the data exfiltration, which is legitimate behavior, could result in unintended leakage, as would be the case with security programs that upload binaries to cloud-based multiscanners like Google’s VirusTotal. In an attempt to better assess whether files are malicious or not, these security tools end up leaking data if the analyzed files are accessible to the multiscanner’s subscribers.

But what if your antivirus was intentionally turned into a tool that could spy on you? Would that be possible without modifying the program itself? According to security researcher Patrick Wardle, it is possible.

To prove this, and using the "Antivirus Hacker's Handbook" (Joxean Koret) as the basis for an experiment, he tampered with the virus signatures of Kaspersky Lab’s Internet Security for macOS, modifying one of them to automatically detect classified documents and mark them for collection. By modifying signatures instead of the antivirus engine, he didn’t alter the security application’s main purpose.

Wardle conducted his experiment on a Kaspersky product for an obvious reason: last year, reports suggested that the Russian-based security company’s software had been used to steal classified documents from a National Security Agency (NSA) contractor’s computer. The contractor took home sensitive data, including NSA exploits, and was apparently targeted by hackers after a Kaspersky product on his home computer flagged the files as malicious and sent them to the company’s server for further analysis.

In December 2017, the NSA contractor, Vietnam-born Nghia Hoang Pho, agreed to plead guilty to removing and retaining top-secret documents from the agency. Last week, another NSA contractor agreed to plead guilty after being accused of hoarding around 50 terabytes of NSA data and documents in his home and car over a 20-year period.

In September 2017, the United States Department of Homeland Security (DHS) ordered government departments and agencies to stop using Kaspersky products due to concerns regarding the company’s ties to Russian intelligence. Last month, Lithuania said it would ban Kaspersky Lab's products from computers managing key energy, finance and transport systems due to security concerns.

The anti-virus maker has continually denied any connections to the Russian government and even launched a new transparency initiative to clear its name. In December, the company sued the U.S. government over the product ban.

So far, no evidence has been presented that shows any inappropriate connections between Kaspersky Lab and the Russian government.

In a technical analysis published last year, Kaspersky suggested the report might be referring to a 2014 incident where its antivirus worked as intended by flagging what appeared to be suspected Equation malware source code on a personal computer. The company said it had deleted the files from its servers but couldn’t confirm the NSA contractor was involved in the incident.

What Wardle decided to do was to find out whether the Moscow-based security company’s products can indeed be used to flag and exfiltrate classified documents. He successfully managed to modify a signature for his security product, despite the complex process Kaspersky employs for updating and deploying virus signatures onto the users’ computers.

And while he made the modifications locally, his experiment demonstrated that it is indeed possible to abuse anti-virus programs to spy on users. With modified signatures, antivirus programs can become “the absolute perfect cyber-espionage collection” tools. And this isn’t true only of Kaspersky’s products.

“Of course if an anti-virus company wanted to (or was forced to) they'd simply deploy a new signature likely to select clients (targets), in order to persistently detect such documents […]. I am confident without a doubt that any anti-virus product with collection capabilities could arbitrarily collect (exfiltrate) files flagged by their product,” Wardle noted.

The file collection capability is, of course, designed to support legitimate functionality of the product. Thus, for an antivirus product to become a spying tool, it would have to have an actor with malicious intent behind it.
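One way a defender could review that collection capability is to look at what the product queued for cloud submission and separate code from documents. The sketch below is an added example, not code from the article, from Wardle or from any vendor; the queue format, paths and detection names are constructed assumptions.

```python
# Added example: audit files an antivirus queued for cloud submission.
# The queue format and every entry below are constructed for illustration.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
DOCUMENT_MAGIC = {
    b"%PDF-": "PDF",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy Office)",
    b"PK\x03\x04": "ZIP container (OOXML/ODF)",
    b"{\\rtf": "RTF",
}

def classify(head: bytes):
    """Return (kind, label) from a file's leading bytes."""
    for table, kind in ((EXECUTABLE_MAGIC, "executable"), (DOCUMENT_MAGIC, "document")):
        for magic, label in table.items():
            if head.startswith(magic):
                return kind, label
    # Plain text has no magic number: treat fully printable data as a document.
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "document", "plain text"
    return "unknown", "unrecognized"

def audit_queue(queue):
    """List queued files that are documents: candidates for review, not a verdict."""
    findings = []
    for entry in queue:
        kind, label = classify(entry["head"])
        if kind == "document":
            findings.append((entry["path"], label, entry["detection"]))
    return findings

def document_only_detections(queue):
    """Detection names that queued nothing but documents, sorted."""
    kinds = {}
    for entry in queue:
        kinds.setdefault(entry["detection"], set()).add(classify(entry["head"])[0])
    return sorted(name for name, seen in kinds.items() if seen == {"document"})

SAMPLE_QUEUE = [  # constructed entries: path, detection name, first bytes of file
    {"path": "/Users/a/Downloads/setup.exe", "detection": "Trojan.Constructed", "head": b"MZ\x90\x00\x03"},
    {"path": "/Users/a/Documents/report.pdf", "detection": "Sig.Constructed.1234", "head": b"%PDF-1.7\n"},
    {"path": "/Users/a/Documents/notes.txt", "detection": "Sig.Constructed.1234", "head": b"Meeting notes\n"},
    {"path": "/Users/a/bin/tool", "detection": "HEUR.Constructed", "head": b"\xcf\xfa\xed\xfe\x07\x00"},
]
```

A detection name that only ever queues documents is worth a question to the vendor, since documents can be legitimately flagged (malicious macros, exploit PDFs) but also carry user data.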

“A malicious or willing insider within any anti-virus company, who could tactically deploy such a signature, would likely remain undetected. And of course, in a hypothetical scenario, any anti-virus company that is coerced to, or is willing to work with a larger entity (such as a government) would equally be able to stealthily leverage their product to detect and exfiltrate any files of interest,” Wardle concluded.

The researcher’s findings aren’t surprising and Kaspersky themselves said last week that “any malicious actor who gains administrative access to a computer could theoretically engage in file searching activity on the computer or subvert almost any application running on it (which is the type of activity that Kaspersky Lab products are designed to detect and prevent).”

SecurityWeek contacted Kaspersky for comment, but they redirected us to last week’s statement, saying that that is their official position.

Security experts contacted by SecurityWeek for perspective agree that antivirus products could potentially be used for nefarious purposes, if a malicious actor was involved. While the general consensus is that users wouldn’t even know if their antivirus was spying on them, it doesn’t mean that antivirus companies engage in such practices. Only that it would be possible to use their products in such a manner.

“AV vendors must be very careful to ensure they are never compromised. Imagine if I could control all of the AV installations at an enterprise. It would be possible to make all of those machines participate in a botnet or use the AV system to load additional code, such as Ransomware. This is conceptually possible as the engine and signatures are designed to be changed via an update process. Compromise there would be a very interesting thing for sure,” Kent told us.

Chris Morales, head of security analytics at San Jose, California-based Vectra Networks, agrees that antivirus products could be manipulated to find and exfiltrate sensitive documents. He also agrees that this could be the act of a malicious or willing insider at any antivirus company.

“AV vendors, as do many security vendors who perform malware scanning on the network and endpoint, have administrative level access to systems to scan files for malicious code. This scanning engine could be manipulated to look for sensitive documents and then upload them to the cloud analysis engine. This would most likely be someone at the vendor with malicious intent,” Morales told SecurityWeek in an emailed comment.

“Security vendors who perform cloud based analysis have to walk a very thin line and it is important that these vendors implement the proper controls to ensure they do not create the security hole for customers. I would say most vendors do a very good job of ensuring their processes are secure and would not cause a problem for the client. This does mean there is a level of trust in security vendors that clients need to validate and should be asking for a description of how their detection processes work,” Morales continued.

Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based threat protection firm, told SecurityWeek that it is a known fact that “Kaspersky is not the only tool that’s built into enterprises to be used against themselves for the fortunes of malicious intent.” Over the past couple of years, several endpoint detection tools have been revealed to have issues identifying problems and to include management techniques that can be turned against enterprises.

“So, yes, Kaspersky software can be used against the intended targets, we have established that. The mechanism is there, however, the INTENT is the issue. The analysis into IS it being used against organizations is the factor that is obviously in dispute. Late last year, the UK took the step to warn all agencies against deploying Kaspersky. The US has already taken that step, but in all honesty, IF we were to look at the plethora of endpoint detection/manipulation/management tools out there, we’d better remove 50% of them for the same insecurities and inabilities to protect the very end-users we’re trying to save,” Roberts says.

He also points out that most security software out there requires access to everything stored on a computer, not only one single product. “The others all being carefully kept out of the news in the hope we don’t all suddenly wake up and realize that everything designed to keep us safe is also designed to access our darkest secrets… and scour them for whatever we hope it’s meant to be finding… or what it WANTS to find,” Roberts continued.

Of course, there’s no proof that an antivirus program has been used for malicious intent, although it is clear that they could be used in such a manner. As Wardle puts it: “Please avoid jumping to the conclusion that this [is] something Kaspersky, or any other anti-virus company actually did!”

Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services, and there is no public evidence to suggest otherwise. Unfortunately for the Moscow-based security company, this is a result of the effect of geopolitics on cybersecurity.
