When I wrote the piece ‘Is the AV industry in bed with the NSA’, I concluded that on balance it probably is. I have no evidence. It’s just that I cannot believe that an organization complicit in developing and deploying its own malware, and able to ‘socially engineer’ RSA into doing its bidding, would leave AV untouched.
Obviously I spoke to people in the industry. In private conversation with one contact, while accepting his own protestations of innocence, I asked, “What about McAfee and Symantec?” He paused; but then said, “If I had to question anyone, those are the two names that would come to mind.”
I should say, again, that I have no evidence. It’s just doubts born out of the repetition of hyped-up statistics, frequently used by government to justify its actions, and what appears to be preferential treatment from government.
A couple of months later, the Dutch digital liberty group Bits of Freedom wrote to the leading AV companies for a formal position. One of the questions it asked was, “Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software?”
My understanding is that some, but not all, AV companies replied, in writing, that they do not collaborate with governments.
F-Secure’s Mikko Hyppönen spoke yesterday at the TrustyCon conference. I wasn’t there, so this is from The Register’s report:
A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure’s malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday…
While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed.
Same names. Coincidence? I wonder.
This is a bit worrying:
Guaranteeing security merely means you’re clueless and dangerous. But it’s indicative of the panic around CryptoLocker.
Panic, of course, is a universal life force – it gives living energy to any inanimate object. When you add panic to any story, it gains a life of its own; it grows legs and runs.
Panic has now been added to PrisonLocker (AKA PowerLocker), a new encrypting malware being readied for release by a guy called gyx.
But if you read the original and excellent exposé published last week by Malware Must Die, you cannot help but have a few questions. For example, each new announcement says release is imminent, but each new announcement doesn’t seem to bring it any closer.
Nor does the author sound much like the traditional hacker. His command of the written language is pretty good. There are relatively few typos or howling grammatical errors and the syntax is Anglo-Saxon – he’s probably British, or at least not American. He reads like a native English speaker. He spells ‘behaviour’ with a ‘u’ (an American or someone brought up on American English would not), and he writes ‘created by the group “Romanian Antisec”.’ with the full stop outside the quotation marks (an American would put it inside).
So with a few questions of my own, I spoke to Fraser Howard, a security researcher with Sophos. He too was a little puzzled.
“Typically,” he explained, “ransomware falls into one of two camps. The first simply locks the user out; but data and files are not normally modified or encrypted. This is easy to deal with – once the malware is removed, the user is back to normal. It’s more of an annoyance than anything else, scaring the user into paying up.
“The second encrypts the users’ files. The ‘serious’ ransomware families do this, using cryptography correctly to securely encrypt files without leaving the key anywhere accessible. PowerLocker,” he added, “claims to do both lockout and encrypt.”
This is one of the things that puzzles him: why have both? “Seems a bit daft to me – why bother locking them out if you have encrypted their data? The author claims: ‘Even if the user is able to somehow get out of locker screen, files will still be encrypted with practically unbreakable encryption.’
“Well, that’s just flawed, illogical thinking.
“It makes me suspicious – it’s indecisive. When I read claims like this, it makes me wonder if the author is actually very capable.” But that’s not all. “Some of the text in the other screenshots [from the Malware Must Die report] makes me suspect the author’s skills. Talk about ‘UAC bypass’ and ‘admin privileges’ – well, that’s all very basic stuff used by most malware today.”
My guess is that PrisonLocker was originally intended to be purely locking ransomware. Given the success and publicity surrounding CryptoLocker, gyx decided to add encryption. Not wishing to abandon what he’d already done, he kept the original locking mechanism. But with encryption now perceived as the primary sales incentive, the ‘prison’ epithet was no longer adequate, so he changed the name to ‘power’ locker (crypto locker already being taken).
But there’s one other thing we could consider. gyx is suggesting a purchase price of $100 for his malware. Firstly, he doesn’t seem intent on using it himself. Secondly, that’s remarkably cheap – unless, of course, it’s a ‘loss-leader’ being used to break into a new market.
And that, frankly, is what it seems like to me. A competent and well-educated coder has turned to the dark side, and is using this ‘project’ to get in. He understands software, but he doesn’t necessarily understand malware nor the malware marketplace. He’s selling it rather than planning to use it himself in order to stay at one remove from the hacking, infecting and stealing side of malware – he sees himself more as an underworld manager than an underworld foot-soldier.
But saying all that, if PowerLocker is as good (or as bad) as he describes, then it is going to be a dangerous piece of malware. If it’s taken up by some of the better organised criminal groups with access to 0-day exploits, or simply experienced in the use of exploit kits like Magnitude, then PowerLocker could easily become the next PanicLocker.
Is the anti-virus industry in bed with the NSA – why do CIPAV, FinFisher and DaVinci still defeat AV?
September 2013 is the month in which the extent of direct government hacking – as opposed to traffic surveillance – became known.
4 September – WikiLeaks releases Spy Files 3, demonstrating increasing use of third-party hacking tools, such as FinFisher.
6 September – Bruce Schneier writes in the Guardian
The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.
7 September – details of an NSA MITM operation against Google users in Brazil revealed.
12 September – FBI admits that it hacked Freedom Hosting. The implication is that it inserted the malware that monitored visitors, and it is almost certain that the malware was CIPAV.
FinFisher and CIPAV stand out as government operated spyware; but there are others: RCS (DaVinci), Bundestrojaner etcetera – and, of course, Stuxnet and Flame. We’ve known about them for a long time: see
- CIPAV: FBI, CIPAV spyware, and the anti-virus companies (this site, May 2011)
- RCS: Hacking Team’s RCS: hype or horror; fear or FUD? (this site, Nov 2011)
- FinFisher: Use of FinFisher spy kit in Bahrain exposed (Infosecurity Mag, August 2012)
- Bundestrojaner: Chaos Computer Club warns on “German government” communications trojan (Infosecurity Mag, Oct 2011)
This leaves a major question begging: if we’ve known about this malware for such a long time, how come it can still be used? Why doesn’t anti-malware software stop it?
There are two possible reasons that we’ll explore:
- the AV industry, like so many others, is in bed with the NSA
- the AV industry is not as good as the ‘stops 100% of known malware’ claims that it makes – or put another way, virus writers are generally one step ahead of the AV industry
In bed with the NSA
This has been vehemently denied by every AV company I have spoken to (see the articles on CIPAV and RCS for examples). Bruce Schneier doesn’t believe it is:
I actually believe that AV is less likely to be compromised, because there are different companies in mutually antagonistic countries competing with each other in the marketplace. While the U.S. might be able to convince Symantec to ignore its secret malware, they wouldn’t be able to convince the Russian company Kaspersky to do the same. And likewise, Kaspersky might be convinced to ignore Russian malware but Symantec would not. These differences are likely to show up in product comparisons, which gives both companies an incentive to be honest. But I don’t know.
Explaining the latest NSA revelations – Q&A with internet privacy experts
And yet the possibility lingers. When Flame was ‘discovered’, Mikko Hyppönen issued a mea culpa for the industry. Admitting that F-Secure had Flame samples on record for two years, he said,
Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.
What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.
It wasn’t the first time this has happened, either. Stuxnet went undetected for more than a year after it was unleashed in the wild…
Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
Forget the ‘hand on heart’ for a moment, and consider… That’s the two major government-sponsored malware samples known about and ignored by multiple AV companies for several years. Coincidence? Maybe. But to echo Schneier’s last sentence, I don’t know.
Malware writers are one step ahead of the AV industry
If you listen to the AV marketers, this cannot be true. Every month we hear claims that AV products stop 99.9% to 100% of all known viruses (remember that they ‘knew’ about Stuxnet and Flame, but did nothing). I’ve written on my dismay at this sort of advertising elsewhere (for example, Anti Malware Testing Standards Organization: a dissenting view).
However, if you listen to the foot soldier researchers – and sometimes even higher – within the individual companies, you realise that it is absolutely, inherently, and unavoidably true. Luis Corrons, the technical director at PandaLabs, puts it like this:
The effectiveness of any malware sample is directly proportional to the resources spent. When we talk about targeted attacks (and [CIPAV and FinFisher] are developed to perform targeted attacks) the most important part is the ability to be undetected. Bypassing signature detection is trivial, although it is almost useless too, as most anti-malware programs have several different layers of protection which do not rely on signatures.
The attackers probably know which security solution(s) the potential victim is using. Then it is as ‘simple’ as replicating the same scenario (operating system, security solution, etc.) and verifying that the malware is not being detected. As soon as it is flagged they will change it to avoid detection, until they have the final version.
Once they are done, they will infect the victim and will be spying / stealing information out of him until they are detected. This could be a matter of days, months or even years.
Claudio Guarnieri of Rapid7 said something very similar:
Since FinFisher, just as any other commercial spyware, is a very targeted and sophisticated (besides expensive) malware, it’s part of Gamma’s development lifecycle to make sure that they tweaked all the different components to avoid antiviruses before shipping the new FinFisher out to the customers.
The developers likely have their own internal systems to do this testing: think of something like a private VirusTotal. Every time they develop a new feature or a new release, they’ll test it against as many antiviruses as possible and if something gets detected, they debug and try to understand why and find a way around it.
The ‘problem’ with this approach is that they rely on the AV industry not knowing and not having access to their malware: whenever that happens AV vendors react pretty effectively and in fact if you look at FinFisher samples discovered 1 year ago they are now largely detected by most antivirus products.
Is the AV industry in bed with the NSA? The simple fact is that we just do not know. The industry itself denies it – but, well, it would, wouldn’t it? Statistically, since almost every other aspect of the security industry collaborates with or has been subverted by the NSA, my suspicion is that it is. At the very least, I suspect it engages in ‘tacit connivance’.
Are malware developers one step ahead of the AV industry? That depends. As Corrons says, it depends on the resources available to the bad guys, whether that’s NSA, FBI, GCHQ or the Russian Business Network. Well-resourced bad guys will always get in. As Schneier puts it, “if the NSA wants in to your computer, it’s in. Period.” But that probably applies to all governments and all seriously organized criminal gangs engaged in targeted hacking.
But one final comment: nothing said here should be taken to suggest that we don’t need the AV industry. It may not be able to stop the NSA, but it can and does stop a million script kiddie wannabe hackers every day.
But it does make you wonder why the West is so concerned about cyberwar when it is clearly the world’s greatest protagonist. Do as you would be done by, I say.
The inclusion of Shamoon is interesting. Does it imply that AlienVault considers it is state-sponsored by Iran? If so, the current cyberwar score seems to be US/Israel 5, China 1, Iran 1.
“Malware ‘was not from factories’, Microsoft says” is today’s headline. “Several outlets, including the BBC, reported that harmful software was being pre-installed on PCs at the manufacturing stage,” admits the BBC. Actually, it had said “Cybercriminals have opened a new front in their battle to infect computers with malware – PC production lines.” It said that because it didn’t bother reading the Microsoft reports.
And we told them they were wrong five days ago in our own reporting: China is a pariah.
Five days to get it right. Is there an agenda here?
Keep up, or fall behind, as they say.
What irony. As I link to my story on over-hyping the China threat, LinkedIn links to a story that over-hypes the same story. This one is from The Independent: “Microsoft admits millions of computers could be infected with malware before they’re even out of the box”. I’m afraid that I missed both the ‘millions’ and ‘before they’re even out of the box’ comments from Microsoft. Oh, no, I didn’t – they’re not there.
You can see it, can’t you: “Your driverless GoogleCar has been disabled by order of the Nevada State Police for speeding/transporting minors across state lines/distributing spam/running a red light in Reno, 04/03/2012 22:03:45/driving with a faulty tail light delete as applicable or all of the above. Your engine will be re-enabled on payment of a $99.00 fine payable…” It’s NGMR – next generation motorised ransomware.
Raj Samani, a great guy and CTO at McAfee, hinted at this in an email:
Wireless devices like web-based vehicle-immobilisation systems that can remotely disable a car could potentially be used maliciously to disable cars belonging to unsuspecting owners. And you won’t know what hit you until the malware strikes. There was a recent situation in Texas where it was reported that 100 vehicles were disabled from a remote disable system. The system had been installed by the car dealership, but was maliciously manipulated by a disgruntled former employee who remotely disabled the cars and wreaked havoc by setting off the car horns.
He was commenting on “news that Nevada has officially issued licenses to Google for driverless cars.” But clearly Google does not think he is such a great guy: it dumped the email into my spam folder:
News stories for Thursday 3 May and Friday 4 May 2012:
OpBayBack announced by Anonymous look-alike: TheWikiBoat
It was only a matter of time before one hacktivist group or another would react to the UK court-ordered ISP block on The Pirate Bay.
04 May 2012
The UK Protection of Freedoms Bill this week; telecommunications surveillance next week?
A major plank of both the Conservative and LibDem election campaigns was to ‘roll back the database state’ and curtail invasive bureaucratic surveillance. But has the Coalition achieved this? And what about the proposed communications monitoring bill?
04 May 2012
Website infection hits Israeli Institute for National Security Studies
Israeli websites frequently come under cyber attack. Now Websense reports that the Israeli Institute for National Security Studies (INSS) has been infected with malicious code ultimately leading to a Poison Ivy variant.
04 May 2012
LOIC DDoS tool – is it ‘safe’ for the user?
The DDoS weapon of choice for Anonymous activists, the Low Orbit Ion Cannon (LOIC), was downloaded from the internet 381,961 times during 2011. That number has already been exceeded in 2012, with daily downloads averaging more than 3400.
04 May 2012
SOCA knocked off the web by DDoS – again
The UK’s Serious Organised Crime Agency has today confirmed that a DDoS attack forced it to take its website off-line at 22:00 Wednesday. As of writing, 14:30 Thursday, it is still down.
03 May 2012
UK wi-fi connectivity is inadequate
As the UK economy headed into another recession, a UKFast round table of business and technology experts, slated to discuss the digital wallet, inevitably discussed the economy and what government should do about it.
03 May 2012
The evolving role of the CISO – new study by IBM
A study by IBM’s Center for Applied Insights concludes that there are now three ‘types’ of CISO: influencers, protectors and responders. Evolution towards the ‘influencer’ role is necessary, and happening.
03 May 2012
Hackers levy an ‘idiot tax’ on Belgian bank
“While this could be called ‘blackmail,’ we prefer to think of it as an ‘idiot tax’ for leaving confidential data unprotected on a Web server,” announces an unidentified hacker group in a news statement on Pastebin.
03 May 2012
Security and Liberty are opposite ends of the same see-saw. If one end goes up, the other must necessarily go down. The problem is finding the right balance between the two. Unfortunately, those with responsibility over our security will always tip the balance in their own favour, thus reducing our liberty. This is dangerous when it is government, for it is an inevitable road to a police state – and both Europe and the US are already a long way down that road.
But it shows itself at every level. The security industry itself faces this dilemma every day: do they do everything they can to protect their customers, or do they temper their actions and beliefs with civil liberty issues?
Here’s a case in point. Apple’s response to the Flashback trojan is, says Wolfgang Kandek, CTO of Qualys, ‘innovative’. “Apple released today a new, quite innovative version of Java for Mac OS X 10.7 and 10.6. Innovative, because the new version does not fix any vulnerabilities, but instead addresses two of the current Java on Mac landscape problems,” he writes. Firstly, it erases known variants of Flashback; and secondly “it automatically disables Java when it has not been used for the last 35 days.”
Wolfgang is pleased with the latter. “It makes total sense to me: we have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security conscious users will do so.” That’s a security man speaking. But my view is the opposite: Apple has no right to arbitrarily mess with my computer.
By taking away my responsibility for myself, by taking control of my security for me, Apple is simultaneously making me less likely to be personally responsible in the future, while also making me more likely to accept the security dictates of government. Already one of government’s standard arguments whenever it proposes some new form of surveillance is “if you haven’t done anything wrong, you don’t have anything to worry about.” And we actually think they have a point because our concept of our own freedom is constantly eroded.
But the reality is this: because I have done nothing wrong, you have no bloody right to spy on me. So whenever a security man, government or industry, says to you, we’ll look after your security, ask yourself at what cost?