Antivirus bods grilled: Do YOU turn a blind eye to government spyware?

AS IF G-men would tell us about state-sponsored badness, scoff AV firms


Analysis Security guru Bruce Schneier has joined with the Electronic Frontier Foundation and 23 other privacy and digital rights activists to call on antivirus firms to publicly state they do not turn a blind eye towards state-sponsored malware.

Antivirus vendors have been given until 15 November to go on the record about detection of state-sponsored malware, with early indications pointing towards a somewhat weary "of course we detect it" response.

Meanwhile neutral observers of the security software market point out there's no need for spy agencies to ask for their malware to be whitelisted by vendors because defences aren't that strong in the first place.

An open letter (PDF) to the industry from Schneier et al follows recent revelations that the NSA uses malware and exploits to track users of the Tor anonymity service or otherwise monitor the communications of surveillance targets.

The existence of the NSA's Tailored Access Operations (TAO) hacking unit has been an open secret for years, but recent revelations have fleshed out the details and revealed that NSA hackers follow procedures that mean they generally resort to malware only in cases where it's unlikely their malicious code will be detected.

Effective security scanners might therefore be a factor when the NSA decides whether or not to run malware-based attacks – even though nobody seriously believes antivirus alone can be relied upon to defend against state-sponsored malware.

"As a manufacturer of antivirus software, your company has a vital position in providing security and maintaining the trust of internet users as they engage in sensitive activities such as electronic banking," the privacy activists and security experts wrote in an open letter to antivirus companies. "Consequently, there should be no doubt that your company's software provides the security needed to maintain this trust."

The letter (extract below) challenges antivirus vendors to be clear about their detection of governmental surveillance-ware, requesting a response by 15 November.

Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?

Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?

Although propelled back into the news by the Snowden revelations, the question of whether or not antivirus vendors avoid detection of state-sponsored malware has been around for years.

Bundestrojaner and Magic Lantern

For instance, two years ago, the discovery of a controversial backdoor Trojan used by German officials to eavesdrop on Skype conversations of criminal suspects provoked questions about antivirus detection. Samples of the so-called R2D2 (AKA "0zapftis") Trojan came into the possession of the Chaos Computer Club (CCC), which published an analysis of the code. German federal agencies subsequently insisted the so-called Bundestrojaner was legal.

Eddy Willems, a security evangelist at German firm G Data Security Labs, told El Reg: "This is not a new issue – it has been around for over 10 years – and all players in the AV industry have clearly stated, on several occasions, that no, we do not allow malware created by the state to infect any systems and we do not share any privacy-sensitive information with anyone, not even with police forces or secret services."

"G Data was asked very often if we allowed these Trojans on systems," Willems said. "The answer was a very clear NO."

Finnish anti-virus firm F-Secure has a similar and equally clear policy of detecting spying programs developed by governments and notifying its customers, regardless of fear or favour. Other antivirus firms likely have similar stances because to act otherwise would be commercial suicide, as previous controversies about the same issue have established.

The Bundestrojaner is just the latest example of a longer running issue. In November 2001, for example, controversy erupted over whether security software firms were deliberately avoiding detection of a Trojan horse program reportedly under development by the FBI.

The keystroke-logging Trojan, dubbed Magic Lantern, reportedly enabled investigators to break PGP-encoded messages sent by suspects under investigation by using malware to capture a suspect's passphrase. Magic Lantern samples were never captured - or at least never identified as such.

The same issue of security software detection of "patriotic" malware arose in the immediate aftermath of 9/11, and continues to resonate more than 12 years later.

It wouldn't make sense, and here's why...

But Willems argues that for anyone in the industry to ignore state-sponsored malware would be unworkable as the malicious software can be produced by any number of intelligence agencies in any number of countries.

"The cynical receiver of that message might think this is the only viable response in order to keep on selling products to the public," Willems explained, "but it would be quite obvious if there were players that do allow state-made malware through while others do block it. It would show up in detection percentages and it would be obvious from sites like VirusTotal, which compare the detection of certain files amongst different AV-products. The only way this would work is if all AV vendors allowed all state-made malware through, not only that of their own country, but also that of all the other countries."

Warming up to his theory, he continues: "[But] to make that work, all these companies would always need to be made aware of all the samples that are state-made in order for them to whitelist them (because they are intrinsically the same as all other malware, so cannot be recognised as such). That would mean that, for instance, secret services from the US would need to inform the Russian, Romanian, Chinese, German, etc developers of AV software about their state-made malware. Not a very likely scenario," he added.
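Willems' argument is that a vendor quietly whitelisting one state's malware would stand out in a multi-scanner comparison. The following is an added illustration, not code from the article or from any vendor: it takes constructed verdicts in the style of a VirusTotal-like report (hypothetical engine names AV-A to AV-D and sample ids) and separates a low headline detection rate from the more telling signal, an engine that consistently misses what its peers flag.

```python
from collections import defaultdict

# Constructed multi-engine verdicts in the style of a VirusTotal-like report
# (hypothetical engine names and sample ids): sample -> {engine: detected?}
SCAN_RESULTS = {
    "sample-01": {"AV-A": True,  "AV-B": True,  "AV-C": True,  "AV-D": True},
    "sample-02": {"AV-A": True,  "AV-B": True,  "AV-C": True,  "AV-D": False},
    "sample-03": {"AV-A": True,  "AV-B": False, "AV-C": True,  "AV-D": False},
    "sample-04": {"AV-A": False, "AV-B": False, "AV-C": False, "AV-D": False},
    "sample-05": {"AV-A": True,  "AV-B": True,  "AV-C": True,  "AV-D": False},
    "sample-06": {"AV-A": True,  "AV-B": True,  "AV-C": True,  "AV-D": False},
}


def detection_rates(results):
    """Fraction of all samples each engine flags: the headline 'detection percentage'."""
    hits, totals = defaultdict(int), defaultdict(int)
    for verdicts in results.values():
        for engine, detected in verdicts.items():
            totals[engine] += 1
            hits[engine] += int(detected)
    return {engine: hits[engine] / totals[engine] for engine in totals}


def consensus_samples(results, quorum=0.5):
    """Samples flagged by a strict majority of engines, i.e. the industry agrees they are malicious."""
    return {
        sample for sample, verdicts in results.items()
        if sum(verdicts.values()) / len(verdicts) > quorum
    }


def selective_misses(results, quorum=0.5):
    """Per engine, the consensus samples it fails to flag.

    A low raw rate can have innocent causes (a slow lab, a different sample feed);
    an engine that keeps missing what its peers catch is the discrepancy a
    cross-vendor comparison would expose.
    """
    misses = defaultdict(set)
    for sample in consensus_samples(results, quorum):
        for engine, detected in results[sample].items():
            if not detected:
                misses[engine].add(sample)
    return {engine: sorted(samples) for engine, samples in misses.items()}


def flag_outliers(results, quorum=0.5, max_miss_ratio=0.5):
    """Engines that miss more than `max_miss_ratio` of the consensus set."""
    agreed = consensus_samples(results, quorum)
    if not agreed:
        return []
    misses = selective_misses(results, quorum)
    return sorted(e for e, m in misses.items() if len(m) / len(agreed) > max_miss_ratio)
```

With the constructed data, every engine misses sample-04 (so that gap is not attributed to anyone), but only AV-D misses three of the four samples the others agree on, which is what the outlier check reports.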

Not detecting state-sponsored malware is also a bad idea for other reasons, such as the possibility that cybercrooks might get their hands on it and misuse it to steal data, as a blog post on the issue by Sophos explains. "Our customers' protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can't detect, not for us to cripple our software."

Top secret.. or top, top top secret?

Security blogger Kurt Wismer is also dismissive about claims that antivirus vendors are complicit in state-sponsored malware attacks, albeit for different (and seldom aired) reasons. Wismer argues it would be bad operational security practice to tell anyone about your super-secret malware. "If you want to keep something secret, the last thing you want to do is tell dozens of armies of reverse engineers to look the other way," Wismer writes on his Anti-virus Rants blog.

Wismer also points out that there's no need for government ninja types to tell security vendors about their wares in order to smuggle them past security defences. To believe otherwise would be to credit the idea that well-resourced intelligence agencies are incapable of following a practice that common-or-garden cybercrooks have been successfully following for years.

"There are already well-established techniques for making malware that AV software doesn't currently detect. Commercial malware writers have been honing this craft for years and it seems ridiculous to suggest that a well-funded intelligence agency would be any less capable," Wismer concludes.

Antivirus vendors, while fierce rivals commercially, have always co-operated on a technical level with the exchange of malware samples. Victims' willingness to go along with this process has dried up somewhat in the era of state-sponsored snoopware, according to Willems.

"Whenever a certain state encounters a piece of malware they suspect is written by another state to spy on them, they are very reluctant to ask the AV industry for help in analysing this software. Why this is the case remains a mystery, although my guess goes towards diplomatic relationships between states getting prioritised over cases of cyber espionage," Willems concluded. ®

Biting the hand that feeds IT © 1998–2022