Analysis Security guru Bruce Schneier has joined with the Electronic Frontier Foundation and 23 other privacy and digital rights activists to call on antivirus firms to publicly state they do not turn a blind eye towards state-sponsored malware.
Antivirus vendors have been given until 15 November to go on the record about detection of state-sponsored malware, with early indictions pointing towards a somewhat weary "of course we detect it" response.
Meanwhile neutral observers of the security software market point out there's no need for spy agencies to ask for their malware to be whitelisted by vendors because defences aren't that strong in the first place.
An open letter (PDF) to the industry from Schneier et al follows recent revelations that the NSA uses malware and exploits to track users of the Tor anonymity service or otherwise monitor the communications of surveillance targets.
The existence of the NSA's Tailored Access Operations (TAO) hacking squad unit has been an open secret for years, but recent revelations have fleshed out the details and revealed that NSA hackers have procedures that mean they generally only resort to malware only in cases where it's unlikely their malicious code will be detected.
Effective security scanners might therefore be a factor when the NSA decides whether or not to run malware-based attacks – even though nobody seriously believes antivirus alone can be relied upon to defend against state-sponsored malware.
"As a manufacturer of antivirus software, your company has a vital position in providing security and maintaining the trust of internet users as they engage in sensitive activities such as electronic banking," the privacy activists and security experts wrote in an open letter to antivirus companies. "Consequently, there should be no doubt that your company's software provides the security needed to maintain this trust."
The letter (extract below) challenges antivirus vendors to be clear about their detection of governmental surveillance-ware, requesting a response by 15 November.
Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?
Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?
Although propelled back into the news by the Snowden revelations, the question of whether or not antivirus vendors avoid detection of state-sponsored malware has been around for years.
Bundestrojaner and Magic Lantern
For instance, two years ago, the discovery of controversial backdoor Trojan used by German officials to eavesdrop on Skype conversations of criminal suspects provoked questions about antivirus detection. Samples of the so-called R2D2 (AKA "0zapftis") Trojan came into the possession of the Chaos Computer Club (CCC), which published an analysis of the code. German federal agencies subsequently insisted the so-called Bundestrojaner was legal.
Eddy Willems, a security evangelist at German firm G Data Security Labs, told El Reg: "This is not a new issue – it has been around for over 10 years – and all players in the AV industry have clearly stated, on several occasions, that no, we do not allow malware created by the state to infect any systems and we do not share any privacy-sensitive information with anyone, not even with police forces or secret services,"
"G Data was asked very often if we allowed these Trojans on systems," Willems said. "The answer was a very clear NO."
Finnish anti-virus firm F-Secure has a similar and equally clear policy of detecting spying programs developed by governments and notifying its customers, regardless of fear or favour. Other antivirus firms likely have similar stances because to act otherwise would be commercial suicide, as previous controversies about the same issue have established.
The Bundestrojaner is just the latest example of a longer running issue. In November 2001, for example, controversy erupted over whether security software firms were deliberately avoiding detection of a Trojan horse program reportedly under development by the FBI.
The keystroke-logging Trojan, dubbed Magic Lantern, reportedly enabled investigators to break PGP-encoded messages sent by suspects under investigation by using malware to capture a suspect's passphrase. Magic Lantern samples were never captured - or at a least never identified as such.
The same issue of security software detection of "patriotic" malware arose in the immediate aftermath of 9/11, and continues to resonate more than 12 years later.
It wouldn't make sense, and here's why...
But Willems argues that for anyone in the industry to ignore state-sponsored malware would be unworkable as the malicious software can be produced by any number of intelligence agencies in any number of countries.
"The cynical receiver of that message might think this is the only viable response in order to keep on selling products to the public," Willems explained, "but it would be quite obvious if there were players that do allow state-made malware through while others do block it. It would show up in detection percentages and it would be obvious from sites like VirusTotal, which compare the detection of certain files amongst different AV-products. The only way this would work is if all AV vendors allowed all state-made malware through, not only that of their own country, but also that of all the other countries."
Warming up to his theory, he continues: "[But] to make that work, all these companies would always need to be made aware of all the samples that are state-made in order for them to whitelist them (because they are intrinsically the same as all other malware, so cannot be recognised as such). That would mean that, for instance, secret services from the US would need to inform the Russian, Romanian, Chinese, German, etc developers of AV software about their state-made malware. Not a very likely scenario," he added.
Not detecting state-sponsored malware is also a bad idea for other reasons, such as the possibility that cybercrooks might get their hands on it and misuse it to steal data, as a blog post on the issue by Sophos explains. "Our customers' protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can't detect, not for us to cripple our software."
Top secret.. or top, top top secret?
Security blogger Kurt Wismer is also dismissive about claims that antivirus vendors are complicit in state-sponsored malware attacks, albeit for different (and seldom aired) reasons. Wismer argues it would be bad operational security practice to tell anyone about your super-secret malware. "If you want to keep something secret, the last thing you want to do is tell dozens of armies of reverse engineers to look the other way," Wismer writes on his Anti-virus Rants blog.
Wismer also points out that there's no need for government ninja types to tell security vendors about their wares in order to be effective in smuggling them past security defences. To believe otherwise would be to credit the idea that well-resourced intelligence agencies are incapable of following a practice common or garden cybercrooks have been successfully following for years.
"There are already well-established techniques for making malware that AV software doesn't currently detect. Commercial malware writers have been honing this craft for years and it seems ridiculous to suggest that a well-funded intelligence agency would be any less capable," Wismer concludes.
Antivirus vendors, while fierce rivals commercially, have always co-operated on a technical level with the exchange of malware samples. Victims' willingness to go along with this process has dried up somewhat in the era of state-sponsored snoopware, according to Willems.
"Whenever a certain state encounters a piece of malware they suspect is written by another state to spy on them, they are very reluctant to ask the AV industry for help in analysing this software. Why this is the case remains a mystery, although my guess goes towards diplomatic relationships between states getting prioritised over cases of cyber espionage," Willems concluded. ®