Government-built malware running out of control, F-Secure claims

What if antivirus companies are whitelisting state malware...

15 Reg comments Got Tips?

TrustyCon A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure's malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday.

"Governments writing viruses: today we sort of take that for granted but 10 years ago that would have been science fiction," he told the public conference. "If someone had come to me ten years ago and told me that by 2014 it will be commonplace for democratic Western governments to write viruses and actively deploy them against other governments, even friendly governments, I would have thought it was a movie plot. But that's exactly where we are today."

The US is leading the way in this, he said, having initiated the Stuxnet malware against Iran's nuclear enrichment facilities, although the actions against the Iranians were part of a much larger program, Operation Olympic Games, which was initiated by the then-President Bush and carried on by Obama.

Hyppönen said that he had investigated a Stuxnet sample to see if it could be modified to attack other targets and found that it could, up to a point. The specific control code to interfere with the industrial SCADA control systems used by the Iranians was very difficult to reshape, but the malware could be reconfigured to introduce random controls to be sent to an infected industrial plant that could cause havoc.

Later parts of Operation Olympic Games were even more worrying, he said, particularly the Flame malware which spread using a false Windows Update system. Normally the Windows operating system refuses updates from code that isn't properly cryptographically signed, but in this case the writers appeared to have used a large team of crackers and a supercomputer to spoof Microsoft's signing key.

But it's not just the Americans, he said. China has long been fingered as using state-sponsored malware, and last June US President Obama and the Chinese premier were due to have a White House summit on the issue. Unfortunately Edward Snowden started leaking the NSA's documents four days before the meeting and the crucial topic was abandoned.

In Europe, German police and customs officials have access to a bespoke computer Trojan called R2D2 which is used to track and collect data on targets. The Russians are also major players, and even the Swedes are in on the game; Hyppönen showed the audience leaked documents showed Swedish officials had had meetings with the NSA and were setting up their own malware program.

New state actors are also piling in. Hyppönen highlighted the birth of a new malware family, called Careto (Spanish for "the mask"), which popped up in February. That software nasty, which has cropped up in 31 countries, belongs to a yet unknown Spanish-speaking country and is spreading fast.

Hyppönen also wondered out loud whether some antivirus companies had overlooked government-crafted malware. A Dutch campaign group called Bits of Freedom sent a letter to all the major antivirus vendors asking them to confirm that they weren't being asked to whitelist some kinds of malware being produced by government.

"The question was answered by our CEO saying 'No, we haven't', we have never whitelisted any government malware since the source doesn’t come into play – we simply protect all our customers," he said. "We've had this policy for 13 years."

While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

From Russia, with love

FBI, NSA to hackers: Let us be blunt. Weed need your help. We'll hire you even if you've smoked a little pot in the past

Black Hat Now that's what we call a joint task force: Uncle Sam chills out, relaxes recruitment rules on drugs

FYI: FBI raiding NSA's global wiretap database to probe US peeps is probably illegal, unconstitutional, court says

Analysis A data silo we didn't know existed until a certain IT admin went rogue

Made-up murder claims, threats to kill Twitter, rants about NSA spying – anything but mention 100,000 US virus deaths, right, Mr President?

Opinion Trump's throwing everything at the social wall to see what will stick

NSA warns that mobile device location services constantly compromise snoops and soldiers

It might be best not to ask how the NSA knows this and why it advises most mitigations don’t help

Snowden was right: US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anyway

Privacy campaigners cheer ruling 7 years in the making

After blowing $100m to snoop on Americans' phone call logs for four years, what did the NSA get? Just one lead

Section 215 more useless than we suspected yet they still want to keep it

It's not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously

GRU crew actively exploit hole – but you patched it months ago, right?

Biting the hand that feeds IT © 1998–2020