Former NSA hacker to expose how to subvert the Kaspersky Lab antivirus and turn it into a powerful search tool for classified documents


The Kaspersky case shows that security software can be used by intelligence agencies as a formidable spy tool. Patrick Wardle, chief research officer at Digita Security and a former NSA hacker, confirmed this by subverting Kaspersky Lab antivirus software and turning it into a powerful search tool for confidential documents.

In an interview with The New York Times, Patrick Wardle said: “Antivirus products are the first choice for fighting malicious code.” Ironically, however, these products have much in common with advanced cyber espionage tools. “From a technical point of view, what if an anti-virus maker can, for some reason, such as being forced or hacked, create a signature that marks a confidential file?”

Last December, U.S. President Trump signed a bill banning the use of Kaspersky Lab products and services in federal agencies. According to a top-secret report leaked by Edward J. Snowden, the NSA has targeted anti-virus software (Checkpoint and Avast) since at least 2008 to gather sensitive information stored on target machines.

Wardle reverse-engineered Kaspersky Lab antivirus software to explore the possibility of using it for intelligence purposes. The goal was to be able to write a signature that detects confidential documents. Wardle found the code to be very complex. Unlike traditional antivirus software, Kaspersky’s malware signatures are easy to update. Researchers believe this feature could be tuned to automatically scan victims’ machines and steal confidential documents.

“Modern anti-virus products are very complex software, and Kaspersky is probably the most complicated one, so getting just a sound understanding of its signatures and scanning logic is a challenging task.” Kaspersky’s anti-virus engine periodically checks for and automatically installs any new signatures. When a new signature is available, it is downloaded from the Kaspersky update server by the kav daemon.

Antivirus scan may be used for cyber espionage

Wardle said officials often mark top secret documents with “TS / SCI” (“Top Secret / Sensitive Compartmented Information”), so he added a rule to Kaspersky’s antivirus program to flag any document containing the “TS / SCI” marker. To test the new rule, he edited a file on his computer containing the text of the Winnie the Pooh children’s books and added the “TS / SCI” tag to it. Once the document was saved on his machine, Kaspersky Anti-Virus flagged and quarantined it.

The next phase of Wardle’s test was to find out what happens to the flagged documents: the anti-virus software sends such data back to the company for further analysis, which is normal behaviour for an antivirus product.

However, Kaspersky said in a statement that Wardle’s research is not correct, because Kaspersky Lab cannot deliver specific signatures or updates to specific users in a covert manner; all signatures are always made public to all users, and updates are digitally signed and cannot be forged.

However, Wardle’s research shows that an anti-virus vendor’s platform could be used as a search tool.

The expert concluded: “However, if a malicious or willing insider inside any antivirus company can strategically deploy such a signature, then any antivirus company that is forced or willing to cooperate with a powerful agency such as a government is equally able to quietly use its products to detect and exploit any files of interest.”

For details, please read “All Your Docs Are Belong To Us”.

Source: SecurityAffairs