15 comments

[ 3.3 ms ] story [ 45.2 ms ] thread
>>ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher; they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply.

Glad to here we're safe.

I remember the BMG Sony rootkit scandal vividly (http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...)

Most of all I remember that the only company not willing to sit tight was FSecure. They contacted BMG Sony and where about to go public, when Mark Russinovich publicized this atrocity. At least that's how I recall it.

It's since then that I have zero faith in security software vendors.

NSA doesn't need to ask anti-virus companies to ignore certain malware, as long as Microsoft is handing them lists of fresh Windows vulnerabilities months before they even begin working on fixing them.

http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t...

Until that policy changes at Microsoft, at least 90 percent of the PC users will never be truly safe.

Microsoft does that publicly all the time. I work for a large enterprise organization, and we get notifications from Microsoft of vulnerabilities that have not been patched yet. The point is that we can mitigate the risk while waiting for the patch.

We're not running out to exploit the vulnerability in our competitor's system. The NSA or other malicious actors may be, sure, but I have doubts that this is what Microsoft wants to have happen. The goal is to mitigate the risk while a patch is being made. Microsoft doesn't want their software to be exploited, period.

That program is MAPP (Microsoft Active Protections Program). [1] All governments (except Iran, Syria, etc.) are part of it, as well as hundreds of private companies internationally. Of course, vulnerabilities are routinely leaked. [2] Other programs include the SSI (Shared Source Initiative) [3] by which governments get access to the Windows source code, and the GSP (Government Security Program) [3] which helps governments find vulnerabilities in said source code.

Not to mention COFEE [4] -- I wonder how many antivirus detect that, especially since its source code was leaked...

[1] http://technet.microsoft.com/en-us/security/dn467918

[2] http://www.zdnet.com/blog/security/microsoft-kicks-chinese-c...

[3] https://www.microsoft.com/en-us/sharedsource/default.aspx

[4] https://wikileaks.org/wiki/Microsoft_COFEE_(Computer_Online_...

I bet that if you had asked AT&T and the like - before they got caught - if they gave the NSA warrant-less access to U.S. citizens' communications, they would have also said "no."
>> My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies.

this sounds more like an assumption than reasoning. given all we know to date about the operations of the NSA and the CIA (they collaborate closely at times), we should not be so hasty in dismissing such an important topic.

>> Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.

well.. they wouldn't, would they.

Isn't the more telling part the cos. that haven't responded till now? Notably US ones Symantec and McAfee.
I always assumed the handled it through Accounts Receivable.
There are now some companies which provide non-signature based anti-virus detection to potentially detect zero-day malware. Most of them work by spinning up a vm, run or open the file to check, and verify any changes to the system. Check out http://www.fireeye.com/ (funded by the CIA's startup incubator In-Q-Tel) http://www.fidelissecurity.com/ (from General Dynamics) and Northrop Grumman is releasing one soon too.

Not sure if I'd trust these companies more or less than the signature based companies.

I deployed Fireeye over a year ago, and can confirm it's very good a spotting malware that most AV vendors don't. I can't, however, confirm it doesn't have back doors so that three-letter agencies can't tell it not to detect something they don't want it to.
I enjoyed the article, but explicitly asking anti-virus companies if they have complied with such a government request seems silly.

It's like asking a politician, "Have you ever been unfaithful to your wife?"

"What's that? No? Okay, well you heard the man. Time to move on."

Agreed. This sounds like a debate that could be settled by testing different antivirus products (and their old versions) against state-sponsored malware.
I'm not sure that's a good test; any publicly known example of state-sponsored is almost certainly in current antivirus software. Since they're publicly known, there's no advantage to continuing to be sneaky about it — it would certainly tip people off that the companies were under the thumb of a government. And testing older version probably won't help, because you can't prove that the company knew about them before the rest of us did.
I doubt the NSA needs to co-opt antivirus companies, they are already worthless. Besides, Kaspersky for one is lying. His company works closely with the FSB:

We have very good relations with both the FSB cybersecurity department and the Moscow police department. They know us. They know us as people who support them when they need it.

http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/

(edit:) and the FBI:

Даже США: мы периодически консультируем ФБР.

http://www.rusrep.ru/2008/32/interview_kasperskiy