Antivirus Software Can be Turned Into a Powerful Spy Tool

Antivirus has fulfilled a useful role in removing malware, but it is also quite overrated. Installing security updates and using more robust software in general is often the better choice. I have long used the highly secure Qubes operating system much of the time myself, and there is no need to use antivirus in it.

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There’s good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an untrustworthy antivirus maker — or hacker or spy with a foothold in its systems — could abuse that deep access to track customers’ every digital movement.

“In the battle against malicious code, antivirus products are a staple,” said Patrick Wardle, chief research officer at Digita Security, a security company. “Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect.”

Mr. Wardle would know. A former hacker at the National Security Agency, Mr. Wardle recently succeeded in subverting antivirus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents.

Mr. Wardle’s curiosity was piqued by recent news that Russian spies had used Kaspersky antivirus products to siphon classified documents off the home computer of an N.S.A. developer, and may have played a critical role in broader Russian intelligence gathering.

[…]

For years, intelligence agencies suspected that Kaspersky Lab’s security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward J. Snowden, the former National Security Agency contractor, described a top-secret N.S.A. effort in 2008 that concluded that Kaspersky’s software collected sensitive information off customers’ machines.

The documents showed Kaspersky was not the N.S.A.’s only target. Future targets included nearly two dozen other foreign antivirus makers, including Checkpoint in Israel and Avast in the Czech Republic.

At the N.S.A., analysts were barred from using Kaspersky antivirus software because of the risk it would give the Kremlin broad access to their machines and data. But excluding N.S.A. headquarters at Fort Meade, Kaspersky still managed to secure contracts with nearly two dozen American government agencies over the last few years.

[…]

But, as Mr. Wardle’s research demonstrated, an untrustworthy vendor, or hacker or spy with access to that vendor’s systems, can abuse its deep access to turn antivirus software into a dynamic search tool, not unlike Google, to scan customers’ computers for documents that contain certain keywords.
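To make the mechanism concrete, here is an added example (not code from the article, from Kaspersky, or from Mr. Wardle’s research) of a toy content scanner shaped like an antivirus engine. It walks a directory with the privileges of whoever runs it, applies a rule list to every file, and "submits" matching files to a simulated vendor backend. The rule format, the `VendorBackend` class, and every file name and file content are constructed for the demo. The point it shows is that a conventional malware signature and a rule matching a classification marking are the same data structure going through the same dispatch code, so whoever controls the rule feed decides what is collected; the `full_samples` flag stands in for the "send suspicious samples to the vendor" setting that most products expose, and is the first thing to check and turn off on a machine that handles sensitive documents.

```python
"""
Added example: a toy content scanner shaped like an antivirus engine.
It is not code from the article or from Patrick Wardle's research.
The rules, file names and file contents are all constructed for the demo.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes   # regex over raw file bytes, as a signature engine would apply
    action: str      # "quarantine": act locally; "submit": ship the file to the vendor


# Both rules go through exactly the same matching and dispatch code.  Only the
# second one is a collection rule in disguise; the engine cannot tell the difference.
RULES = [
    Rule("Trojan.Constructed", re.escape(b"CONSTRUCTED_MALWARE_MARKER"), "quarantine"),
    Rule("Suspicious.Document", rb"TOP SECRET//(SI|TK|SCI)", "submit"),
]


@dataclass
class VendorBackend:
    """Hypothetical stand-in for the vendor's cloud; records what the client uploaded."""
    received: list = field(default_factory=list)

    def receive(self, name: str, rule: str, payload: bytes) -> None:
        self.received.append((name, rule, payload))


def scan_file(path: str, rules, backend: VendorBackend, full_samples: bool) -> list:
    """Apply every rule to one file.  full_samples mirrors the 'send suspicious
    samples to the vendor' setting; when False only a SHA-256 leaves the machine."""
    with open(path, "rb") as fh:
        content = fh.read()
    hits = []
    for rule in rules:
        if re.search(rule.pattern, content):
            hits.append(rule.name)
            if rule.action == "submit":
                payload = content if full_samples else hashlib.sha256(content).digest()
                backend.receive(os.path.basename(path), rule.name, payload)
    return hits


def scan_tree(root: str, rules, backend: VendorBackend, full_samples: bool = True) -> dict:
    """Walk a directory the way a scheduled scan would and map file -> rule hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, rules, backend, full_samples)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def build_home() -> str:
    """Create a constructed 'home directory' with benign, malicious and classified files."""
    root = tempfile.mkdtemp(prefix="av_demo_")
    samples = {
        "groceries.txt": b"eggs, milk, coffee",
        "installer.exe": b"MZ\x90\x00 ... CONSTRUCTED_MALWARE_MARKER ...",
        "memo.docx": b"<header> TOP SECRET//SI//NOFORN </header> project notes",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def demo(full_samples: bool = True):
    """Run the scan; return (hits per file, [(file, rule, bytes that left the machine)])."""
    backend = VendorBackend()
    hits = scan_tree(build_home(), RULES, backend, full_samples)
    uploaded = [(name, rule, len(payload)) for name, rule, payload in backend.received]
    return hits, uploaded


if __name__ == "__main__":
    print(demo(full_samples=True))   # the whole memo is uploaded
    print(demo(full_samples=False))  # only a 32-byte hash is
```

The malware rule never causes an upload, so nothing distinguishes a benign engine from a collection tool except the contents of the rule feed, which the customer does not see. Disabling full-sample submission limits the damage to a hash per hit, but the rule author can still learn which machines hold matching documents; only not running the scanner over the sensitive data at all closes that channel.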

[image]

The picture above is still fairly relevant, even though it is based on research that I would have done differently a few years ago.