‘British secret service reverse engineered Kaspersky antivirus’
The US intelligence agency NSA and the British GCHQ have attempted to undermine antivirus software in order to keep their own spy software from being detected. Among other things, GCHQ examined software from Kaspersky for vulnerabilities by means of reverse engineering.
The Intercept reports this on the basis of documents from whistleblower Edward Snowden. GCHQ focused mainly on the antivirus software of the Russian-based Kaspersky Lab. This is apparent from a 2008 application for the extension of a warrant, in which the agency requests permission to reverse engineer Kaspersky software. The British agency agreed with this request because reverse engineering is illegal, and GCHQ therefore wanted a formal exemption for its activities.
GCHQ reportedly regards the Russian company’s antivirus software as an obstruction to its spying activities. By reverse engineering Kaspersky products, the British agency hoped to find vulnerabilities; in particular, it wanted to prevent Kaspersky from noticing GCHQ’s spy software. It is unclear whether GCHQ actually found and exploited holes in the software. The warrant renewal application also listed many other software packages that the British agency scrutinized by means of reverse engineering.
The NSA is also said to have specifically targeted antivirus software from Kaspersky Lab. For example, the US agency discovered that the company’s software sent user-agent strings back to Kaspersky’s servers that could be traced back to users of the antivirus software. Kaspersky denies sending information that can be traced back to users, but tests by The Intercept with Kaspersky Small Business Security 4 reportedly show, among other things, that the software sends detailed information about the hardware in use unencrypted.
The NSA also focused on intercepting emails in which antivirus companies inform each other about newly discovered malware that had slipped past antivirus software. This information, or the malware in question, can be used by the intelligence agencies to keep their own malicious software undetected. In addition, a presentation was published in which the NSA lists 23 antivirus companies as interesting targets. The American antivirus brands McAfee and Symantec and the British Sophos are missing from that list.
Kaspersky Lab announced on June 10 that the company’s network had been infiltrated and that a new virus had been injected into it. According to Kaspersky Lab, the attackers are the makers of the Duqu virus. They may have used three zero-days, vulnerabilities for which no patch is yet available. A stolen Foxconn certificate was also used.