Is your antivirus software part of your threat model? Maybe it should be…

Recently we learned that the US Senate was pushing to add language to the National Defense Authorization Act (NDAA) that would prohibit the purchase and use of Kaspersky software anywhere in the DoD. This is almost certainly a political move, and CyberScoop's Patrick Howell O'Neill has already done a great job of covering the story from a political angle. It is entirely possible that the Senate's statements about the NDAA are just political messages meant to rattle sabers.

But should antivirus be part of your threat model? Perhaps it should. As Tavis Ormandy has shown over the last year, antivirus software is often full of security vulnerabilities. This is especially concerning because antivirus runs with elevated privileges, and those elevated privileges are exactly what make antivirus software so dangerous when it misbehaves.

In considering this debate, it is important to consider the types of threats that antivirus software could pose if the vendor were subject to "influence" from a government. Obviously we are talking about this because of Kaspersky and the NDAA, but it is important to note that any antivirus company could be subject to the same attacks. The risk is not limited to antivirus companies that could be influenced – any software manufacturer with automatic updates could be used as an attack platform by a government. If one were hacked by an APT group (most likely a nation state), its customers would also be vulnerable (whether the software in question is antivirus or something else).

What threats can be posed by antivirus?

That leads to the question: what threats can truly be posed by an antivirus manufacturer that has "gone rogue" and is being influenced by a government? If an antivirus company were compromised by an attacker or influenced by a government, it could pose the following potential threats:

  • Deploy signatures that selectively ignore malware signed by a particular digital certificate (or having some other property).
  • Steal credentials from selected machines and report them back to the AV company. These could then be passed to foreign intelligence and used to move laterally throughout the network.
  • Perform machine surveys to help foreign intelligence services find the ideal machines to exploit and implant. One of the hardest things to do in any network exploitation operation is finding the machines that contain the data you need. Rogue antivirus software could hand this data to foreign CNE operators.
  • Deploy malware through its auto-update functionality. Because the malware is deployed by the antivirus software itself, it would obviously not be caught.
  • Temporarily disable machines for a short period, offering a window for some other operation (kinetic or another hacking operation). The antivirus could lock up the machines for a time. Most antivirus has uninstall protection to prevent malware from uninstalling it. Although administrators can normally work around these restrictions with a secret password, the AV could prevent even this from working. This might even be camouflaged as a "software bug" rather than a willful attack.
  • Selectively modify certain files on selected machines.
  • Wipe certain files on selected machines.
  • Wipe the MBR on selected machines.
  • Search for specific files to steal and exfiltrate them to a third party.

This list is far from exhaustive. There are certainly other survey, espionage, and attack operations that antivirus could perform. But it should paint a picture of some of the threats that antivirus might pose if it were being controlled by a foreign government. And note again that this isn't specific to Kaspersky. Any AV software could pose these theoretical risks if its vendor were influenced by a government (or its networks hacked and controlled by the same).

Some will note that Eugene Kaspersky, in the interest of transparency, has offered to have the source code for his product audited. Eugene knows better than most that this is a publicity stunt and will not provide any true level of security assurance. Rendition Infosec covered in an earlier post why a code audit wouldn't help with this issue.

It's important to remember that any software with auto-update functionality could accomplish most of what is listed above. But antivirus (and other security software) is special in that it is seen as a last line of defense against such attacks. If the antivirus software itself is the source of the intrusion, a serious trust issue arises. Since any given machine is likely to run only one antivirus (running multiple AV suites on the same machine is not recommended), a compromise initiated by the antivirus software is likely to remain undetected by the end user.

Closing Thoughts

Rendition Infosec isn't taking sides in this dispute between Kaspersky and the US Government. In fact, some of our clients use Kaspersky products to secure portions of their networks (Kaspersky code is found in a large variety of products). A number of clients have asked us whether they should migrate away from Kaspersky. We answer by telling them that this is something they have to evaluate as part of their total threat model. If they plan to leave Kaspersky for another antivirus company, they should perform the same threat evaluation of the new antivirus company. If the reduction in risk does not result in any obvious benefit, they should not make the move. At the end of the day, this article should be viewed as a discussion of threats that could be levied by any antivirus vendor (though the obvious impetus for publication is the current NDAA debate regarding Kaspersky).
