Is Kaspersky “inappropriately removing” files?

In a Reuters article yesterday, former FBI employees commented on the case investigating Kaspersky and reported a serious allegation against the Russian antivirus giant. According to the article:

Two former employees and a person briefed on the FBI case told Reuters that Kaspersky software has at times inappropriately inspected and removed files from users’ machines in its hunt for alleged cyber criminals, even when those files were not corrupted by viruses.

What does it mean to “remove files”?

There are two plausible explanations for the statement that Kaspersky “removed files from users’ machines.”  The first is that they deleted them inappropriately and the second is that they sent copies of the files to Kaspersky HQ.  Of course a combination of these two is also possible – e.g. that Kaspersky both removed the file from the user machine but also sent it to HQ for analysis.

In the first case where files are inappropriately deleted from a user’s machine, this would be classified as a denial of service (DoS).  This wouldn’t necessarily be a malicious act.  Earlier this year, Webroot began inappropriately deleting Windows files, causing denial of service.  Last year, ESET marked the entire Internet as too risky to browse (which in hindsight might not be too bad). There are countless other examples of various antivirus engines inappropriately blocking access to files, none of which triggered investigations from the FBI.

What about the possibility that Kaspersky is inappropriately copying files from user machines and sending them to HQ for analysis?  The implied malicious act is that Kaspersky would use its ability to scan every file on a machine to send selected sensitive files to HQ (and presumably share them with foreign intelligence).  Kaspersky holds a top-two position in the antivirus market globally (PDF).  If their antivirus platform can be tasked by Russian intelligence to collect files of interest from any machine where it is installed, then Kaspersky would likely be the largest intelligence collection system on the planet.

Hold on, did you say Kaspersky is the largest intelligence collection system on the planet?

Simmer down now, Rendition Infosec is obviously not making that claim.  Rendition is simply responding to the allegation that Kaspersky “removed files from users’ machines.”  If we are meant to interpret the statement as meaning “exfiltrated data for foreign intelligence” then we can logically conclude that Kaspersky can perform such actions at scale. As in our previous analyses of the Kaspersky debate, it is important to reiterate that ANY antivirus company has the same capability in this regard.  The only reason we single out Kaspersky here is because of accusations by the US Government.

Are there other ways to interpret your “evidence?”

But is there any evidence that Kaspersky is actually collecting files “inappropriately” from machines?  If one takes the pragmatic approach and assumes that nobody at the FBI made this up, then they must have observed something to support the claim.  At Rendition, we examined the claim and consider it entirely probable that the FBI did actually observe the exfiltration of files by Kaspersky.  But that doesn’t back the assertion that Kaspersky was doing anything malicious.

Occam is betting on silent signatures

It is widely believed that antivirus companies deploy silent signatures for the purposes of telemetry.  So-called silent signatures allow antivirus companies to test new signatures in the wild without worrying about false positives causing denial of service conditions.  They also allow antivirus companies to perform stealthy investigations of APT related malware.

Once the antivirus company finds an APT malware sample, they can cast a wide net looking for other variants of that sample in the wild.  When a silent signature matches, the antivirus client does not block or delete the file; it retrieves the sample and sends it to HQ for analysis.  Organizations agree to this in the software EULA.  And yes, sometimes those samples probably include office documents that might contain sensitive data, because a hunting signature written broadly enough to catch unknown variants will also catch benign files that happen to share the same strings or structure.
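The difference between an enforced signature and a silent one is easiest to see in code. The following is an added toy illustration, not code from this post, from Kaspersky, or from any antivirus vendor: the rule format, the file corpus, the upload queue and the hunting rule are all invented here to show why a silent match can ship a user's office document to vendor HQ without the user ever seeing a detection.

```python
"""Toy model of enforced vs. "silent" antivirus signatures.

Added example; not any vendor's code. The rule format (a regex over file
bytes), the sample files and the upload queue are all constructed for
illustration only. No real malware is involved.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    pattern: bytes          # hypothetical rule format: regex over raw bytes
    silent: bool = False    # silent: report and collect, never block or delete


@dataclass
class ScanReport:
    quarantined: list = field(default_factory=list)   # files removed from the user's reach
    telemetry: list = field(default_factory=list)     # (rule, path, sha256) sent to the vendor
    upload_queue: dict = field(default_factory=dict)  # path -> full file bytes shipped to HQ


def scan(files, signatures):
    """Scan a {path: bytes} map against a list of Signature objects.

    Enforced hits quarantine the file (the user notices). Silent hits only
    emit telemetry and queue the whole file for upload (the user does not).
    """
    report = ScanReport()
    for path, data in files.items():
        for sig in signatures:
            if re.search(sig.pattern, data) is None:
                continue
            digest = hashlib.sha256(data).hexdigest()
            report.telemetry.append((sig.name, path, digest))
            if sig.silent:
                # Hunting mode: collect the sample for analysts, leave the file alone.
                report.upload_queue[path] = data
            elif path not in report.quarantined:
                report.quarantined.append(path)
    return report


# Constructed sample corpus (hypothetical paths and contents, no real malware).
SAMPLE_FILES = {
    "C:/Users/alice/Downloads/invoice.exe":
        b"MZ\x90\x00EVIL_DROPPER_V1" + b"\x00" * 16,
    "C:/Users/alice/Documents/q3-budget.docx":
        b"PK\x03\x04Budget FY2018 CONFIDENTIAL - contact: ops@example.test",
    "C:/Users/alice/Documents/notes.txt":
        b"lunch at noon",
}

SIGNATURES = [
    # Vetted, enforced: a specific marker from a known dropper.
    Signature("Trojan.Dropper.V1", rb"EVIL_DROPPER_V1"),
    # Deliberately broad hunting rule pushed silently to find related lures;
    # it will also match any benign document mentioning such a mailbox.
    Signature("APT.Lure.Heuristic", rb"[a-z]+@example\.test", silent=True),
]


def run_example():
    """Scan the constructed corpus with both rules and return the report."""
    return scan(SAMPLE_FILES, SIGNATURES)


if __name__ == "__main__":
    r = run_example()
    print("quarantined (user sees):", r.quarantined)
    print("uploaded to HQ (user does not see):", list(r.upload_queue))
    for rule, path, digest in r.telemetry:
        print(f"telemetry: {rule} {path} {digest[:12]}")
```

Run as written, the executable is quarantined, the budget document is never touched on disk but its full contents land in the upload queue, and notes.txt generates no telemetry at all. An investigator watching the network would see a confidential document leave the machine with no corresponding alert on the host, which is exactly the observation that could be mistaken for exfiltration.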

Considering that organizations are not notified when their documents are shipped to HQ for analysis, it is easy to see how documents being shipped out might appear to be malicious. When combined with the suggestion that the Russian government might be influencing Kaspersky, one can make the easy leap to espionage, especially if they didn’t know about silent signatures.

Closing thoughts 

The Reuters article gives some of the public the first “details” (if you can call them that) of the activity alleged to have been performed by Kaspersky.  Like everything in the Kaspersky debate, it is helpful to frame the information properly.  Silent signatures are an equally plausible explanation for the behavior claimed by the unnamed persons associated with the FBI investigation.  Again, we ask for greater transparency into the claims against Kaspersky so organizations can build accurate threat models.  These statements by FBI insiders are incomplete and confusing at best, intentionally misleading and nefarious at worst.