It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.
Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There’s good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.
By downloading security software, consumers also run the risk that an untrustworthy antivirus maker — or hacker or spy with a foothold in its systems — could abuse that deep access to track customers’ every digital movement.
“In the battle against malicious code, antivirus products are a staple,” said Patrick Wardle, chief research officer at Digita Security, a security company. “Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect.”
Patrick Wardle, a security researcher, demonstrates how he was able to use a vulnerability in Microsoft’s Windows software to manipulate Kaspersky antivirus software.
Sure enough, as soon as the Winnie the Pooh text was saved to his machine, Kaspersky’s antivirus software flagged and quarantined the document. When he added the same TS/SCI marker to another document containing the text “The quick brown fox jumps over the lazy dog,” it, too, was flagged and quarantined by Kaspersky’s tweaked antivirus program.
“Not a whole lot of surprise that this worked,” Mr. Wardle said, “but still neat to confirm that an antivirus product can be trivially, yet surreptitiously, used to detect classified documents.”
The next question was: What happens to these files once they are flagged? Mr. Wardle stopped short of hacking into Kaspersky’s cloud servers, where suspicious files are routinely uploaded.
However, he noted that antivirus customers, including Kaspersky’s, agreed by default to allow security vendors to send anything from their machine back to vendors’ servers for further investigation.
There are legitimate reasons for this: By uploading these items to Kaspersky’s cloud, security analysts can evaluate whether they pose a threat, and update their signatures as a result.