A Spook in the Wheel DOBSSNME, DOBSSNSU

English journalist Kevin Townsend asks Is the anti-virus industry in bed with theNSA – why do CIPAV, FinFisher and DaVinci still defeat AV? Since a large proportion of my income is derived from consultancy for the AV industry, you might think I ought to know the answer. (But let’s make it clear from the start that I’m not speaking on behalf of anyone but myself.) In fact, nobody is paying me specifically to talk to journalists, but I know very well that media consultants advise those who are to be circumspect in answering any question that resembles ‘are you still beating your wife?’ Kevin didn’t actually ask about anybody’s wife, but there is an assumption in the very question he did ask that begs another question about his readiness to assume failure – in this respect – on the part of the anti-malware industry. But I’ll come back to that.
Actually, I don’t know the answer to his question – the one about the NSA, that is. (Shock! Horror!) Or to be more precise, no AV researcher I’ve ever spoken to – and after nearly 25 years in security, I’ve got to know more AV researchers than most journalists – has admitted that a government agency might have asked them to turn a blind eye to government trojans. It’s possible, of course, that even security researchers don’t tell the whole truth the whole time. And it’s also possible, as a well-known European conspiracy theorist once assured me, that these deals are made at C-level, not with researchers and developers. I can’t say it’s impossible that once in a while some security company C*O rings down to someone on the shop-floor and says ‘please remove detection for a file with the following characteristics….’, but I have to wonder what communication channels exist for exerting that kind of pressure on a security company.
Is there someone at the NSA whose job is to monitor whether government trojans are currently detected by AV software? Do they have a lab, or are they just submitting the hashes to VirusTotal ? Do they have a list of C*O phone numbers and use the threat of CIA black ops to enforce their requests? Do they have a mutual arrangement with the FBI so that CIPAV comes under the same umbrella? Do they also have a mutual agreement with foreign agencies and providers like the German police (Bundestrojaner) and Gamma International (FinFisher) so that they can apply the same pressure? If I want to avoid being monitored by the NSA, should I perhaps consider a Chinese AV product?
Well, there’s a serious point here. (Actually, I wasn’t being altogether flippant in the previous paragraph, either: it’s quite likely that AV detection of ‘government trojans’ are periodically if not continuously checked by those who write them.)
Speculation about this alleged alliance seems to be based on the assumption that the ‘AV Industry’ – we really ought to be talking about the ‘anti-malware’ industry at this point, though – is a single monolithic entity, or at least readily accessible via a single pressure point. On the basis of which of his own articles Kevin cites, I suspect that he might be thinking that AMTSO or the WildList Organization might be such a pressure point, but AMTSO is not WLO, and neither AMTSO nor WLO is the anti-malware industry incarnate. In fact, there are a great many security vendors whose products are focused on malware detection and/or blocking who aren’t represented in one or both, which in any case have a very specific focus, and neither is some generic mouthpiece for the security industry.
To get back to a question of my own that I hinted at earlier: why does he assume that these programs do defeat AV? Perhaps because Bruce Schneier says ‘…anti-virus software won’t detect them…’ Bruce Almighty is a very clever man, and the security landscape would be that much duller without him, but his understanding of anti-malware technology is not always perfect. He may well know more about the tools used by the NSA than I do, but at least two of the tools cited by Townsend are or have been detected by at least one anti-malware company: the Bundestrojaner (Win32/R2D2.A) and FinFisher (Win32/Belesak.D). (Of course, I very much doubt whether ESET was the only company to detect those two examples.) I can’t, of course, guarantee that there aren’t later samples of those or anything else that aren’t detected. And in fact, I’m pretty sure that Luis Corrons and Claudio Guarnieri, as quoted in Kevin’s article, are right in suggesting that the makers of such products (commercial or in-house) will adjust their products in order to avoid detection: that’s probably a continuous process for them just as it is for the gangs behind unequivocal malware.
I do think Schneier is pretty much on the money when he suggests that geopolitical differences between companies would make some products more susceptible to pressure than others. Political pressure, at any rate, though I suspect that non-US companies with a toe in the US market could be targeted for indirect commercial pressure. That’s an approach that could easily backfire, though. Kevin doesn’t seem convinced though. He cites Mikko Hypponen’s apologetic article for Wired , referring to the fact that the industry missed Stuxnet and Flame for so long, and hints that ‘two major government-sponsored malware samples known about and ignored by multiple AV companies for several years’ may not be coincidence.
Well, in PR terms it was certainly, as Mikko described it, a ‘spectacular failure’. In real life, though?
Nowadays, anti-malware labs process hundreds of thousands of samples a day: failure to realize the significance of a vanishingly small set of stealthy, low-prevalence samples is hardly describable as a success, but it’s not exactly a spectacular failure in statistical terms. Of course, if they were the only such failures over a period of years, that might be seen as a clear indication of a sinister conspiracy. But they aren’t. They are significant – and linked in Mikko’s article – because they’re conspicuous (and related) failures of automated preliminary analysis, but there are many such failures that no-one writes about.  To argue malfeasance from two instances sounds pretty weak to me, or at best based on a misunderstanding of lab processes.  No lab I know of has the resources to perform manual analysis on several hundred thousand samples per day, so they must to some extent rely on automated analysis to flag those samples as requiring further investigation. That automated analysis can’t be expected to be infallible. So, yes, once again security technology failed once again to provide 100% protection.
But Kevin’s article also asserts that if ‘the AV industry’ is not ‘in bed with the NSA’, it must be because ‘the AV industry is not as good as the “stops 100% of known malware” claims that it makes.” So the innuendo about complicity with the NSA is not really the point at all: the real target is an AV marketing claim. You may find it a little confusing if you’re not familiar with some of his other writing: surely anti-malware ought to detect everything it knows about? What he’s referring to, though, is – I imagine, seeing that he included a link to this article – the use of WildList testing as a measurement of AV effectiveness. I talked about the declining usefulness of WildList testing at some length here , but I’ll reproduce the relevant text here anyway. (I was referring to his blog here , by the way, not the blog about AMTSO.)
Or, indeed, as catching everything known. A single company might at any point detect all the malware it knows about for which detection isn’t still in process. But it doesn’t mean that all companies detect it. (If it did, there wouldn’t be much point to comparative detection testing.)
Sorry, but I’m going to quote another of my own blogs (again, not an ESET blog).
David Harley CITP FBCS CISSPSmall Blue-Green WorldESET Senior Research Fellow