Yesterday, Kaspersky announced that some of its internal systems had been breached. While this may have created a sense of Schadenfreude in some parts of the security community, Kaspersky has handled the situation quite well. Unlike many other companies that have suffered a breach, Kaspersky worked straight from the crisis management playbook: full disclosure, plenty of information and a plan. Kudos.
As Graham Cluley says: “In short, it handled what could have been a corporate crisis well – and reassured customers and partners that their data was safe, and the integrity of its security products had not been compromised.”
(Although one can’t help but wonder at the timing. According to the press release, the malware was found in “early spring 2015”, but the announcement is coming on June 10th — just a few weeks away from the official start of summer…)
Kaspersky is being up-front, but they are also spinning this as a research item. And that’s okay, because it is some fascinating research. This is a very interesting new malware variant, and quite sophisticated, quite likely tied to state-sponsored activities.
But they just can’t help being Kasperskyish:
From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.
(Yeah, that explains the Schadenfreude part.)
Anyway, the bigger story is the state of the antivirus detections on the day following Kaspersky’s announcement.
Considering that most antivirus vendors practice what I call “hash-whoring”, where hash detections from VirusTotal or internal scans are dumped wholesale into their signature databases (which explains the bloated size of today’s antivirus engines), the poor detection rate for this variant is surprising. (Incidentally, I’m not condemning this practice; it’s a very useful stop-gap until a detection team can write a proper detection. Nevertheless, it’s abused far too much, especially by poorer-quality, also-ran engines.)
And so on.
So, just for fun, I’ve published the hashes below, hyperlinked to VirusTotal. You can click on them as the week progresses to see the state of detection of your antivirus product.
(And, also remember to blacklist the C&C IPs: 220.127.116.11 and 18.104.22.168.)
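If you would rather script the “click on them as the week progresses” check than do it by hand, the following is an added example (mine, not from the original post or from Kaspersky) that pulls VirusTotal v3 file reports for a list of hashes, records which engines flag each one, and diffs two snapshots taken on different days so you can see which vendors only caught up after the hashes were public. The `/api/v3/files/{hash}` endpoint and the `x-apikey` header are VirusTotal’s real API; the two hashes and the engine verdicts in the sample snapshots are constructed placeholders so the script runs offline.

```python
"""Track antivirus engine coverage of a set of sample hashes on VirusTotal
over time.  Added example, not code from the original post.  The VT v3
endpoint is real; the hashes and verdicts in the SAMPLE snapshots below
are constructed so the script runs without network access or an API key."""
import json
import os
import urllib.request
from typing import Dict, Set, Tuple

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
FLAGGED = ("malicious", "suspicious")   # VT v3 per-engine verdict categories


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch a live VT v3 file report (only used when VT_API_KEY is set)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detecting_engines(report: dict) -> Tuple[Set[str], int]:
    """(engines whose verdict is malicious/suspicious, number of engines that scanned)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = {eng for eng, r in results.items() if r.get("category") in FLAGGED}
    return hits, len(results)


def coverage(snapshot: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Map engine name -> set of sample hashes it flags in this snapshot."""
    cov: Dict[str, Set[str]] = {}
    for sha, report in snapshot.items():
        for eng in detecting_engines(report)[0]:
            cov.setdefault(eng, set()).add(sha)
    return cov


def diff_snapshots(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Engines that flag hashes in `after` which they did not flag in `before`."""
    b, a = coverage(before), coverage(after)
    new = {eng: hashes - b.get(eng, set()) for eng, hashes in a.items()}
    return {eng: hashes for eng, hashes in new.items() if hashes}


def make_report(sha256: str, verdicts: Dict[str, str]) -> dict:
    """Build a minimal VT-v3-shaped report from constructed per-engine verdicts."""
    results = {eng: {"engine_name": eng, "category": cat,
                     "result": "Trojan.Duqu2" if cat in FLAGGED else None}
               for eng, cat in verdicts.items()}
    return {"data": {"id": sha256, "attributes": {"last_analysis_results": results}}}


# Constructed sample data: two placeholder hashes, three placeholder engines.
H1 = "a" * 64
H2 = "b" * 64
DAY0 = {  # announcement day: only VendorC has both, VendorB has neither
    H1: make_report(H1, {"VendorA": "malicious", "VendorB": "undetected", "VendorC": "malicious"}),
    H2: make_report(H2, {"VendorA": "undetected", "VendorB": "undetected", "VendorC": "suspicious"}),
}
DAY1 = {  # a day later: VendorA and VendorB have picked up the published hashes
    H1: make_report(H1, {"VendorA": "malicious", "VendorB": "malicious", "VendorC": "malicious"}),
    H2: make_report(H2, {"VendorA": "malicious", "VendorB": "undetected", "VendorC": "suspicious"}),
}


def load_snapshot(hashes) -> Dict[str, dict]:
    """Live reports if VT_API_KEY is set in the environment, else the DAY1 sample."""
    key = os.environ.get("VT_API_KEY")
    if not key:
        return {h: DAY1[h] for h in hashes}
    return {h: fetch_report(h, key) for h in hashes}


if __name__ == "__main__":
    snap = load_snapshot([H1, H2])
    for sha, report in snap.items():
        hits, total = detecting_engines(report)
        print(f"{sha[:12]}… {len(hits)}/{total} engines: {sorted(hits)}")
    print("newly detecting since DAY0:", diff_snapshots(DAY0, snap))
```

Run it daily with `VT_API_KEY` set and the real hashes substituted for the placeholders, keep each day’s JSON, and the `diff_snapshots` output tells you exactly which engines were still missing a publicly announced sample on day one and which only caught up once the hashes were on VirusTotal.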
Is this blog post another tired rant against antivirus? Absolutely not. AV isn’t dead; it’s one layer in a valid belt-and-suspenders approach to security.
But, a day later, and we still see poor detection? Yeah, that part sucks.