What the Kaspersky breach tells us about the state of antivirus

Yesterday, Kaspersky announced that some of its internal systems had been breached. While this may have created a sense of Schadenfreude in some parts of the security community, Kaspersky has handled the situation quite well.  Instead of other companies that have suffered a breach, Kaspersky worked straight from the crisis management playbook — full disclosure, plenty of information and a plan. Kudos.

As Graham Clulely says: “In short, it handled what could have been a corporate crisis well – and reassured customers and partners that their data was safe, and the integrity of its security products had not been compromised.”

(Although one can’t help but wonder at the timing. According to the press release, the malware was found in “early spring 2015”, but the announcement is coming on June 10th — just a few weeks away from the official start of summer…)

Kaspersky is being up-front, but they are also spinning this as a research item. And that’s okay, because it is some fascinating research. This is a very interesting new malware variant, and quite sophisticated, quite likely tied to state-sponsored activities.

But they just can’t help being Kasperskyish:

From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.

(Yeah, that explains the Schadenfreude part.)

Anyway, the bigger story is the state of the antivirus detections on the day following Kaspersky’s announcement.

Considering that most antivirus vendors practice what I call “hash-whoring”, where hash detections from VirusTotal or internal scans are dumped wholesale into their databases (explaining the massive size of today’s antivirus engine), the poor detection state of this variant is surprising. (Incidentally, I’m not condemning this practice — it’s a very useful stop-gap until a detection team can make a good detection — nevertheless, it’s abused way too much, especially by poorer quality, also-ran engines.)

We know what this piece of malware looks like, because Kaspersk published the complete Indicators of Compromise (IOCs). So, we can just go to VirusTotal and check the detection status:

Vt1

Vt2

Vt4

Vt5

 

And so on.

So, just for fun, I’ve published the hashes below, hyperlinked to VirusTotal.  You can click on them as the week progresses to see the state of detection of your antivirus product.

Action loaders:

089a14f69a31ea5e9a5b375dc0c46e45
16ed790940a701c813e0943b5a27c6c1
26c48a03a5f3218b4a10f2d3d9420b97
a6dcae1c11c0d4dd146937368050f655
acbf2d1f8a419528814b2efa9284ea8b
c04724afdb6063b640499b52623f09b5
e8eaec1f021a564b82b824af1dbe6c4d
10e16e36fe459f6f2899a8cea1303f06
48fb0166c5e2248b665f480deac9f5e1
520cd9ee4395ee85ccbe073a00649602
7699d7e0c7d6b2822992ad485caacb3e
84c2e7ff26e6dd500ec007d6d5d2255e
856752482c29bd93a5c2b62ff50df2f0
85f5feeed15b75cacb63f9935331cf4e
8783ac3cc0168ebaef9c448fbe7e937f
966953034b7d7501906d8b4cd3f90f6b
a14a6fb62d7efc114b99138a80b6dc7d
a6b2ac3ee683be6fbbbab0fa12d88f73
cc68fcc0a4fab798763632f9515b3f92

Cores:

3f52ea949f2bd98f1e6ee4ea1320e80d
c7c647a14cb1b8bc141b089775130834

(And, also remember to blacklist the C&C IPs: 182.253.220.29 and 186.226.56.103.)

Is this blog post another tired rant against antivirus? Absolutely not. AV isn’t dead. It’s part of a valid belt-and-suspenders approach to security.

But, a day later, and we still see poor detection? Yeah, that part sucks.

Leave a Reply