Feeds

Government-built malware running out of control, F-Secure claims

What if antivirus companies are whitelisting state malware...

The Essential Guide to IT Transformation

TrustyCon A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure's malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday.

"Governments writing viruses: today we sort of take that for granted but 10 years ago that would have been science fiction," he told the public conference. "If someone had come to me ten years ago and told me that by 2014 it will be commonplace for democratic Western governments to write viruses and actively deploy them against other governments, even friendly governments, I would have thought it was a movie plot. But that's exactly where we are today."

The US is leading the way in this, he said, having initiated the Stuxnet malware against Iran's nuclear enrichment facilities, although the actions against the Iranians were part of a much larger program, Operation Olympic Games, which was initiated by the then-President Bush and carried on by Obama.

Hyppönen said that he had investigated a Stuxnet sample to see if it could be modified to attack other targets and found that it could, up to a point. The specific control code to interfere with the industrial SCADA control systems used by the Iranians was very difficult to reshape, but the malware could be reconfigured to introduce random controls to be sent to an infected industrial plant that could cause havoc.

Later parts of Operation Olympic Games were even more worrying, he said, particularly the Flame malware which spread using a false Windows Update system. Normally the Windows operating system refuses updates from code that isn't properly cryptographically signed, but in this case the writers appeared to have used a large team of crackers and a supercomputer to spoof Microsoft's signing key.

But it's not just the Americans, he said. China has long been fingered as using state-sponsored malware, and last June US President Obama and the Chinese premier were due to have a White House summit on the issue. Unfortunately Edward Snowden started leaking the NSA's documents four days before the meeting and the crucial topic was abandoned.

In Europe, German police and customs officials have access to a bespoke computer Trojan called R2D2 which is used to track and collect data on targets. The Russians are also major players, and even the Swedes are in on the game; Hyppönen showed the audience leaked documents showed Swedish officials had had meetings with the NSA and were setting up their own malware program.

New state actors are also piling in. Hyppönen highlighted the birth of a new malware family, called Careto (Spanish for "the mask"), which popped up in February. That software nasty, which has cropped up in 31 countries, belongs to a yet unknown Spanish-speaking country and is spreading fast.

Hyppönen also wondered out loud whether some antivirus companies had overlooked government-crafted malware. A Dutch campaign group called Bits of Freedom sent a letter to all the major antivirus vendors asking them to confirm that they weren't being asked to whitelist some kinds of malware being produced by government.

"The question was answered by our CEO saying 'No, we haven't', we have never whitelisted any government malware since the source doesn’t come into play – we simply protect all our customers," he said. "We've had this policy for 13 years."

While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.