Tom Brewster investigates whether governments and the antivirus industry colluded to allow surveillance software through their defences
Imagine a world in which security vendors allowed specific strains of malware through on the say-so of governments. If exposed, it would surely ruin them: the industry has to maintain trust with customers to survive. But latent suspicion of collusion between antivirus vendors and governments was awakened in November 2014, by revelations surrounding a highly sophisticated piece of malware called Regin.
According to The Intercept, one such attack involved Belgian ISP Belgacom. Dutch security firm Fox-IT helped to remove the malware, and it later emerged, thanks to a tweet from one of its employees, that the malware may have been crafted by GCHQ and NSA snoops.
The malware was used to target individuals of interest, including noted cryptographer Jean-Jacques Quisquater, who told us that he believes other security academics were targeted by Western intelligence agencies. Quisquater even admitted that, if he'd been in charge of the surveillance operations, he'd also have targeted encryption experts to uncover “state-of-the-art” security technology in advance of its wider release.
Rush to publish
Antivirus firms, in their rush to push out technical analyses of Regin, opened themselves up for criticism. It was apparent they had detected the malware well ahead of their disclosure of it, so why take so long to publish their research?
Technical staff at The Intercept told us that antivirus firms got wind of its own report and sought to go public ahead of publication as part of a PR exercise. This was the first failure of the security companies: they didn't see any value in talking about Regin until the media was ready to expose it.(Above: Kaspersky Lab has now published its research into Regin, including this guide to how the malware stays hidden)
Curiously, most were blocking parts of Regin at least five years ago. Symantec had been thwarting components of the malware in 2010, and both F-Secure and Kaspersky Lab were doing the same in 2009. By March 2011, Microsoft's antivirus software was detecting and identifying Regin by name. So it's evident that security firms were aware of Regin; they just weren't talking about it.
This raises a pertinent question: were security companies told to keep quiet by GCHQ and the NSA, or did they keep quiet simply to keep Western governments happy? Neither scenario inspires confidence.
"Security companies didn't see value in talking about Regin until the media was ready to expose it"
Such concerns aren't the preserve of tin foil hat wearers. F-Secure admitted it had been asked by a customer – not from the public sector – to stay silent about Regin, for fear of exposing it as a victim. Kaspersky has been asked – through what it describes as “informal” channels – not to detect “law-enforcement malware”, but has explicitly said it would never accept such a request.
Exactly how many other companies have been approached with such “informal” requests, and perhaps have a juicy government contract just waiting to be signed, is something over which we can only speculate.
Slow to question
Justin Clarke, co-founder of security-services firm Gotham Digital Science, believes the industry was simply slow putting the puzzle together. “I wouldn't expect antivirus firms to be sitting on Regin for no reason,” said Clarke. “It's probably more that they hadn't recognised what it was until they had enough information.”
Their silence is also symptomatic of an industry that doesn't share. Kaspersky Lab was the only vendor to give a full explanation for the delay, comparing the time-consuming work that goes into threat reports to palaeontology: “Everyone may have a bone, but nobody has the full skeleton.”(Above: Regin has a remarkable, modular structure, with multiple stages of execution that are each hidden and encrypted)
There remains another doubt, however. According to The Intercept's report, the malware may well date back to 2003, leaving a six-year period in which no antivirus system had detected Regin or its components.
“Historically, antivirus companies have focused on protecting users against widespread threats that have been seen before. As such, they're useful for protection against generic malware that steals banking information, online gaming credentials and so on,” said Morgan Marquis-Boire, a former Google security professional now responsible for protecting First Look Media, the publisher of The Intercept.
“They're less effective against custom surveillance implants that aren't seen in quantity. This includes boutique toolkits such as Regin that are developed in-house at large intelligence agencies, but also commercially sold 'lawful intercept' tools such as Hacking Team's Remote Control System and FinFisher's FinSpy.”
Collusion or incompetence?
Indeed, antivirus software's very failings may give security companies a plausible defence against accusations of a conspiracy. “Given that antivirus is poor at detecting targeted malware, it would be difficult to determine whether a company was failing to detect something due to collusion,” Marquis-Boire said.
But to suggest that Regin has exposed antivirus software as the enemy would be an overreaction, notes Bruce Schneier, cryptography expert and CTO of Co3 Systems, who campaigned in 2013 for security firms to reveal whether they had ever whitelisted malware at the request of a government entity. To eschew antivirus would be akin to foregoing door locks on your house, Schneier suggests.
Despite its manifold failures, antivirus is still a necessary technology. But questions remain over the industry's response to Regin: even if the number of people and companies being attacked was small, the public warnings should have been louder.