Kaspersky publishes the results of internal investigation

Nov 16, 2017

Kaspersky publishes the results of the internal investigation of the source code incident of the APA
In early October, the Wall Street Journal reported that a Kaspersky Lab antivirus program had been used to download confidential data from a US National Security Agency computer.

In response to the report, the leading Russian company in the field of information security said that it “dealt with these allegations very seriously and conducted a comprehensive internal investigation to collect the facts on this matter and address any concerns arising from it.”

The preliminary findings of the investigation were released on October 25, and the report highlighted the company’s overall findings in search of any evidence related to the alleged incident in the media.

Today, Kaspersky published a new report that, it says, confirms the preliminary results and adds further information and insights from its analysis of the telemetry produced by the Kaspersky Lab product involved in the incident. This telemetry describes the suspicious activity recorded on the computer in question within the 2014 timeframe of the incident.

According to the new report, on 11 September 2014 the Kaspersky Lab product installed on a US-based computer reported that the device was infected with what appeared to be a new and different variant of malware used by the Equation Group, an advanced persistent threat (APT) actor whose activities and tooling had been under investigation by the company since March 2014.

The company said it appeared that the user later downloaded and installed pirated software on the device, specifically a Microsoft Office ISO file and an illegal Microsoft Office 2013 activation tool (a “keygen”). To install the pirated Office 2013 package, the user appears to have disabled the Kaspersky Lab product on the computer, because the pirated activation tool cannot run while the antivirus program is active.

Kaspersky added that the illegal activation tool bundled with the Office 2013 package carried malware, so the user’s machine was infected for an undetermined period during which the Kaspersky Lab product was disabled. This malicious code contained a backdoor that allowed other third parties to access the user’s device.

When the product was re-enabled, the company said, Kaspersky Lab detected the malware, identified as Backdoor.Win32.Mokes.hvl, and blocked it to prevent any connection to its command-and-control server. The first detection of the malicious installer was on 4 October 2014.

In addition, the antivirus product also detected new and previously known variants of Equation APT malware. One of the detected items, a new and different variant of Equation APT malware contained in a 7zip archive, was sent to Kaspersky’s virus lab for further analysis in accordance with the End User License Agreement and the Kaspersky Security Network agreement.

The analysis found that the archive contained several files, including a set of known and unknown Equation Group tools, source code, and confidential documents. The analyst reported the incident to the chief executive. On the chief executive’s instructions, the archive, the source code and any confidential data were deleted from all company systems within days; only the malware binaries were retained. The archive was not shared with any third party.

According to the company, the reasons Kaspersky Lab deleted these files, and will delete any similar files in the future, are twofold: first, the company needs only malware binaries to improve its protection; second, there were concerns about the possibility of handling classified files.

Because of this incident, Kaspersky Lab introduced a new policy for all malware analysts: any file that may be classified material and is encountered in the course of anti-malware research must be deleted. The investigation did not reveal any other similar incidents in 2015, 2016, or 2017. So far, no third-party intrusion into Kaspersky Lab networks has been detected other than Duqu 2.0.

To make the internal investigation more objective, Kaspersky Lab used many analysts, including analysts of non-Russian origin working outside Russia, to avoid any possible accusation of interference in the investigation.

The main findings of the investigation show that the computer was infected with the Mokes backdoor malware, which allows attackers to access the device remotely. As part of the investigation, Kaspersky Lab’s experts conducted a deeper analysis of this backdoor and of the other non-Equation indicators associated with this threat that were reported from the computer.

The Mokes backdoor (also known as Smoke Bot or Smoke Loader) is known to have appeared on Russian underground forums, where it was offered for sale in 2011. Kaspersky Lab’s research showed that between September and November 2014 the malware’s command-and-control servers were registered to what appears to be a Chinese entity named Zhou Lou. The in-depth analysis also showed that the Mokes backdoor may not have been the only malware on the computer at the time of the incident, as other illegal keygens were detected on the same device.

Over two months, the product reported 121 alerts for malware not belonging to the Equation Group, including backdoors, exploits, Trojans, and adware. All of these alerts, together with the limited telemetry available, indicate that when the product detected these threats it was not possible to determine whether they had begun operating during the period in which the product was disabled.

Kaspersky Lab continues to research the other malware samples and will publish further results once the analysis is complete.

The general findings of the investigation to date are that the product worked as expected, notifying the company’s experts and analysts of alerts in line with the released product version, and detecting malware of the Equation APT group, which had been under investigation for six months. All of this matches the product’s documented functionality, the described scenarios, and the legal documents accepted by the user before installing the software.

Potentially classified data was also pulled back because it was contained in the archive that had triggered a signature for Equation APT malware. Besides malware, the archive also contained what appears to be Equation APT malware source code, along with four “Word” documents marked “confidential”. Kaspersky Lab has no information about the contents of these files, as they were deleted within days.

Kaspersky Lab cannot assess whether the data was “properly handled” (according to US government standards and rules), since the company’s experts and analysts have not been trained to handle US classified information and have no legal responsibility or obligation to do so. The information was not shared with any third party.

Contrary to a number of media reports, there was no evidence that Kaspersky Lab’s experts and researchers ever tried to issue “silent” signatures to search for Word documents containing words such as “top secret”, “confidential”, “secret” and other similar terms.

The Mokes malware, and possibly other non-Equation malware infections, could have leaked user data to an unknown number of third parties through remote access to the computer.

In line with its policy of transparency, Kaspersky Lab says it is ready to provide further details of the investigation to the relevant government bodies and concerned clients in response to the newly published media reports.
