Kaspersky Source Code In the Wild
mvar writes "The source code of an older version of 'Kaspersky Internet Security' has been circulated on the internet. The code was created in late 2007 and was probably stolen in early 2008. Names contained in the source indicate that the stolen code was probably a beta version of the 2008 software package – the current release is Kaspersky Internet Security 2011. According to a Russian language report by CNews (Google translation), the code was copied by a disgruntled ex-employee. The thief has reportedly been trying to sell the code on the black market for some time, and Kaspersky says that the code archive already appeared in various private forums last November."
Code to a 4-year-old antivirus app, what's that going to be worth? Kaspersky was great until a few years ago. Then one release made my parents' older P4 system near unusable. It went from Firefox loading in a few seconds to close to 30 seconds. Forums were filled with the same complaints and no real fixes. I changed to Avast and it's been great.
Only the State obtains its revenue by coercion. - Murray Rothbard
Another disgruntled employee. I wonder why he is disgruntled...
I wish them luck recovering it so they don't have to rewrite it from scratch.
(Copyright infringement is not theft.)
In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
This probably comes as news to you (you're not a developer, are you?) but when you build new software, you basically build upon older code. So yes, even the extreme scenario you talk about would cause some headaches to Microsoft.
Actually MSFT releasing the Win9X source would be WONDERFUL news, because if you haven't tried it Win9X can make a great embedded OS with better driver support and lower specs than pretty much any embedded OS out there.
And as for why anyone would care about TFA, that's simple: Often you don't "throw the baby out with the bathwater" and significant portions of the code will be reused. This means the black hats pretty much have a roadmap to use to trash Kaspersky AV. Even if they didn't use much of the previous code it most likely will allow them to see how the Kaspersky AV team treats PC resources like memory, giving them a good idea of where the weak spots are. Bad news for Kaspersky users I'd say.
ACs, don't waste your time replying; your posts are never seen by me.
Here's the thing.
The people who write malware already have this code. They might not have the C source, but they've got a good handle on the IO flow and undoubtedly have it in assembly. Is this a game-changer for the malware writers? Not even remotely. Even if this was the source code for the latest version from 2011, it wouldn't change anything.
"They" have access to the exact same software that we have. They can download Avast! or AVG or Kaspersky or MSE and write the malware to be untraceable under those security suites. Hell, if they really wanted it they could find disgruntled employees or cleaning crews and get access to the repositories for cash monies.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
That won't work. The source for Ubuntu has already leaked.
It's a very good start. Brain 1.0 is still the best virus scanner out there.
Still, there are threats that can't be defeated that way. Scenario: an exploit in a major Flash application that affects all possible plugins (since they are essentially the same, with different interfaces to the browser), an iframe hidden in a webpage on a, say, hotel homepage you happen to visit because you are planning your vacation, infection complete. If you happen to dislike plugins, browsers themselves can have their loopholes (IIRC the MHTML hole already made it to /. today), not to mention that browsers do also rely on APIs in the end, which are the same no matter what browser you use.
I'm not saying get an AV tool. All I say is that there are still vectors you cannot defeat just by being careful. A system's security is the minimum of the user's and the system's ability. Not the average.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Dammit, now Linux is hellish insecure!
Why didn't anyone inform the community? That's so irresponsible!
Drop an executable in ~, change ~/.profile and ~/.bashrc to put those directories first, pwned.
Easy to clean, true, but if you're not looking for it, it's not there. Also defeatable by mounting home noexec but how many user installs do that?
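As an added example, not part of the thread: a small POSIX shell audit, with constructed sample files and hypothetical function names, that flags rc-file PATH lines putting a home-relative directory ahead of the rest of PATH and checks whether the filesystem holding a home directory is mounted noexec, the two points the comment above raises.

```shell
#!/bin/sh
# Added example (not code from the thread). Audit a shell rc file for PATH
# assignments that put a home-relative directory ahead of the existing PATH,
# and check whether the filesystem holding a home directory is mounted noexec.
# Function names and all sample data are constructed for this example.

# ERE for a PATH assignment whose value starts with $HOME, ${HOME}, ~ or .
# followed by ':' (a user-writable directory would be searched first).
PATH_HIJACK_RE='^[[:space:]]*(export[[:space:]]+)?PATH=["'"'"']?(\$HOME|\$\{HOME\}|~|\.)(/[^:"'"'"']*)?:'

# check_rc_path FILE: print matching lines with line numbers.
# Returns 1 if any suspicious PATH line was found, 0 if the file is clean.
check_rc_path() {
    if grep -nE "$PATH_HIJACK_RE" "$1"; then
        return 1
    fi
    return 0
}

# home_is_noexec MOUNTS_FILE DIR: read /proc/mounts-style lines, pick the
# longest mount point that contains DIR, and return 0 only if its options
# include noexec (a binary dropped there cannot be executed directly).
home_is_noexec() {
    awk -v dir="$2" '
        {
            mp = $2; opts = $4
            if (mp == "/" || index(dir "/", mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; bestopts = opts }
        }
        END { if (("," bestopts ",") ~ /,noexec,/) exit 0; exit 1 }
    ' "$1"
}

# Constructed fixtures so the example runs offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_RC="$WORK/bashrc"
SAMPLE_MOUNTS="$WORK/mounts"
cat > "$SAMPLE_RC" <<'EOF'
alias ll='ls -l'
export PATH="$HOME/bin:$PATH"
PATH=$PATH:/opt/tools/bin
EOF
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
check_rc_path "$SAMPLE_RC" || echo "PATH hijack candidate found in $SAMPLE_RC"
home_is_noexec "$SAMPLE_MOUNTS" /home/alice && echo "/home/alice is on a noexec mount"
```

On a live system you would point check_rc_path at ~/.profile and ~/.bashrc and home_is_noexec at /proc/mounts; the second line of the constructed rc file is the case the function flags.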
Linux is not inherently more secure. Why would it be?
You might notice now and then that an exploit gets discovered in a Linux program. BIND and sendmail have for some time been the poster children for "yet another Linux security hole". Even BIND 9 has its issues. Now, why BIND and sendmail? Are they so horribly insecure compared to the rest of the system?
No. But compromising them is profitable. Simple as that.
Likewise, finding security holes in Windows is profitable. The average Windows user is less clued than the average Linux user. And that's not up for discussion. Not because Linux would need more knowledge, simply because to use Linux you'd first of all have to know it exists, something the average Joe Randombrowser doesn't even know, or he mistakes Linux for some sort of odd interface that runs on top of Windows.
Porting all those Joes to Linux now does not solve the problem. Because the problem stays the same: As long as users allow everything, disable all security and hand over root credentials to any program in exchange for Dancing Pigs, the system is powerless to defend against this.
And THIS is the core problem of security today. Not a hole in the technical security, it's a hole in the user's ability and awareness of security.
If you now move all those Joes to Linux, all that will change is that the same kind of malware crap we see today for Windows will start to pop up for Linux. The only reason why there is not more malware for Linux is simply that the market is too small. It's a bit like the game market. Why are there not more games for Linux? Simple: more money in making games for Windows. Simply because it's a bigger market.
But that's not what an AV is for, despite the industry trying to market it as such. Antivirus software is reactionary. The company has to receive an unknown virus and analyze it before they can put the virus in the next definition file update. And any heuristics module included is typically useless against all but the most basic attacks.
AV is at best a catch-all for uncontrolled or uncontrollable situations. Office computers, shared family home machines, etc. that are subject to illogical users' whims would benefit from AV. But AV cannot stop zero-day exploits, cannot prevent malicious JS, and is completely useless against a determined attacker with physical access to a machine.
Proper computer security addresses each attack vector separately. A properly-configured software firewall will take care of most of the threats through the network. In fact, hiding behind a NAT will take care of 99% of the zero-day threats; whitelisting outbound traffic is just good security practice. NoScript and safe surfing habits will guard against anything coming in through the browser. Obviously, preventing unauthorized physical access to the system requires physical security.
All AV will do is maybe stop that infected autorun from your kid's buddy's flash drive, or delete that exe file you accidentally downloaded from a questionable site you were surfing. But that's what it's really there for: all the cases you don't really know or expect to have to guard against.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
I visited some of these forums today, and fair enough, the source code is there. Here is what I found:
#include <stdio.h>
#include <kaspersky.h>
char make_prog_look_big[1600000];
main()
{
    if (detect_cache())
        disable_cache();
    if (fast_cpu())
        set_wait_states(lots);
    set_mouse(speed, very_slow);
    set_mouse(action, jumpy);
    set_mouse(reaction, sometimes);
    printf("Please wait, Kaspersky is scanning your computah\n");
    if (system_ok())
        crash(to_dos_prompt);
    else
        system_memory = open("a:\\swp0001.swp", O_CREATE);
    while(1) {
        sleep(5);
        scan_a_single_file();
        sleep(5);
        update_progress_bar();
        sleep(5);
        if (rand() < 0.9)
            crash(complete_system);
    }
    return(unrecoverable_system);
}
This means the black hats pretty much have a roadmap to use to trash Kaspersky AV. Even if they didn't use much of the previous code it most likely will allow them to see how the Kaspersky AV team treats PC resources like memory, giving them a good idea of where the weak spots are. Bad news for Kaspersky users I'd say.
The moment you give someone your binary you've given them your code, just in a harder to read format. Any black-hat that cares will merely read the disassembly. Original source code not required.
-Malloc
___________________ I want to be free()!