By Sherri Davidoff   /   Oct 10th, 2017

Can Antivirus Software Be Used Against You?

Antivirus software permeates our networks, from mission-critical servers to the CEO’s workstation. Ironically, the very software designed to protect our organizations can be used against us.

The Case Against Kaspersky

Recently, a dark cloud of suspicion has hung over the Kaspersky antivirus software. In September, the Department of Homeland Security issued a binding directive that banned the U.S. federal government from using the popular antivirus software. Why? Kaspersky is a Russian company, and federal analysts fear that “broad access to files and elevated privileges on the computers on which the software is installed… can be exploited by malicious cyber actors to compromise those information systems.”

Are federal officials right to be concerned? According to the Wall Street Journal, in 2015 hackers working for the Russian government stole classified documents which were improperly stored on an NSA employee’s home computer. Investigators revealed that Kaspersky antivirus software was installed on the employee’s computer. The antivirus software generated a list of files installed on the computer, which “alerted Russian hackers to the presence of files that may have been taken from the NSA.”

Perfect Distribution Systems… For Malware

Kaspersky is hardly the first cybersecurity software to be linked to state-sponsored attacks. In 2010, the Washington Post reported that antivirus firm Symantec was attacked by a sophisticated state-sponsored hacking group as part of the “Operation Aurora” attacks, which also compromised Google, Adobe and dozens of other IT firms and defense contractors. While Symantec never publicly acknowledged the attack, security professionals feared at the time that critical IT security tools could be turned against them.

In August 2017, the popular browser utility CCleaner was infected and used to distribute malware. Millions of people use the Avast CCleaner tool to protect privacy and improve performance. Cisco’s Talos research team reported that “[f]or a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” An estimated 2.27 million tainted copies were downloaded before the infection was discovered.


Vetting the Software Supply Chain

The Kaspersky ban once again brings to light the frightening potential of supply chain attacks. Antivirus software and other enterprise security tools are designed to protect us, but they also represent perfect malware distribution vectors. Wide distribution networks, including highly sensitive systems, combined with frequent automatic updates create a significant risk. By compromising antivirus software, criminals could potentially worm their way into the most sensitive areas of corporations and government agencies around the world.

If the idea of infected antivirus software makes you want to crawl under a rock, don’t panic! The best response is to take a risk-based approach. Include software vendors in your enterprise risk assessments. The National Institute of Standards and Technology (NIST) has published a guide “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” which all organizations can use as a reference when vetting vendors.

The bottom line: any third-party software introduces risk, particularly when installed throughout an enterprise. Manage risk by vetting your software vendors as part of your organization’s internal assessment program, and update your risk assessments routinely.

About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.
