WikiLeaks recently published thousands of documents that the organization said belong to the CIA. Among them, there was a document that showed a list of antivirus and other security products that have been exploited and bypassed by the CIA.
The list included the following software products:
- Zemana Antilogger
- Zone Alarm
- Trend Micro
- Panda Security
- Malwarebytes Anti-Malware
- EMET (Enhanced Mitigation Experience Toolkit)
- Microsoft Security Essentials
You probably recognize most, if not all, of the products on that list. The list includes Microsoft’s “Security Essentials” antivirus program, which was later converted into the built-in “Windows Defender” program in Windows 8 and later, as well as EMET, Microsoft’s anti-exploit security tool (mainly for enterprise users).
EMET was recently deprecated by Microsoft, because the company said that many of EMET’s anti-exploit features such as DEP, ASLR, Control Flow Guard (CFG), as well as other mitigations against bypasses of User Account Control (UAC), were already built into Windows 10.
Microsoft said that because the security features are built-in, they should offer better security than the ad-hoc security that EMET tried to provide. The CIA documents released by WikiLeaks date from 2014, before Windows 10 came out. Therefore, we don't know what new capabilities the CIA may have obtained since then, and whether or not the new Windows 10 security features were also bypassed.
Bypassing Antivirus Programs
The leaked documents pertaining to the list of antivirus programs that have been exploited by the CIA seem to have been redacted, likely by WikiLeaks. The organization said that it made over 70,000 redactions in total, mainly to remove harmful code (WikiLeaks has been accused in the past of “hosting malware” because the emails it released contained malware targeted at the recipients of the leaked emails), as well as personal details and IP addresses. However, it’s not clear why the organization removed the technical information about how most of the antivirus programs in the list were exploited.
Only partial information was left about the CIA’s exploit capabilities against three antivirus programs: F-Secure, Avira, and AVG.
In OSB's experience, F-Secure has generally been a lower tier product that causes us minimal difficulty. The only annoyance we have observed is that F-Secure has an apparent entropy-based heuristic that flags Trojaned applications or other binaries containing encrypted/compressed payloads. Two defeats are known to exist: One involves using RAR file string tables in the resource section, the other involves cloning a RAR file manifest file – the manifest technique also works against Avira's entropy-based heuristics.
Avira has historically been a popular product among CT targets, but is typically easy to evade. Similar to F-Secure, Avira has an apparent entropy-based heuristic that flags binaries containing encrypted/compressed payloads, but there are two known defeats.
AVG Catches a Payload Dropped to Disk and Launched via Link File Well After Execution (Process Hollowing)
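To make the "entropy-based heuristic" in the excerpts above concrete, here is an added defender-side sketch, not code from the leaked documents or from any antivirus vendor, that scores fixed windows of a file by Shannon entropy and reports the high-scoring regions. The window size, threshold, function names and sample inputs are all assumptions constructed for illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

WINDOW = 1024      # assumed window size in bytes
THRESHOLD = 7.5    # assumed cutoff in bits per byte (the maximum is 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def high_entropy_regions(blob, window=WINDOW, threshold=THRESHOLD):
    """Merged (start, end) offsets of fixed windows scoring above threshold."""
    regions = []
    for start in range(0, len(blob) - window + 1, window):
        if shannon_entropy(blob[start:start + window]) <= threshold:
            continue
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], start + window)   # extend previous run
        else:
            regions.append((start, start + window))
    return regions


def constructed_samples():
    """Constructed inputs: hex text, text with an opaque blob inside, a zlib archive."""
    digests = [hashlib.sha256(str(i).encode()).digest() for i in range(256)]
    text = "\n".join(d.hex() for d in digests).encode()   # low entropy, ~4 bits/byte
    opaque = b"".join(digests[:128])                      # 4096 bytes standing in for ciphertext
    return {
        "plain_text": text,
        "embedded_blob": text[:4096] + opaque + text[:2048],
        "benign_archive": zlib.compress(text),            # harmless, yet near-random bytes
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:15s} overall={shannon_entropy(blob):.2f} "
              f"flagged={high_entropy_regions(blob)}")
```

The harmless zlib archive is flagged as well, which is why an entropy score on its own produces false positives and is normally combined with other signals such as file type and signer.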
Perhaps the fact that the CIA can bypass most antivirus products should not be that surprising. After all, any sophisticated attacker who wants to develop new malware would also try to find ways to bypass the popular antivirus products. Otherwise, the malware wouldn’t be very effective, and it would be caught too early.
Google’s Project Zero security research team has also shown that antivirus programs can sometimes be some of the most vulnerable programs you may be running on your system. That’s not just because some of the antivirus companies are careless with the code they write, but mainly because the same techniques they use to “make users safer” are what create the vulnerabilities in users’ systems in the first place.
For instance, some of them do man-in-the-middle attacks against users’ browsers in order to analyze the encrypted pages that the users are visiting. However, an attacker could exploit this by taking over the capability and then using it against the users. Therefore, in this case, the antivirus created a vulnerability that perhaps wouldn’t have existed otherwise.
Staying Safe Online
The most common-sense ways to stay safe are still to be careful about what you install on your system, use accounts with limited rights by default, and update your operating system and applications on time. This should save you from the vast majority of attacks and malware.
If you want to go the extra mile, you could also browse the web in a Linux virtual machine, or even use a more compartmentalized operating system such as Qubes OS, but these tools may not be for everyone.