
Yet Another Government-Sponsored Malware - r0h1n
https://www.schneier.com/blog/archives/2016/08/yet_another_gov.html
======
r721
Recent discussion:
[https://news.ycombinator.com/item?id=12253632](https://news.ycombinator.com/item?id=12253632)

------
Phithagoras
More detailed post from Kaspersky here
[https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/](https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/)

------
jcoffland
I find it ridiculous that any time a really well written malware is found it
is assumed that it must have been written by a government. Since when has
government been the example of efficiency and clarity that is requisite to
high quality software? The Open-Source world is full of examples of non-state
programmers writing excellent code that does amazing things.

------
Dolores12
Stuxnet was discovered by a Belarusian anti-virus company; Duqu & Project
Sauron were discovered by Kaspersky Lab. Are US-based anti-virus companies
that bad or ...?

~~~
drzaiusapelord
Or what? I'm not following, but I think it's clear that state malware
disclosure is political.

If Kaspersky finds a Russian FSB trojan, they won't go to the press. They'll
call their pals at the FSB and ask what to do. In an authoritarian state,
revealing such a thing could be life threatening. In other words, Kaspersky
isn't going to report on Russian state malware, which we certainly know exists
considering the documented attacks on Ukraine, Baltics, Georgia, etc.

The US/EU has a stronger freedom of the press tradition and doesn't often
follow autocratic staples like murdering inconvenient journalists and serving
them polonium tea, but obviously jail-time can be in the cards if laws were
violated. I imagine it's just safer to report on Western state sigint compared
to autocratic/authoritarian state sigint, thus we hear about Western sigint
efforts a lot more, especially in the Western press. One of the downsides of
having an open society is that you see the warts and all, but a more closed
autocratic one has better information and propaganda control, so the perception
of "those things don't happen here" is easy to sell to low-information
constituents, and special efforts are made to keep them low-information.

Also, I think it's clear Russia uses Kaspersky to make western intelligence
look bad. It's more demoralizing to have an AV vendor point this stuff out than
one's own security apparatus, and it's a good cover for the FSB's own hacking.
Wired has written about the FSB/Kaspersky connection before. Note it's almost
always Kaspersky finding Western state malware, not the dozens of other
competent AV firms and thousands of top tier researchers. Funny how that
works.

[http://www.wired.com/2012/07/ff_kaspersky/](http://www.wired.com/2012/07/ff_kaspersky/)

~~~
Dolores12
How is that relevant to my question?

Also, in the US you are free to talk about anything unless you are under a gag
order.

[https://en.wikipedia.org/wiki/Gag_order](https://en.wikipedia.org/wiki/Gag_order)

~~~
rev_bird
> I think it's clear Russia uses Kaspersky to make western intelligence look
bad. It's more demoralizing to have an AV vendor point this stuff out than one's
own security apparatus, and it's a good cover for the FSB's own hacking. Wired
has written about the FSB/Kaspersky connection

This seems like the most relevant part -- it's not that Kaspersky is THAT much
better, but that they have a lot of help from the state, which has way more
resources than an anti-virus company. How much of that is true, I have no
idea.

Also, "free" in the way you use it is a pretty shaky concept: In theory,
you're "free" to record police officers acting in the course of their duty,
but that doesn't mean the authorities won't ruin your life because of it. (To
say nothing of how eerily easy it is for the government to issue gag orders.)

------
monkmartinez
I am not a security expert, but it doesn't seem that hard to figure out how
this is being done. Lots of money to an insider/spy/human that has access to
the places one would like to install said malware. Most of these stories seem
to involve good, old fashioned social engineering. Albeit, social engineering
with lots of money or another kind of leverage.

Or... maybe I am naive. I just tend to look at this stuff with how can we get
this done the easiest way??? Human emotions are much easier to target than
silicon.

------
unsignedqword
Do any consumer AV suites actually try identifying and removing or
quarantining state-actor-level malware?

~~~
dijit
Anti-Virus only finds the very most common viruses and malware.

I think only 30% of malware is detected. I remember reading about that a while
back and this was after advanced heuristic methods had been around for a
while.

~~~
unsignedqword
That's not really what I meant. I mean in the cases where such 'super-malware'
has been clearly identified and plucked apart by security researchers, could
your average commercial AV kill it? I did some googling and found out for
myself that apparently, they do:

[https://www.symantec.com/security_response/writeup.jsp?docid=2011-101814-1119-99](https://www.symantec.com/security_response/writeup.jsp?docid=2011-101814-1119-99)

[https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Stuxnet.B](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Stuxnet.B)

~~~
dijit
Oh, in the case where they're very publicly known they will. Even if the US
government wanted to suppress it, they do not have power over all AV
companies, so it would be damaging to those companies.

And in any event, when we find out about nefarious state-sponsored software
it's almost always super old.

------
dguido
Schneier is basically blogspam. Quotes entirely from another article, follows
up with "I don't know what this means???" Why do people keep reading him?

~~~
Zikes
He's a content curator for a particular category of content. Would you prefer
to follow all of the relevant sources and sift through the cruft yourself?

~~~
DanBC
But people should be submitting the original source, not Schneier's link,
unless he adds something useful.

~~~
Zikes
I can agree with that, however his interest in an issue is a primary indicator
of its importance for me.

