Hacker News new | past | comments | ask | show | jobs | submit login

If we assume Kaspersky is highly popular in Russia it might have been a way to avoid spreading the malware inside Russia (while keeping the behaviour non-obvious). jaclaz notes in another comment that it is easy to recover from this "vendetta".

While it may be a reasonable conclusion, such assumptions aren't supported by some rudimentary survey evidence, as per AV-Comparatives.org [1]

The Kaspersky condition in Petya is indeed unusual, but I would agree with the initial blog post that right now there isn't enough information to make even an educated guess. Kaspersky isn't just popular in Russia, it's consistently a top 3 world-wide, both for individual users and for businesses.

While I appreciate and even sometimes enjoy speculation such as this for fun, I agree with the F-Secure blog post that it is not useful in the current situation as there just isn't enough evidence to develop anything more than wild guesses.

[1] https://www.av-comparatives.org/wp-content/uploads/2017/01/s...

"Kaspersky isn't just popular in Russia, it's consistently a top 3 world-wide, both for individual users and for businesses."

But it is also banned in Ukraine, where most targets were.

And I'd assume the reason it's is banned in Ukraine is likely due to the persistant rumors that Kaspersky is tied to the Russian FSB.

Anti-virus would be a brilliant way to gain access to millions of machines, send back "sample" files via specific user targeted updates...

If so (and again I'm starting this sentence with IF), being lenient on Kaspersky would have dual benefits of focusing the target Ukraine, provide a "cure" for any critical machines hit in Russia, and allow existing Kaspersky users to recover once the cure is known.

The Interesting thing here is if this was a trial run, I don't think you get another one. If there is another bit of malware that treads lightly on Kaspersky machines, or "accidentally" fails to activate on them then the gig is up.

Still speculation, but will be interesting to follow.

Problem: user files are still being encrypted regardless of what happens to MBR so you end up doing MBR recovery only to boot a system without your data.

No, the Kaspersky check is done before encrypting any files.

Source: https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-...

It seems checks are done early but MBR destruction only at the end:

During malware initialization phase, this malware maintains a global variable that dictates its behavior. It alters its behavior based on the presence of processes related to certain antivirus applications running in the system.

Specifically, it looks for names of processes belonging to Kaspersky Antivirus and Symantec Antivirus and alters its behavior if it finds them.

Information controlling threats behavior is stored in a global variable (gConfig in the screenshots), which is then used to check during MBR modification.

If Kaspersky Antivirus process is found in the system or if the MBR infection is unsuccessful, the malware then proceeds to destroy the first 10 sectors of the hard drive.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact