Kaspersky Anti-Virus puts users at risk


okru

Kasper-Spy: Kaspersky Anti-Virus puts users at risk

TRENDS & NEWS | C'T DISCOVERS

 Ronald Eikenberg

 15.08.2019

 IT-Security, JavaScript, Kaspersky, Kaspersky Antivirus, Privacy, Windows

Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.

-------------------

A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.

The following weeks and months seemed to offer little excitement – the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:

<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>

Obviously, an external JavaScript script named main.js was being loaded from a Kaspersky domain. This is not uncommon, since a website nowadays hardly works without external JavaScript resources. However, when I checked the HTML source of other websites displayed in my browser, I found the strange code on each and every page. Without exception, even on the website of my bank, a script from Kaspersky was introduced. So I had an inkling that the Kaspersky software might have something to do with it.

Kaspersky advertises the protection of privacy. However, the data leak discovered by c't caused the opposite effect. (Image: Kaspersky.com)

To investigate, I experimented with the web browsers Firefox, Edge, and Opera. Again, the same line of code popped up everywhere. Since I had no suspicious browser extensions installed which could be responsible, the simple conclusion was that Kaspersky's virus protection was manipulating my traffic. Without my permission, it was injecting that code. Before that day, I had observed such behaviour only from online banking Trojans. That is malware built to manipulate bank websites, for example to secretly change the recipient of a money transfer. But what the heck was Kaspersky doing there?

My first examination of Kaspersky's script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website. This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:

https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js

The part between the host name and main.js (9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615) has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable. But who or what can be identified using the Kaspersky ID?

I expanded my experiment and installed the Kaspersky software on other computers. Kaspersky also injected JavaScript on those other systems. However, I discovered a crucial difference: The UUID in the source address was different on each system. The IDs were persistent and did not change, even several days later. So it was clear that each computer had its own permanently assigned ID.

 

The suspicious ID

I was further irritated by the location of the ID: The Kaspersky software injected it directly into the HTML source code of each website. That's a remarkably bad idea. Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.

In other words, any website can read the user's Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used. If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser. Worse yet, the super tracking can even overcome the browser's incognito mode.

The data leak allowed websites to unnoticeably read the individual ID of Kaspersky users. This made extensive tracking possible - even in incognito mode.

But could a company that has been dedicated to the security and privacy of its customers for over twenty years have overlooked such an obvious problem? I decided to put it to the test. Half an hour later, I had created a simple website that would automatically read and save the visitors' Kaspersky ID.

I'm afraid it worked like a charm. After I had collected the IDs of several test computers, I also stored the names of the colleagues who owned those computers in the code of my demonstration page. From that moment on, my test page greeted them personally whenever they opened the site – no matter which browser they used or how often they deleted cookies. Even the incognito mode did not offer any protection against my Kaspersky-infused tracking. At this point, it was clear that this was a serious security issue.

 

Making contact

At c't magazine, we strive to avoid putting users at risk. So, first, I informed Kaspersky about my findings. The company's research department replied swiftly. They would look into the matter. About two weeks later, the headquarters in Moscow, Russia, had analysed the case. The problem I discovered was determined to be real. It affected all consumer versions of Kaspersky software for Windows, from the free version to Kaspersky Internet Security to Total Security. Additionally, the Small Office Security flavour was affected as well. Several million users must have been exposed.

My inquiries revealed that the leak was introduced with Kaspersky's "2016" editions, released in the autumn of 2015. And the UUID wasn't hidden. If I was able to find it by happenstance, various people, from eager marketers to malicious attackers, may have been exploiting it for almost four years. According to Kaspersky, "such an attack is too complex and not profitable for cybercriminals, and therefore unlikely to happen". I beg to differ: If I was able to create a website in a short period of time that reads and saves the IDs, why couldn't others have done it at some point in the last four years? Numerous companies specialize in spying on website visitors in as much detail as possible. This would be a boon for their spying efforts.

 

The cat is out of the bag

Since Kaspersky had apparently recognized the seriousness of the situation and promised me a patch, I waited. In June, the "Patch F" was indeed distributed, and last month, Kaspersky published a security advisory. It describes the problem and its solution. Upon my request, the manufacturer also assigned the vulnerability a "CVE" number, which is a globally valid identification number for security vulnerabilities. Thus, the leak has a proper name: CVE-2019-8286.

The Kaspersky advisory and the CVE registration have brought the problem to the attention of security authorities. For example, the German CERT-Bund has issued a warning regarding the information leak. Furthermore, there is an entry in the National Vulnerability Database of the US-CERT.

After Kaspersky distributed the patch, I did not hesitate to repeat my experiments. The software still smuggles a script with an ID into each webpage – but the ID is now identical for all users of a specific Kaspersky edition: FD126C42-EBFA-4E12-B309-BB3FDD723AC1. A website can no longer recognize individual users. However, that means it is still possible to find out if a visitor has installed Kaspersky software on their system and how old that software is.

That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page. Imagine something along the lines of "Your Kaspersky license has expired. Please enter your credit card number to renew your subscription". Of course I have reported this problem to Kaspersky as well.

To be on the safe side, you can disable the relevant function in Kaspersky's software: Click the cogwheel icon in the bottom left corner of the main window, then click Additional/Network. Finally, uncheck the "Inject script into web traffic to interact with web pages" option under "Traffic processing". (rei)

 

Source:  https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html

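The two things the article demonstrates, reading the injected UUID from the page as any third-party script could (the author's demonstration page) and, after Patch F, still recognising that Kaspersky is installed from the now-fixed ID, shown as an added example. This is not code from the c't article, from heise or from Kaspersky. It assumes nothing beyond what the article quotes: the host name pattern under kaspersky-labs.com, the pre-patch UUID 9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615 and the post-patch edition ID FD126C42-EBFA-4E12-B309-BB3FDD723AC1. The sample pages and the visitor table are constructed for the demo.

```javascript
// Added example (not from the c't article or from Kaspersky): read the
// identifier that Kaspersky's "inject script into web traffic" feature put
// into every page, the way any third-party script on that page could, and
// tell a per-machine ID apart from the fixed post-patch edition ID.
// Host name and the two UUIDs are quoted from the article; the sample pages
// and the visitor table below are constructed for this demo.

const UUID = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';

// The injected loader: https://<subdomains>.kaspersky-labs.com/<UUID>/main.js
const KASPERSKY_SRC_RE = new RegExp(
  '^https?://(?:[a-z0-9-]+\\.)*kaspersky-labs\\.com/(' + UUID + ')/main\\.js$', 'i');

// Pulls src="..." out of <script> tags in raw HTML. In a browser the same
// list is simply Array.from(document.scripts, s => s.src).
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// After "Patch F" the ID is identical for every user of an edition (per the
// article), so it only reveals that the product is present, not which machine.
const EDITION_MARKERS = new Set(['FD126C42-EBFA-4E12-B309-BB3FDD723AC1']);

// Classify each script source: per-machine tracking ID or generic edition marker.
function classifyKasperskySrcs(srcs) {
  const hits = [];
  for (const src of srcs) {
    const m = KASPERSKY_SRC_RE.exec(src);
    if (!m) continue; // not the injected loader (host or path does not match)
    const id = m[1].toUpperCase();
    hits.push({ src, id, kind: EDITION_MARKERS.has(id) ? 'edition-marker' : 'per-machine' });
  }
  return hits;
}

// Same classification starting from the raw HTML of a page.
function classifyPage(html) {
  const srcs = Array.from(html.matchAll(SCRIPT_SRC_RE), m => m[1]);
  return classifyKasperskySrcs(srcs);
}

// The author's demonstration page in miniature: look the harvested ID up in a
// table of known machines. Works across browsers, cookie deletion and
// incognito mode because the ID comes from the AV, not from browser state.
function greetVisitor(knownMachines, html) {
  const ids = classifyPage(html).filter(h => h.kind === 'per-machine');
  if (ids.length === 0) return null; // nothing usable for tracking
  const name = knownMachines.get(ids[0].id);
  return name ? `Hello ${name}` : `New machine ${ids[0].id}`;
}

// Constructed sample pages (not captured from any real site).
const PAGE_BEFORE_PATCH = `<html><head>
<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body>Online banking</body></html>`;

const PAGE_AFTER_PATCH = PAGE_BEFORE_PATCH.replace(
  '9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615', 'FD126C42-EBFA-4E12-B309-BB3FDD723AC1');

const PAGE_CLEAN = '<html><head><script src="https://cdn.example.com/app.js"></script></head></html>';

// Hypothetical visitor table standing in for the colleague names the author stored.
const KNOWN_MACHINES = new Map([
  ['9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615', 'Alice'],
]);

console.log(classifyPage(PAGE_BEFORE_PATCH));
console.log(greetVisitor(KNOWN_MACHINES, PAGE_BEFORE_PATCH)); // Hello Alice
console.log(classifyPage(PAGE_AFTER_PATCH));                  // edition-marker only
console.log(greetVisitor(KNOWN_MACHINES, PAGE_AFTER_PATCH));  // null
```

The host check matters: a UUID in any other script URL is not evidence of anything, so the pattern is anchored to kaspersky-labs.com and to the main.js path. The post-patch result is the residual problem the article raises at the end: greetVisitor returns nothing, but classifyPage still reports an edition marker, which is enough for a page to tailor a fake "licence expired" prompt to Kaspersky users.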
steven36

Antivirus is easy to bypass: 1990s/early-2000s outdated technology that only works for generic threats that are no longer 0-days. You have some who say you may as well use Windows Defender instead. But it can be bypassed; TrickBot malware can even shut it down, and no antivirus can detect 0-days, and the USA government has access to anything you upload to Microsoft, so all your viruses belong to Uncle Sam; it's the law, it's called the Cloud Act. :tooth: I use Linux and I have not used an antivirus in real time in 3 years. I just use open-source ClamAV to scan PDF, Flash, and file archives such as ZIP and RAR, as well as Unix-based ELF executable files. Giving an antivirus root over your machine is asking for trouble. If Windows were not so vulnerable, where it requires little to no permissions for malware to get into the root of your system, people would not need an anti-malware program, and really they are not going to protect you in every case.

 

If you were infected with a 0-day that was designed to bypass an antivirus, you could be infected for years and never know it. EternalBlue: the NSA used it for years; it once was one of their most valuable and useful tools. The only reason Microsoft ever patched it, or it became detected, is that The Shadow Brokers leaked it to the public.

 

While the original malware that blackhats used it in, WannaCry, has been patched, the virus is still very active in newer malware, and this is a virus we know about:

https://www.cnet.com/news/stolen-nsa-hacking-tool-now-victimizing-us-cities-report-says/.

 

All real viruses are made by finding a hole in Windows and attacking it. If it is never found, an antivirus can't detect it and prevent it, and the only way to really stop it is for the software to be patched against it. Software cracking is the same: it finds a weakness in the software and attacks it. If the method is made public and the vendor cares about their program being used for free, they will patch against it. Lazy devs will just update their exe and dll if it is just a byte patch and play cat and mouse. But if the dev really cares, they will add hidden checks where the software is never really cracked. They fool pirates like this all the time, but when someone really tries to use the software it fails to work; this just shows many pirates install lots of stuff they never really use. I have done testing many times on some software posted on this site and found it not to be working, but it does no good to tell pirates it does not work; they are easily fooled by cosmetics in the About box. :hehe:

 

steven36

Every antivirus does things you don't like. Back when testing Windows 10, Windows Defender didn't like me using Windows 10 Firewall Control; using both programs brought my PC to a halt. After I disabled it and installed NOD32, it ran OK. NOD32, if you don't disable it intercepting HTTPS traffic, weakens security.

 

Antivirus Software Weakens HTTPS Security

https://www.securityweek.com/antivirus-software-has-negative-impact-https-security-researcher

 

What is better about 3rd-party vendors such as ESET and Kaspersky is that they give you full control over what their software does.

 

All you have to do:

 


You can disable the relevant function in Kaspersky's software: Click the cogwheel icon in the bottom left corner of the main window, then click Additional/Network. Finally, uncheck the "Inject script into web traffic to interact with web pages" option under "Traffic processing".

 

While on the other hand, when you use most free antivirus products they give you very little control over their software, and Windows Defender behaves like malware itself; they deliberately make it hard to disable.

 

Quote

Microsoft make it deliberately hard to disable even when you finally can, whatever settings you used may well have changed when MS updates. And when they do update, it gets re-enabled.

One of many instances where MS takes the "I know best" approach. You want to write a good anti-malware program, try not behaving like malware.

 

 

 

Stop being a noob! Don't use programs that control you, and learn how to use programs that give you control so they can't spy on you. Or be like the masses and let big tech control you, but if you use Windows 10 you already have way worse problems than an antivirus spying on you. :lmao:

-------------

I have tried bruteforcing an uninstall, I have tried disabling it in at least 3 different ways, I have tried and failed to disable notifications from it. This is my last resort. I do not want, nor do I need, Windows Defender. Half of the warnings it gives are for software I intentionally downloaded, the other half are false positives. It is useless software and it gives me no less than 20 false positive notifications every day that I ignore only for them to keep coming. So I want an official list from microsoft of every way possible to disable or remove Windows Defender or to completely disable the notification system (which is equally useless). At this point, I would label Windows Defender as non-malicious malware. It's been designed to remove control from the user over what software is running on their pc and actively interrupts the user with notifications and "warnings" of non-existent viruses.

 

https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-sucks/bfcf8df6-32db-4870-aedb-6e6fccf5be4b

 


 

plb4333
On 8/16/2019 at 1:58 AM, dfortunsan said:

I don't trust these programs, because they can spy me.

You should also not surf the web, since Google spies more than anybody else. Plus all the cookies you no doubt allow. Spying is done whether you realize it or not. Anti-virus or anti-malware programs help keep you safe. Without those, most of us would be re-installing the OS. Spying is even done by the NSA, and there's absolutely nothing we can do about it when it comes to our routers, cellphones, ISPs, even computer chips.

nghiabros
3 hours ago, plb4333 said:

You should also not surf the web, since Google spies more than anybody else. Plus all the cookies you no doubt allow. Spying is done whether you realize it or not. Anti-virus or anti-malware programs help keep you safe. Without those, most of us would be re-installing the OS. Spying is even done by the NSA, and there's absolutely nothing we can do about it when it comes to our routers, cellphones, ISPs, even computer chips.

 

I am using Firefox with DuckDuckGo as my search engine. We can't completely counter Google's spying, but we can do that partially.

nghiabros

In modern life, I think we can't prevent spying. Microsoft, Google, any browser, ... all do that. Since Intel disclosed some security vulnerabilities in their hardware (Meltdown, Spectre, ...), I have never trusted that my information can be kept completely private.

Kalju
On 8/16/2019 at 11:58 AM, dfortunsan said:

I don't trust these programs, because they can spy me.

They not only can spy, but they have been doing that for more than 10 years already, or more precisely, since the time when so-called cloud-based scanning and uploading of files for verification purposes came.

It is really very unfortunate that people still do not understand it.
