Discussion in 'ESET NOD32 Antivirus' started by lodore, Mar 7, 2012.
I'm wondering what the ESET company policy is for detection of government malware?
Since ESET is not likely to know who the author of a particular piece of malware is, it will be processed and detected just like any other piece of malicious code.
However, as previously noted, ESET does detect Win32/R2D2, which was allegedly written by (or at the behest of) the German government.
One thing to keep in mind is that ESET uses many technologies such as active heuristics as well as generic signatures to provide detection for previously-unseen threats, so it is entirely possible a detection in some broad family of malware such as Win32/Agent or Win32/Injector or Win32/Kryptik or Win32/TrojanDownloader (et cetera) may, in fact, be triggered by code in a government "sponsored" program.
That said, I personally think it is very unlikely a government is going to reach out to anti-malware product developers and ask them not to detect something. Doing so leaves a record—not necessarily a public one, but a record, nonetheless—of the casus belli in question, and would greatly weaken governmental responses of "no comment" and plausible deniability if such records ever became public.
thanks Agoretsky, Eset is now one of the few malware vendors I really trust in this matter. Especially after Stuxnet and Iran and who their vendor was.
Thanks for the detailed reply
Well informed reply, thanks Agoretsky.
I was under the impression that ESET had an official statement about this somewhere but cannot seem to find it. It is a question that does come up from time to time, and it has been blogged about, papers have been written, etc. I myself was on a research panel a number of years ago at a partner conference and this was one of the topics of discussion.
Excluding Stuxnet—which has been so heavily discussed that it made it difficult to find other examples—here are some discussions of the matter:
CIPAV Spyware: Hiding in Plain Sight? - ESET Threat Blog article by David Harley discussing a tool used by the FBI.
Government, Public Interest and Trojans - Another ESET Threat Blog article by David Harley, discussing Win32/R2D2, the German "Bundestrojaner," and the need (or lack, thereof) for lawful interception of communications.
German Policeware: Use the Farce…er, Force…Luke - An article in the ESET Threat Blog by malware researcher Robert Lipovsky sharing some of the technical details on how Win32/R2D2 worked.
Please Police Me [direct link, PDF] - A white paper by Craig Johnston* and David Harley written for AVAR 2009 discussing many of the issues around government-written/sponsored/distributed malware.
There have been a few things in the news about the role of government interception of computer/cellular communications during the Arab Spring, most of which involves collecting intelligence at the ISP or mobile operator level, but I did come across an article on the InfoSec Institute's web site, DarkComet Analysis – Understanding the Trojan used in Syrian Uprising, which claimed to have identified a Trojan used by the Syrian government (and, yes, it is detected by ESET).
I would like to reiterate from my previous post, though, that threat attribution for malware can range from supremely difficult to impossible, and that government intelligence operations rarely come to light, so the likelihood of positively identifying a nation-state as the actor behind a piece of malware is going to be quite low without some extraordinary detective work.
*This is actually an area that was of particular interest to Craig Johnston, who is now at Sophos. You might want to look around for additional publications from him on governmental malware, as well.
Thank you for your continued efforts in keeping us informed
Thanks for those informative links. It's nice to see something else posted here, for a change, other than the usual topics.
Yesterday, ESET announced the discovery of Win32/Spy.Georbot, a botnet used to spy on Georgian* citizens with a command and control server hosted on a Georgian government computer.
For more information:
ESET Threat Blog: From Georgia With Love: Win32/Georbot information stealing trojan and botnet
White Paper: From Georgia, With Love: Win32/Georbot [PDF, 3.5MB]
I hope this will make ESET's position clear on the matter.
*The country in southwest Asia, not the U.S. state.