Detection of government malware

Discussion in 'ESET NOD32 Antivirus' started by lodore, Mar 7, 2012.

Thread Status:
Not open for further replies.
  1. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello,
    I'm wondering what the ESET company policy is for detection of government malware?
     
  2. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Since ESET is not likely to know who the author of a particular piece of malware is, it will be processed and detected just like any other piece of malicious code.

    However, as previously noted, ESET does detect Win32/R2D2, which was allegedly written by (or at the behest of) the German government.

    One thing to keep in mind is that ESET uses many technologies such as active heuristics as well as generic signatures to provide detection for previously-unseen threats, so it is entirely possible a detection in some broad family of malware such as Win32/Agent or Win32/Injector or Win32/Kryptik or Win32/TrojanDownloader (et cetera) may, in fact, be triggered by code in a government "sponsored" program.

    That said, I personally think it is very unlikely a government is going to reach out to anti-malware product developers and ask them not to detect something. Doing so leaves a record—not necessarily a public one, but a record, nonetheless—of the casus belli in question, and would greatly weaken governmental responses of "no comment" and plausible deniability if such records ever became public.

    Regards,

    Aryeh Goretsky
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Thanks Agoretsky, ESET is now one of the few malware vendors I really trust in this matter. Especially after Stuxnet and Iran and who their vendor was.
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Thanks for the detailed reply
     
  5. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
    Well informed reply, thanks Agoretsky.
     
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    I was under the impression that ESET had an official statement about this somewhere but cannot seem to find it. It is a question that does come up from time to time, and it has been blogged about, papers have been written, etc. I myself was on a research panel a number of years ago at a partner conference and this was one of the topics of discussion.

    Excluding Stuxnet—which has been so heavily discussed that it made it difficult to find other examples—here are some discussions of the matter:
    There have been a few things in the news about the role of government interception of computer/cellular communications during the Arab Spring, most of which involves collecting intelligence at the ISP or mobile operator level, but I did come across an article on the InfoSec Institute's web site, DarkComet Analysis – Understanding the Trojan used in Syrian Uprising, which claimed to have identified a Trojan used by the Syrian government (and, yes, it is detected by ESET).

    I would like to reiterate from my previous post, though, that threat attribution for malware can range from supremely difficult to impossible, and that government intelligence operations rarely come to light, so the likelihood of positively identifying a nation-state as the actor behind a piece of malware is going to be quite low without some extraordinary detective work.


    Regards,

    Aryeh Goretsky

    *This is actually an area that was of particular interest to Craig Johnston, who is now at Sophos. You might want to look around for additional publications from him on governmental malware, as well.
     
  7. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
    Thank you for your continued efforts in keeping us informed
     
  8. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .
    Hi
    Thanks for those informative links. It's nice to see something else posted here, for a change, other than the usual topics. :D
     
  9. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Yesterday, ESET announced the discovery of Win32/Spy.Georbot, a botnet used to spy on Georgian* citizens with a command and control server hosted on a Georgian government computer.

    For more information:
    I hope this will make ESET's position clear on the matter.

    Regards,

    Aryeh Goretsky


    *The country in southwest Asia, not the U.S. state.
     