GCHQ spies have been hacking anti-virus software

News by Tom Reeve

Britain's Government Communication Headquarters (GCHQ) is actively engaged in reverse engineering anti-virus software to identify exploitable vulnerabilities.

Or at least it was in 2008 when an unnamed GCHQ staff member wrote to the Home Secretary requesting renewal of a warrant to authorise the modification of commercial software.

The top-secret request was published by The Intercept from documents leaked by NSA whistleblower Edward Snowden.

“GCHQ seek a renewal of warrant GPW/1160 issued under section 5 of the Intelligence Services Act 1994 in respect of interference with computer software in breach of copyright and licensing agreements,” reads item one on the memo which accompanied the request.

Under section five of the Intelligence Services Act 1994 (ISA), warrants can be issued to enable MI5, SIS and GCHQ to enter into and interfere with property, or interfere with wireless telegraphy, in pursuit of their statutory functions. Warrants are valid for six months but can be renewed by the authority of a government minister.

According to the memo itself, this use of section five was unprecedented. According to the Intelligence Commissioner's website, “A section five warrant might be used to authorise entry to a property and concealment of a listening device within it.”

The memo, though, said: “However, the Intelligence Services Commissioner was consulted in 2005 on the applicability of a warrant in these circumstances and he was content that section five could be used to remove such liability.”

The author of the memo, whose name has been redacted, described how GCHQ has reverse engineered several popular anti-virus products, the majority “in support of CNE [computer network exploitation] operations” but some in support of CESG's Information Assurance programme.

“In each case it was necessary to use this warrant as the product licence explicitly forbade reverse engineering,” the memo said.

Analysed products included vBulletin and Invision Power Board, said to be widely used to run terrorist web forums, and successful reverse engineering enabled GCHQ to recover user credentials, find more vulnerabilities and investigate methods for using the forums as an attack vector against targets.

Tinkering with PostfixAdmin software, which was being used by an ISP, allowed modification of their site and facilitated an attempt to deliver an implant.

In-country attacks included establishing a presence on the Pakistan Internet Exchange which gave GCHQ access to virtually any internet user in Pakistan as well as the ability to route traffic to GCHQ's passive collection systems.

Kaspersky Lab comes in for special mention in the memo. “Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ's CNE capability and SRE is essential in order to be able to exploit such software and to prevent detection of our activities,” it said.

Two weeks ago, Eugene Kaspersky, founder of Kaspersky Lab, revealed that his company had been hacked by a very sophisticated intruder. He said the attacker didn't expect to be found as they had engineered their malware so it left almost no traces in the system, leading him to speculate that it might have been the work of a nation state.


In further justification of the request, the memo cites the work of CESG Information Assurance, which analysed the security of Microsoft's Mobile Data Manager and an unnamed product used by GCHQ for electronic data records management – the analysis of which contributed to the development of protection against electronic attack. And it said it had assisted law enforcement agencies in gaining access to encrypted data related to a child-abuse investigation.

Remaining out of view of the software owners was important to GCHQ. “The risk of any interference such as that described in paragraph four becoming apparent to the owner of copyright or licensing rights is negligible,” it said.

Ben Johnson, Chief Security Strategist for Bit9 + Carbon Black, was not surprised by the news. “Is it really a surprise that intelligence agencies try to circumvent technologies that might prevent them from collecting information? Or test these technologies for weaknesses? Not really. 

“As is common in the hacker world – as well as the military world – before conducting any operation it is vital to test offensive tools against defensive capabilities, in order to gain assurance that it won't be easily detected.”

He did suggest that the days of anti-virus software as a means to ward off attackers might be numbered. “However, it does highlight the inherent security risk with relying on blacklisting to protect endpoints,” he said. “AV tools can be bought and pulled apart by anyone – once a hacker has access to the blacklist, they have the key to avoiding any tripwires and tweak their code in order to evade detection. This is why we have seen such a rise in polymorphic malware, or ‘zero day’ attacks – if an attack has never been seen, it is not a known threat, and so it cannot exist on an AV blacklist. This is why organisations need to move away from blacklisting and start whitelisting instead. By customising your own defences according to your business needs, you can ensure that even if your vendor is compromised, you are not exposed alongside them.”
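The contrast Johnson draws between blacklisting and whitelisting can be made concrete with a small policy engine. The example below is added here for illustration; it is not code from the article, from GCHQ's memo, or from Bit9 + Carbon Black's products. The "binaries" are constructed byte strings standing in for executables, and the names `blocklist_decision`, `allowlist_decision` and `approve` are hypothetical. It shows why a known-bad hash list is brittle (any change to the file produces a new hash the list has never seen) while a known-good list still denies the unknown file, and it carries the practitioner's caveat that an allowlist must be maintained: a legitimate update is denied until someone explicitly approves it.

```python
import hashlib

# Constructed stand-ins for executables (not real binaries).
APPROVED_TOOL = b"MZ approved-tool-v1.0"
APPROVED_TOOL_UPDATE = b"MZ approved-tool-v1.1"   # legitimate new release
KNOWN_MALWARE = b"MZ known-bad-sample"
# A single appended byte is enough to change the hash; this stands in for a
# repacked or polymorphic variant of something already on the blacklist.
MUTATED_MALWARE = KNOWN_MALWARE + b"\x00"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; the identity both lists are keyed on."""
    return hashlib.sha256(data).hexdigest()


class EndpointPolicy:
    """Two policies side by side: deny-if-known-bad versus allow-only-known-good."""

    def __init__(self):
        self.blocklist = {sha256(KNOWN_MALWARE)}       # vendor-style signature list
        self.allowlist = {sha256(APPROVED_TOOL)}       # organisation's approved set

    def blocklist_decision(self, data: bytes) -> str:
        # Blacklist model: anything not already known is allowed to run.
        return "deny" if sha256(data) in self.blocklist else "allow"

    def allowlist_decision(self, data: bytes) -> str:
        # Whitelist model: nothing runs unless the organisation approved it.
        return "allow" if sha256(data) in self.allowlist else "deny"

    def approve(self, data: bytes) -> None:
        """Operational cost of whitelisting: each new build needs explicit sign-off."""
        self.allowlist.add(sha256(data))


def evaluate(policy: EndpointPolicy) -> dict:
    """Run every constructed sample through both policies and return the verdicts."""
    samples = {
        "approved_tool": APPROVED_TOOL,
        "approved_tool_update": APPROVED_TOOL_UPDATE,
        "known_malware": KNOWN_MALWARE,
        "mutated_malware": MUTATED_MALWARE,
    }
    return {
        name: {
            "blocklist": policy.blocklist_decision(data),
            "allowlist": policy.allowlist_decision(data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    policy = EndpointPolicy()
    for name, verdicts in evaluate(policy).items():
        print(f"{name:22s} blocklist={verdicts['blocklist']:5s} allowlist={verdicts['allowlist']}")
    policy.approve(APPROVED_TOOL_UPDATE)
    print("after approval:", policy.allowlist_decision(APPROVED_TOOL_UPDATE))
```

The mutated sample slips past the blocklist and is stopped by the allowlist, which is Johnson's point; the update row shows the flip side, that whitelisting trades signature-lag for change-management work, since every legitimate release must be approved before it can run.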
