Around a̵ ̵w̵e̵e̵k̵ ̵a̵g̵o̵ ̵(̵?̵)̵ a couple days ago someone made a post on /̵r̵/̵c̵y̵b̵e̵r̵s̵e̵c̵u̵r̵i̵t̵y̵ /r/hacking where he made a scraper and analyzed all the malware he could find. The repo amount was in the ~1000s repos that he shared in a spreadsheet. Github as a domain is feasible as a malware dropper domain due to it being allow listed by Microsoft. The attackers seem to use bots to use the releases section of other repositories, the code is there, too, but incomplete.
They were also targeting many popular games like Fortnite, Valorant, CS2 and others with their cheats that contained the malware. It was kind of interesting to see because they used a lot of screenshots in the README files that seemingly were enough to convince gamers to install the malware.
The dropper/stealer samples that I took a look at were python obfuscated bundles targeting Win11 and lots of different browser cookie storages, password managers, and even replaced the MetaMask extension inside the browser profile with another one after stealing all the session cookies and passwords. As an exfil technique they used discord, and you could see lots of different ranks of the discord server, with the API tokens and paypal ids and other things that they automated their payments with.
It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
I still have the deobfuscated code somewhere, not sure if I can find the link to the original research article again. Couldn't find it with the shitty reddit search.
edit: Man, this weekend been way too long. Here's the links to the original article from only a couple days ago:
[3] The google spreadsheet (archive link because traffic limit has been reached I guess): https://archive.is/ijiWP
edit 2: The pubhtml file of the google spreadsheet I have also on my hard drive, but it's ~23MB. Maybe I can make a gist out of that later? The spreadsheet didn't show an export button or UI, that's why I used wget at the time.
This is dated February 24, which is before I noticed all these other investigations hitting Reddit and HN. Seems maybe they were just piggybacking off Kaspersky
What makes you sure the malware described here is the same as the one you read about before? After all, GitHub isn't limited to one malware campaign at a time.
The structure of the archive looked very similar to the sample I was analyzing.
The securelist article [1] also describes the same malware techniques and stealer behaviors, just in a way more undetailed manner than the original reddit post.
edit: update my grandparent comment with the reddit links. It was on /r/netsec and /r/hacking and not on /r/cybersecurity where the author posted it first :D
> It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
Is it really that surprising? Using Python makes it easy to write their "business logic" and if they get caught, they just tweak the way they are obfuscating it. They aren't using any fancy exploits that they want to protect, this is the equivalent of a smash and grab robbery.
The amount of developers I've met who will just download, compile, and run stuff from GitHub in the same way as if it was closed-source, i.e. paying no attention to the fact that the source is available for inspection, is surprisingly many.
I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.
I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.
I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.
Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.
Commercial Linux distributions like Red Hat, Suse and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
Although the "repo" is a list of manifest files that include third-party download sources. So even if there is an approval process it seems to be quite vulnerable to including malware.
This is the problem, the best we can do is pay via exposure. But that actually ain't nothing. Not just individuals, but also orgs could then make money from private contracts based on their reputations? This should be the benchmark of trust. Could there be anything better?
Excellent question. No, I am not. I am just attempting to use my very limited knowledge on this subject to hopefully further discussion on a topic that feels really important.
I would love other people to jump in and elevate this conversation.
Sure, CVEs might not be the ideal metric. Could you, or anyone else, suggest a better metric?
If GitHub is too lethargic to do even contemplate this type of change, maybe this could be a differentiator for GitLab?
You can get rid of legacy OS like Windows or Linux that cannot run applications in the sandbox and switch to those which can. In this case the malware only gets a sandbox and not the whole system.
If you work for a commercial company then you should not download the code from random users on Github for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
I don't get it, is there priviledge escalation attacks for windows? I haven't logged in as an administrator since 2005 or so.
We know we can hit the windows key and type "sandbox"? (May need to "install" it from windows features.) Right?
There are software packages that let you snapshot the files and checksums, then compare again after you've run your test program / installer / whatever.
You can make this software "portable" so you don't have to install it every time. You can copy and paste into the sandbox from your windows desktop and drives.
Obviously this isn't sanboxie or nix or an immutable file system or anything, but let us not pretend it's 1996 and "GoBack.exe" hasn't been invented yet.
They can - if you write the sandbox and adapt applications to it. What I meant is that the sandbox should be built-in into a distribution.
Also, I did some research and the sandbox is difficult to implement because you need to stub literally every facility (because Linux was not designed for sandboxing). For example, I had to write an emulation of /proc in Python using FUSE because many apps rely on reading files there but granting them full access leaks too much information about your system and is not secure. Now think how much time you need to stub every API, including undocumented APIs like /sys, ioctls and so on.
Unless there is a comment "this code is actually safe, it's done this way for optimizations", or a variable called "thisCodeIsSafeItLooksWeirdForPerformance" and the LLM just ignores the backdoors.
Well it all comes down to trust eventually, you cannot inspect every single line of code of every programs you want on run on your computer.
Nowadays even Github stars are not worth that much trust because malicious actors can just make fake accounts or buy them.
The number of new GNU/Linux distros that have appeared since 1994 that just compile stuff into binary packages not even paying attention to the fact that the source can be inspected, is just staggering.
I don't see any hint on how to recognise, or how not to recognise them. Did the projects have lots of stars? Fake issues and pull activity? What kind of software did they claim to be? Did they work, to avoid it being obvious after executing and the user reporting the repository to Github? How hard was it to spot the malware, underhand C contest level or obvious if you just open the right file (among hundreds, I guess) and see it do illegitimate things?
All it says is that the projects were written in different common languages...
Honestly, whenever some malware like this is revealed, that just makes me wish for more sandboxing and alerting in OSes. For example, each app getting its own writable directory structure and access to anything else needing to be explicitly granted by the user.
It would require work to make the UX not be horrible, but that's a solvable problem. The fact that we don't have that in mainstream OSes in $CURRENT_YEAR given the security situation of the software out there, is insane.
Kaspersky is now banned for government use in multiple nations. Whilst there is some good work happening there, as above, for the most part, they should be considered a state actor for Russia.
That usually means that they're a threat, and these small good tokens are nothing more than PR efforts.
You can't avoid politics, when considering this company.
All cyber security companies should be considered state actors. Even if they currently aren't it's too easy for a state to coopt them.
If you build an antivirus software today, and tomorrow you get a secret court order to ignore certain malware for "national security" what are you going to do? What if it's a request to include a small binary payload in return for a lucrative government contract, with implied threats of what happens if you leak the request? You can decide not to do it and just shut down, but then the only ones left on the market are the ones that complied.
If you do cyber security for more than just compliance, evaluating the software providers against your threat model was always an important step. Whether that means avoiding American, Chinese or Russian software. In the threat model of a Western government agency, Russian software should have have been off limits since the 50s (even if Kaspersky tries to tell you they are not Russian at all).
That still doesn't mean their work is any less interesting or praiseworthy. Just like how you know NASA landed on the moon because Roscomos didn't dispute it, Kaspersky can do work and offer perspectives that might be more difficult for similarly sized western cyber security companies.
Australia's Assistance and Access Orders (TAN, TCN, etc.) [0] basically allow the government to order mandatory backdoors into various software. They do have some oversight, but it isn't significant. They can order any employee, not just the company.
The wording is also... Squirelly. You can't introduce a weakness, but the definition of weakness excludes the entire concept of backdoors.
However, Technical Capability Notices can be ordered where:
> reasonable, proportionate, practicable and technically feasible
The employee/company can push back and argue one of those isn't met, but ultimately it is the office of the Governor General that decides.
So far, it has basically only be used against journalists [1], as far as we know, which is nice and horrific.
Maybe don't put too much into the word "court order", but instead interpret it as an order from the government to force the company to use the tool for the governments/country's benefit.
One could also assume that the owners and/or management of the company are in the same boat as the government/country so they do not mind using the tool for the country's benefit when needed.
It is not very fair singling out Kaspersky and assuming that other AV companies are not a threat to foreign countries. Foreign software and hardware is always a threat. And US was caught spying even on their allies.
> The US, while hardly benign, have not orchestrated multiples of "largest attack in history"
You must be using a very personal interpretation of what "largest attack in history" is.
The US is literally the owner and operator of the largest surveillance and intelligence collecting apparatus in the history of mankind. I bundle in here all kinds of legal and illegal surveillance, interceptions, hacking, etc. directly state run, or leveraging other intelligence agencies, or leveraging the largest private data collectors in the world which are mostly US companies. It was already proven by the Snowden leaks, it's absolutely reasonable to assume this apparatus only grew stronger.
If that's not a never ending "largest attack" on everyone in the world I don't know what is.
You can't ignore this fact: The US and Australia partner on Pine Gap, which violates the human rights of literally billions of human beings every single second of the day.
Russia and China have a long way to go to catch up.
Sorry, but that's crazy exaggeration. Calling snooping "violation of human rights of literally billions of human beings" just because "privacy" gets a mention in the UNDHR doesn't make it as bad as anything Russia and China have done lately. And that's not even touching upon what "privacy" would mean that that declaration.
Ironically, we are having similar discussions regarding US companies if the trend with the current administration is to continue.
The big difference is that as of today, we are currently stuck with available alternatives, but it won't surprise me if many goverments start looking back into the computing diversity infrastructure that we had during cold war days.
Or it means that the original bans were primarily instituted because of myopic geopolitics and not because of any meaningful threats. In particular US ire towards Kaspersky grew rapidly after it was the only antivirus that picked up on NSA/'equation group' malware.
It's similar how the US banned all cooperation with China in space [1] because of some tropes about them being unable to do anything except steal American tech. That's why, to this day, there are no Chinese on the ISS. After that law China proceeded to develop, launch, and man their own space station, put a rover on Mars, and even carry out an unprecedented sample return mission from the dark side of the Moon, and just generally run circles around the US (except perhaps SpaceX) in space. Interestingly US researchers may not be able to access those Moon samples (which China shared with scientists worldwide) due to this stupid law.
Regardless what the original story behind the Kaspersky ban was, if you genuinely don't think that a Russian antivirus company represents a state-controlled threat to US organisations, public and private, in 2025 then I don't know what to say to you.
After the initial US allegations they moved their infrastructure and customer data over to Switzerland intentionally leaving them subject to both EU and Swiss customer data protection laws, and also opened up various hubs to enable interested parties to review their source code on demand, if desired.
I don't think every Russian company is conspiring against the US anymore than I think every US company is conspiring against Russia. In this case there's a clear and malicious motive for the US to want to block them that has nothing to do with threats, and they've gone way beyond any sort of reasonable standard to make it clear they have no ill intentions whatsoever.
Of course the problem is that proving you're not a witch is basically impossible, which is why innocent until proven guilty is a standard across the world, except when it comes into geopolitics when allegations are proof, leaving the accused parties to prove a negative.
Not if US and Russia become “allies”. Then UK/EU companies will become a bigger “threat”.
It should go even further e.g. you don’t want ARM installing backdoors on their chips and giving hostile foreign organizations like the MI6 access to vital American infrastructure, intelligence data etc. do you?
It might be the time to consider switching to Elbrus or at least mandating that all devices used by US government agencies have to use Intel’s chips.
I think the more prudent approach in the modern age is to simply assume that all states control organizations within their midst with the intention of posing a threat to citizens - foreign and domestic - and a misplaced trust in ones own state above all others is not only naive, but super dangerous.
If you're not holding your own government to the standards you apply to other states, you're putting yourself in danger.
Especially given the fact that the USA and its partners operates the largest, by far, information gathering/human rights abusing apparatus with well-known subversive purposes, by a long margin..
Increased collaboration between the Russian state and the American state is bad for the ordinary citizens of both — and for freedom-loving people in Ukraine, Europe, and everywhere else.
The US and Russia are the biggest nuclear powers in the world. Positive relations here are good for absolutely everybody. Positive relations do not mean one has to approve of the political system, ideology, or whatever else of the other side. See: Saudi Arabia which remained a key ally for many decades in spite of being wayyyyyy further off the spectrum (relative to the US) than Russia could ever be.
Overtly adversarial relationships trend towards violence, sooner or later, and that's not a path we ever want to go down.
The US has turned towards enabling Russia’s imperialist war, and the Pentagon article explains how it will unilaterally disarm in the face of Russian cyberwarfare, leaving Russian criminal groups to run rampant in Europe and even the US. Abetting conquest and criminality is not the sort of collaboration we should cheer.
Wars are largely started because of poor relations. The US overtly supported and encouraged an effort within Ukraine to overthrow a democratically elected president because he moving more towards Russia than the West. Russia then ended up invading Ukraine for fears of having NATO not only right on their doorstep, but right in their geographic Achille's Heel.
If the US and Russia were on good relations none of this would have happened, Germany's economy would still be booming, and just about everybody would be so much better off today. And no, the article does not say the Pentagon will "unilaterally disarm." It ordered a halt to offensive operations against Russia - e.g. the Russian government which is certainly going to be reciprocated. Criminal elements are a different topic, but I do expect as relations between US and Russia warm, they will no longer be looking the other way when these groups target the West.
Bullshit, after Ruzzia invaded Ukraine in 2014 you still have the ability to pretend Ukrainians did not really want to join EU and NATO and USA, Israel and Illuminaty caused the Ukrainians to protest their president that promised the West and then betrayed the people by going East.
Typical Zed propaganda where Eastern Europeans are all brainwashed to hate the good, kind Ruzzian empire. if you are USaians then go and fix your history and stop consuming MAGA and Zed propaganda.
True, they cease being “meaningful” the moment you surrender and stop viewing them as threats.
OFC it’s all relative, Russia and similar actors having more political/economic influence in the US (and by extension globally) might not be viewed as a negative by some people.
Please feel free to point out where the CIA successfully issued directives to those companies to target foreign nationals.
Baring in mind, that Snowden's revelations did in fact cause outcry, and national responses to US companies. And helped push through various data protections in Europe, including stipulating non-sharing of data with the US.
Has this been proven? Or is this another 'they are in a foreign country so they could be compelled to spy on us?' - not that I have a particular desire to defend Russia at this moment in time.
Why not judge on the merit. Unlike PRC's deepseek or tiktok which were shown and admitted to collect all sorts of data and specifically influence public opinion to favor a foreign interest this is literally just information, white hat infosec research
You cannot divorce the company from their other actions. They are engaged in cyber warfare with various nations. That means that all of their actions need to be weighed and judged.
They put it on their website, which makes it company PR, regardless of how it might be seen. Good things have been done by terrible actors, since the dawn of time. It is not information alone.
In that vein Europe should have 0% trust in any US software or hardware. We are not that much friends anymore, in fact US is currently actively helping our existential enemy and subverting us.
Remember of scandal with US spying directly all European top politicians? This was in quiet times compared to now.
To paraphrase you, terrible things have been done by good actors. You cannot divorce state from its other actions in same area neither. I don't think I need to bring up numerous fuckups of US 'defense' and secret services that literally killed tens of millions civilians in past 100 years across whole globe, with very little to show for and claim 'it was worth it because we achieved XYZ'.
As of now? I am making noise with my government on the US. The nation has dismantled their protections, they have an unhinged preacher of hatred in the White House, and he has a proven record of breaking international agreements.
Starlink and Tesla are security concerns.
The US' current attitudes suggest that they would very much like to see world war three. And would like to ally with Russia to make it happen.
Recklessly endangering international agreements will not be without consequences.
I don't believe Google has directly caused the leaking of classified information, or attacking vital infrastructure, as of yet. Kaspersky, yes [0]. TikTok, yes [1]. Google do, however, publish information on commercial spy networks [2].
However, it is likely that I would do so if they show themselves to be an enemy of my nation. If you've found Google attacking a government, I'm sure plenty of people would love to see the evidence.
Your first link doesn't show any evidence of, or even suggest that, Kaspersky has attacked Australia.
It shows only that the Australian government expresses concern over the capability, which doesn't seem entirely unreasonable and also politically motivated.
Oceania has always been at war Eastasia, and all that.
> Entities must manage the risks arising from Kaspersky Lab, Inc.’s extensive collection of user data and exposure of that data to extrajudicial directions from a foreign government that conflict with Australian law.
That's not concern of possibility. That's acknowledgement of exfiltration of data, back to Russia. Past tense.
This is political, yes. But only insofar as all actions of one nation against another is political. Australia go to some lengths not to piss Russia off. If things were not so political, then the response would likely be much greater, not less.
Are you weighing and judging thAt USA has killed millions of innocent people because of American Military Industrial complex before buying American products? You can’t divorce a company from it’s countries politics as you say.
If you are not judging the USA at the same standards as you do other countries then that would be very hypocritical.
The first few years of my life were in Bolivia. Where our prime minister, for the sin of being elected by the people, was shot dead on the streets of the capital, a street I lived on, by the CIA. I still have friends, who serve Morales today. I am well aware of the sins of the US.
Until Trump, the USA was not a direct threat to the nation I now live in. However, nuance is lacking in your response.
You cannot divorce a company serving its government, from the politics it lives in. There's little evidence of Y-Combinator, for example, of endeavouring to upend their entire business to serve as spies for the USA. If Kaspersky was divorced from the KGB, politics would not be as considerable a context for understanding their actions.
> You cannot divorce a company serving its government
I would extend that to "a company bound by law", since governments can change. [0]
Most people here argue that google, etc. have not been caught stealing/leaking data yet, as if Snowden didnt happen. And as if any foreign citizen data isnt fair game to US juristiction. [1]
The whole point to reading an article like this is to get the considered opinions of an expert, though, not to "judge it on the merit". Only an elite handful of security folks here on HN (and this is one of the few forums where you can find them!) are capable of doing that.
So sure, when another security wonk comes along and says "Kaspersky is right about this", I think it's worth discussing. Until then, we need to assume that any communication from the company is compromised by unstated interests. Not all of it is, surely, but some probably is, and "judge it on the merit" isn't a good standard to detect the bullshit.
This isn't kaspersky's research?
Around a̵ ̵w̵e̵e̵k̵ ̵a̵g̵o̵ ̵(̵?̵)̵ a couple days ago someone made a post on /̵r̵/̵c̵y̵b̵e̵r̵s̵e̵c̵u̵r̵i̵t̵y̵ /r/hacking where he made a scraper and analyzed all the malware he could find. The repo amount was in the ~1000s repos that he shared in a spreadsheet. Github as a domain is feasible as a malware dropper domain due to it being allow listed by Microsoft. The attackers seem to use bots to use the releases section of other repositories, the code is there, too, but incomplete.
They were also targeting many popular games like Fortnite, Valorant, CS2 and others with their cheats that contained the malware. It was kind of interesting to see because they used a lot of screenshots in the README files that seemingly were enough to convince gamers to install the malware.
The dropper/stealer samples that I took a look at were python obfuscated bundles targeting Win11 and lots of different browser cookie storages, password managers, and even replaced the MetaMask extension inside the browser profile with another one after stealing all the session cookies and passwords. As an exfil technique they used discord, and you could see lots of different ranks of the discord server, with the API tokens and paypal ids and other things that they automated their payments with.
It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
I still have the deobfuscated code somewhere, not sure if I can find the link to the original research article again. Couldn't find it with the shitty reddit search.
edit: Man, this weekend been way too long. Here's the links to the original article from only a couple days ago:
[1] https://old.reddit.com/r/netsec/comments/1izryuk/github_scam...
[2] https://timsh.org/github-scam-investigation-thousands-of-mod...
[3] The google spreadsheet (archive link because traffic limit has been reached I guess): https://archive.is/ijiWP
edit 2: The pubhtml file of the google spreadsheet I have also on my hard drive, but it's ~23MB. Maybe I can make a gist out of that later? The spreadsheet didn't show an export button or UI, that's why I used wget at the time.
This is dated February 24, which is before I noticed all these other investigations hitting Reddit and HN. Seems maybe they were just piggybacking off Kaspersky
What makes you sure the malware described here is the same as the one you read about before? After all, GitHub isn't limited to one malware campaign at a time.
E.g. we also have https://news.ycombinator.com/item?id=43203158 from 3 days ago, which seems to be a different thing at first glance.
The structure of the archive looked very similar to the sample I was analyzing.
The securelist article [1] also describes the same malware techniques and stealer behaviors, just in a way more undetailed manner than the original reddit post.
[1] https://securelist.com/gitvenom-campaign/115694/
edit: update my grandparent comment with the reddit links. It was on /r/netsec and /r/hacking and not on /r/cybersecurity where the author posted it first :D
> It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
Is it really that surprising? Using Python makes it easy to write their "business logic" and if they get caught, they just tweak the way they are obfuscating it. They aren't using any fancy exploits that they want to protect, this is the equivalent of a smash and grab robbery.
The amount of developers I've met who will just download, compile, and run stuff from GitHub in the same way as if it was closed-source, i.e. paying no attention to the fact that the source is available for inspection, is surprisingly many.
I think it is worse than that.
I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.
I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.
But, truly, what is the solution?
I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.
Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.
Commercial Linux distributions like Red Hat, Suse and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
Winget seems to finally do something similar for Windows: https://github.com/microsoft/winget-cli
Although the "repo" is a list of manifest files that include third-party download sources. So even if there is an approval process it seems to be quite vulnerable to including malware.
Edit: Example https://github.com/microsoft/winget-pkgs/blob/master/manifes...
> But, truly, what is the solution?
Let's use GitHub as an example. We have forks, and stars. Maybe we could also have some kind of build endorsement?
How one would verify that the endorser is worth your trust, I am not entirely sure.
Maybe endorsers could eventually be rated by CVEs found in their endorsements, and that would build trust?
How about directly linking to the CVEs and how quickly they were mitigated and in which commit?
Pay researchers to analyse repos without any. Post results. Link to the repo with mitigation PRs.
It’s insane this isn’t the standard already
> Pay researchers to analyse repos without any.
This is the problem, the best we can do is pay via exposure. But that actually ain't nothing. Not just individuals, but also orgs could then make money from private contracts based on their reputations? This should be the benchmark of trust. Could there be anything better?
Are you certain that CVEs are a good indicator?
Excellent question. No, I am not. I am just attempting to use my very limited knowledge on this subject to hopefully further discussion on a topic that feels really important.
I would love other people to jump in and elevate this conversation.
Sure, CVEs might not be the ideal metric. Could you, or anyone else, suggest a better metric?
If GitHub is too lethargic to do even contemplate this type of change, maybe this could be a differentiator for GitLab?
Copilot for sure should be able to describe the code and spot basic malware
LLM or human, what if they both competed in some sort of "I have the least CVEs in my endorsements list" battle?
This would actually be an excellent LLM coding benchmark,[0] in addition to a human endorser benchmark.
[0] If nobody is already doing this, especially retrospectively, and you do, then please at least give me a shout out. :)
You can get rid of legacy OS like Windows or Linux that cannot run applications in the sandbox and switch to those which can. In this case the malware only gets a sandbox and not the whole system.
If you work for a commercial company then you should not download the code from random users on Github for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
I don't get it, is there priviledge escalation attacks for windows? I haven't logged in as an administrator since 2005 or so.
We know we can hit the windows key and type "sandbox"? (May need to "install" it from windows features.) Right?
There are software packages that let you snapshot the files and checksums, then compare again after you've run your test program / installer / whatever.
You can make this software "portable" so you don't have to install it every time. You can copy and paste into the sandbox from your windows desktop and drives.
Obviously this isn't sanboxie or nix or an immutable file system or anything, but let us not pretend it's 1996 and "GoBack.exe" hasn't been invented yet.
Where did you get the idea that Linux cannot run applications in a sandbox?
They can - if you write the sandbox and adapt applications to it. What I meant is that the sandbox should be built-in into a distribution.
Also, I did some research and the sandbox is difficult to implement because you need to stub literally every facility (because Linux was not designed for sandboxing). For example, I had to write an emulation of /proc in Python using FUSE because many apps rely on reading files there but granting them full access leaks too much information about your system and is not secure. Now think how much time you need to stub every API, including undocumented APIs like /sys, ioctls and so on.
This is a solvable problem thanks to llms
Unless there is a comment "this code is actually safe, it's done this way for optimizations", or a variable called "thisCodeIsSafeItLooksWeirdForPerformance" and the LLM just ignores the backdoors.
Well it all comes down to trust eventually, you cannot inspect every single line of code of every programs you want on run on your computer. Nowadays even Github stars are not worth that much trust because malicious actors can just make fake accounts or buy them.
The number of new GNU/Linux distros that have appeared since 1994 that just compile stuff into binary packages not even paying attention to the fact that the source can be inspected, is just staggering.
I don't see any hint on how to recognise, or how not to recognise them. Did the projects have lots of stars? Fake issues and pull activity? What kind of software did they claim to be? Did they work, to avoid it being obvious after executing and the user reporting the repository to Github? How hard was it to spot the malware, underhand C contest level or obvious if you just open the right file (among hundreds, I guess) and see it do illegitimate things?
All it says is that the projects were written in different common languages...
You need to click through to the actual investigation
https://securelist.com/gitvenom-campaign/115694/
I'm in Canada and I just get auto-redirected to the kaspersky.ca home page when I try to visit the link.
They link here [0] for more details, which might be less geo-intercepted.
[0] https://securelist.com/gitvenom-campaign/115694/
Honestly, whenever some malware like this is revealed, that just makes me wish for more sandboxing and alerting in OSes. For example, each app getting its own writable directory structure and access to anything else needing to be explicitly granted by the user.
It would require work to make the UX not be horrible, but that's a solvable problem. The fact that we don't have that in mainstream OSes in $CURRENT_YEAR given the security situation of the software out there, is insane.
Agree. And code libraries should be similarly isolated.
Kaspersky is now banned for government use in multiple nations. Whilst there is some good work happening there, as above, for the most part, they should be considered a state actor for Russia.
That usually means that they're a threat, and these small good tokens are nothing more than PR efforts.
You can't avoid politics, when considering this company.
All cyber security companies should be considered state actors. Even if they currently aren't it's too easy for a state to coopt them.
If you build an antivirus software today, and tomorrow you get a secret court order to ignore certain malware for "national security" what are you going to do? What if it's a request to include a small binary payload in return for a lucrative government contract, with implied threats of what happens if you leak the request? You can decide not to do it and just shut down, but then the only ones left on the market are the ones that complied.
If you do cyber security for more than just compliance, evaluating the software providers against your threat model was always an important step. Whether that means avoiding American, Chinese or Russian software. In the threat model of a Western government agency, Russian software should have have been off limits since the 50s (even if Kaspersky tries to tell you they are not Russian at all).
That still doesn't mean their work is any less interesting or praiseworthy. Just like how you know NASA landed on the moon because Roscomos didn't dispute it, Kaspersky can do work and offer perspectives that might be more difficult for similarly sized western cyber security companies.
I'd heard of gag orders, but I hadn't heard of secret court orders like that. I searched and found this:
https://www.aclu.org/news/national-security/secret-court-opi...
Do you know of other examples?
Australia's Assistance and Access Orders (TAN, TCN, etc.) [0] basically allow the government to order mandatory backdoors into various software. They do have some oversight, but it isn't significant. They can order any employee, not just the company.
The wording is also... Squirelly. You can't introduce a weakness, but the definition of weakness excludes the entire concept of backdoors.
However, Technical Capability Notices can be ordered where:
> reasonable, proportionate, practicable and technically feasible
The employee/company can push back and argue one of those isn't met, but ultimately it is the office of the Governor General that decides.
So far, it has basically only be used against journalists [1], as far as we know, which is nice and horrific.
[0] https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
[1] https://www.abc.net.au/news/2019-07-15/abc-raids-australian-...
Maybe don't put too much into the word "court order", but instead interpret it as an order from the government to force the company to use the tool for the governments/country's benefit.
One could also assume that the owners and/or management of the company are in the same boat as the government/country so they do not mind using the tool for the country's benefit when needed.
That's why I choose my anitivirus software based on the jurisdiction, not on technical comparisons.
It is not very fair singling out Kaspersky and assuming that other AV companies are not a threat to foreign countries. Foreign software and hardware is always a threat. And US was caught spying even on their allies.
The US, while hardly benign, have not orchestrated multiples of "largest attack in history", for multiple previous years in a row.
Russia and China, have.
The threat scale here, is not an even playing field.
> The US, while hardly benign, have not orchestrated multiples of "largest attack in history"
You must be using a very personal interpretation of what "largest attack in history" is.
The US is literally the owner and operator of the largest surveillance and intelligence collecting apparatus in the history of mankind. I bundle in here all kinds of legal and illegal surveillance, interceptions, hacking, etc. directly state run, or leveraging other intelligence agencies, or leveraging the largest private data collectors in the world which are mostly US companies. It was already proven by the Snowden leaks, it's absolutely reasonable to assume this apparatus only grew stronger.
If that's not a never ending "largest attack" on everyone in the world I don't know what is.
Russia attacked ukraine but what did china do?
"Chinese hack of US telecoms compromised more firms than previously known" - https://www.reuters.com/business/media-telecom/chinese-hack-...
"Chinese hackers are deep inside America’s telecoms networks" - https://www.economist.com/china/2024/12/12/chinese-hackers-a...
You can't ignore this fact: The US and Australia partner on Pine Gap, which violates the human rights of literally billions of human beings every single second of the day.
Russia and China have a long way to go to catch up.
Sorry, but that's crazy exaggeration. Calling snooping "violation of human rights of literally billions of human beings" just because "privacy" gets a mention in the UNDHR doesn't make it as bad as anything Russia and China have done lately. And that's not even touching upon what "privacy" would mean that that declaration.
And Russian state is still bigger threat then the others (and current US leadership counts as almost Russian anyway)
Ironically, we are having similar discussions regarding US companies if the trend with the current administration is to continue.
The big difference is that as of today, we are currently stuck with available alternatives, but it won't surprise me if many goverments start looking back into the computing diversity infrastructure that we had during cold war days.
The US is on a path to un-ban Russian state affiliated companies.
https://www.nytimes.com/2025/03/02/us/politics/hegseth-cyber...
That the Pentagon has announced it will cease defending Americans against Russian threats hardly means that Americans are not threatened.
Or it means that the original bans were primarily instituted because of myopic geopolitics and not because of any meaningful threats. In particular US ire towards Kaspersky grew rapidly after it was the only antivirus that picked up on NSA/'equation group' malware.
It's similar how the US banned all cooperation with China in space [1] because of some tropes about them being unable to do anything except steal American tech. That's why, to this day, there are no Chinese on the ISS. After that law China proceeded to develop, launch, and man their own space station, put a rover on Mars, and even carry out an unprecedented sample return mission from the dark side of the Moon, and just generally run circles around the US (except perhaps SpaceX) in space. Interestingly US researchers may not be able to access those Moon samples (which China shared with scientists worldwide) due to this stupid law.
[1] - https://en.wikipedia.org/wiki/Wolf_Amendment
Regardless what the original story behind the Kaspersky ban was, if you genuinely don't think that a Russian antivirus company represents a state-controlled threat to US organisations, public and private, in 2025 then I don't know what to say to you.
After the initial US allegations they moved their infrastructure and customer data over to Switzerland intentionally leaving them subject to both EU and Swiss customer data protection laws, and also opened up various hubs to enable interested parties to review their source code on demand, if desired.
I don't think every Russian company is conspiring against the US anymore than I think every US company is conspiring against Russia. In this case there's a clear and malicious motive for the US to want to block them that has nothing to do with threats, and they've gone way beyond any sort of reasonable standard to make it clear they have no ill intentions whatsoever.
Of course the problem is that proving you're not a witch is basically impossible, which is why innocent until proven guilty is a standard across the world, except when it comes into geopolitics when allegations are proof, leaving the accused parties to prove a negative.
Not if US and Russia become “allies”. Then UK/EU companies will become a bigger “threat”.
It should go even further e.g. you don’t want ARM installing backdoors on their chips and giving hostile foreign organizations like the MI6 access to vital American infrastructure, intelligence data etc. do you?
It might be the time to consider switching to Elbrus or at least mandating that all devices used by US government agencies have to use Intel’s chips.
I think the more prudent approach in the modern age is to simply assume that all states control organizations within their midst with the intention of posing a threat to citizens - foreign and domestic - and a misplaced trust in ones own state above all others is not only naive, but super dangerous.
If you're not holding your own government to the standards you apply to other states, you're putting yourself in danger.
Especially given the fact that the USA and its partners operates the largest, by far, information gathering/human rights abusing apparatus with well-known subversive purposes, by a long margin..
I think the argument is that non-cooperation represents a much greater long term threat to everyone involved than cooperation, collaboration.
Increased collaboration between the Russian state and the American state is bad for the ordinary citizens of both — and for freedom-loving people in Ukraine, Europe, and everywhere else.
The US and Russia are the biggest nuclear powers in the world. Positive relations here are good for absolutely everybody. Positive relations do not mean one has to approve of the political system, ideology, or whatever else of the other side. See: Saudi Arabia which remained a key ally for many decades in spite of being wayyyyyy further off the spectrum (relative to the US) than Russia could ever be.
Overtly adversarial relationships trend towards violence, sooner or later, and that's not a path we ever want to go down.
The US has turned towards enabling Russia’s imperialist war, and the Pentagon article explains how it will unilaterally disarm in the face of Russian cyberwarfare, leaving Russian criminal groups to run rampant in Europe and even the US. Abetting conquest and criminality is not the sort of collaboration we should cheer.
Wars are largely started because of poor relations. The US overtly supported and encouraged an effort within Ukraine to overthrow a democratically elected president because he moving more towards Russia than the West. Russia then ended up invading Ukraine for fears of having NATO not only right on their doorstep, but right in their geographic Achille's Heel.
If the US and Russia were on good relations none of this would have happened, Germany's economy would still be booming, and just about everybody would be so much better off today. And no, the article does not say the Pentagon will "unilaterally disarm." It ordered a halt to offensive operations against Russia - e.g. the Russian government which is certainly going to be reciprocated. Criminal elements are a different topic, but I do expect as relations between US and Russia warm, they will no longer be looking the other way when these groups target the West.
Bullshit, after Ruzzia invaded Ukraine in 2014 you still have the ability to pretend Ukrainians did not really want to join EU and NATO and USA, Israel and Illuminaty caused the Ukrainians to protest their president that promised the West and then betrayed the people by going East.
Typical Zed propaganda where Eastern Europeans are all brainwashed to hate the good, kind Ruzzian empire. if you are USaians then go and fix your history and stop consuming MAGA and Zed propaganda.
> meaningful threats
True, they cease being “meaningful” the moment you surrender and stop viewing them as threats.
OFC it’s all relative, Russia and similar actors having more political/economic influence in the US (and by extension globally) might not be viewed as a negative by some people.
I appreciate your tangent wrt US vs China in space.
TIL: I had no idea China had already launched their own space station: https://en.wikipedia.org/wiki/Tiangong_space_station
Meh, or it was meaning threat, it is just that Trump is myoptic and completely under Putins control.
By the same logic, Google, Apple, Amazon, Microsoft should be considered state actors.
Why, yes.
Please feel free to point out where the CIA successfully issued directives to those companies to target foreign nationals.
Baring in mind, that Snowden's revelations did in fact cause outcry, and national responses to US companies. And helped push through various data protections in Europe, including stipulating non-sharing of data with the US.
Hmm, so what is your opinion of what the NSA is doing these days?
"Thank god for the GDPR"
Has this been proven? Or is this another 'they are in a foreign country so they could be compelled to spy on us?' - not that I have a particular desire to defend Russia at this moment in time.
This is a fair question.
I also get nitpickity about it.
Not because some organization or some person is Russian, then it must be under the control of Putin.
Pavel Durov is Russian, and I don't have reasons to believe he syphons my data to the Kremlin (other than getting randomly detained in France).
Why not judge on the merit. Unlike PRC's deepseek or tiktok which were shown and admitted to collect all sorts of data and specifically influence public opinion to favor a foreign interest this is literally just information, white hat infosec research
You cannot divorce the company from their other actions. They are engaged in cyber warfare with various nations. That means that all of their actions need to be weighed and judged.
They put it on their website, which makes it company PR, regardless of how it might be seen. Good things have been done by terrible actors, since the dawn of time. It is not information alone.
In that vein Europe should have 0% trust in any US software or hardware. We are not that much friends anymore, in fact US is currently actively helping our existential enemy and subverting us.
Remember of scandal with US spying directly all European top politicians? This was in quiet times compared to now.
To paraphrase you, terrible things have been done by good actors. You cannot divorce state from its other actions in same area neither. I don't think I need to bring up numerous fuckups of US 'defense' and secret services that literally killed tens of millions civilians in past 100 years across whole globe, with very little to show for and claim 'it was worth it because we achieved XYZ'.
As of now? I am making noise with my government on the US. The nation has dismantled their protections, they have an unhinged preacher of hatred in the White House, and he has a proven record of breaking international agreements.
Starlink and Tesla are security concerns.
The US' current attitudes suggest that they would very much like to see world war three. And would like to ally with Russia to make it happen.
Recklessly endangering international agreements will not be without consequences.
careful or you would have to divorce google because of their actions but the larger question is, will you?
I don't believe Google has directly caused the leaking of classified information, or attacking vital infrastructure, as of yet. Kaspersky, yes [0]. TikTok, yes [1]. Google do, however, publish information on commercial spy networks [2].
However, it is likely that I would do so if they show themselves to be an enemy of my nation. If you've found Google attacking a government, I'm sure plenty of people would love to see the evidence.
[0] https://securityaffairs.com/174586/intelligence/australia-ba...
[1] https://www.nytimes.com/2022/12/22/technology/byte-dance-tik...
[2] https://storage.googleapis.com/gweb-uniblog-publish-prod/doc...
Your first link doesn't show any evidence of, or even suggest that, Kaspersky has attacked Australia.
It shows only that the Australian government expresses concern over the capability, which doesn't seem entirely unreasonable and also politically motivated.
Oceania has always been at war Eastasia, and all that.
> Entities must manage the risks arising from Kaspersky Lab, Inc.’s extensive collection of user data and exposure of that data to extrajudicial directions from a foreign government that conflict with Australian law.
That's not concern of possibility. That's acknowledgement of exfiltration of data, back to Russia. Past tense.
This is political, yes. But only insofar as all actions of one nation against another is political. Australia go to some lengths not to piss Russia off. If things were not so political, then the response would likely be much greater, not less.
What user data? Telemetry from using their antivirus products? Is that what they’re talking about?
Are you weighing and judging thAt USA has killed millions of innocent people because of American Military Industrial complex before buying American products? You can’t divorce a company from it’s countries politics as you say.
If you are not judging the USA at the same standards as you do other countries then that would be very hypocritical.
The first few years of my life were in Bolivia. Where our prime minister, for the sin of being elected by the people, was shot dead on the streets of the capital, a street I lived on, by the CIA. I still have friends, who serve Morales today. I am well aware of the sins of the US.
Until Trump, the USA was not a direct threat to the nation I now live in. However, nuance is lacking in your response.
You cannot divorce a company serving its government, from the politics it lives in. There's little evidence of Y-Combinator, for example, of endeavouring to upend their entire business to serve as spies for the USA. If Kaspersky was divorced from the KGB, politics would not be as considerable a context for understanding their actions.
> You cannot divorce a company serving its government
I would extend that to "a company bound by law", since governments can change. [0]
Most people here argue that google, etc. have not been caught stealing/leaking data yet, as if Snowden didnt happen. And as if any foreign citizen data isnt fair game to US juristiction. [1]
0: https://en.m.wikipedia.org/wiki/Protect_America_Act_of_2007
1: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20...
So it only matters when it’s direct threat to you huh? All those people who suffered in the Middle East don’t matter? Cool story bro.
The whole point to reading an article like this is to get the considered opinions of an expert, though, not to "judge it on the merit". Only an elite handful of security folks here on HN (and this is one of the few forums where you can find them!) are capable of doing that.
So sure, when another security wonk comes along and says "Kaspersky is right about this", I think it's worth discussing. Until then, we need to assume that any communication from the company is compromised by unstated interests. Not all of it is, surely, but some probably is, and "judge it on the merit" isn't a good standard to detect the bullshit.
Not since today- russia is no longer to be threated as hostile and all cyber attacks planned on it have to yield.
[flagged]
Russia is currently waging an actual war of invasian. They are constantly threatening multiple countries with invasion and nuking.
Well said.
[dead]