On the Inspection of Anti-Virus Source Code to Demonstrate the Lack of Offensive Cyber Capabilities
A recent AP story notes that senior U.S. intelligence officials have advised Congress to steer well clear of Kaspersky's products. In response to such U.S. government concerns, Eugene Kaspersky has offered to allow the inspection of the source code of his anti-virus products.
Published by The Lawfare Institute
Without commenting one way or another on the underlying matter, that is, whether or not Kaspersky security products have any built-in offensive cyber capabilities, I note that even a source code inspection may not shed much light on the matter. At best, it could establish that the products themselves contain no specific offensive cyber capabilities. However, even if this were true, it is easy to imagine that those products might be used to facilitate an attack.
The reason is that the source code of such products (i.e., the program) is different from the malware databases from which these products operate. The malware databases contain “signatures” of known malware. The program compares the signature of incoming files against signatures in the databases and blocks incoming files whose signatures match something in the databases. Thus, the protective value of any signature-based malware protection program (most antivirus products qualify as such) depends on having as many signatures in the relevant databases as possible, and not on the program per se, which simply does the comparison.
What if the malware database does not contain the signature of malware X, which happens to originate from Russian intelligence? The product will not detect it, and malware X will penetrate to the user’s machine and do its offensive dirty work.
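The following is an added illustration, not code from the original article or from any vendor's product. It reduces a signature-based scanner to what the paragraph above says it is, a lookup of a file's signature in a database, and then runs it against constructed databases for three hypothetical vendors (the vendor names, file names, byte strings and "signatures" are all made up for the demo). Reading `scan` tells you nothing about why `malware_x.bin` gets through; only the contents of the database decide that, and the only outside-observable evidence is that other vendors' databases carry a signature this one lacks, which is exactly the comparison the article later describes.

```python
"""Minimal signature-based scanner (added example, constructed data only).

Not Kaspersky's engine or anyone's real signature database; every sample,
signature and vendor below is invented for illustration.
"""
from __future__ import annotations

import hashlib
from typing import Dict, Set


def signature_of(data: bytes) -> str:
    """Here a 'signature' is just the SHA-256 of the file contents.
    Real engines use richer patterns, but the comparison logic is the same."""
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, database: Set[str]) -> str:
    """The entire 'program': look the signature up and block on a match.
    Inspecting this function reveals nothing about what `database` omits."""
    return "blocked" if signature_of(data) in database else "allowed"


# Constructed sample files (not real malware, just distinct byte strings).
SAMPLES: Dict[str, bytes] = {
    "known_worm.bin": b"constructed sample A",
    "known_trojan.bin": b"constructed sample B",
    "malware_x.bin": b"constructed sample X",  # the 'malware X' of the text
    "payroll.xlsx": b"constructed benign document",
}

# Constructed vendor databases: vendor_a has no signature for malware X,
# for a reason the data alone cannot explain.
VENDOR_DBS: Dict[str, Set[str]] = {
    "vendor_a": {signature_of(SAMPLES["known_worm.bin"]),
                 signature_of(SAMPLES["known_trojan.bin"])},
    "vendor_b": {signature_of(SAMPLES["known_worm.bin"]),
                 signature_of(SAMPLES["malware_x.bin"])},
    "vendor_c": {signature_of(SAMPLES["known_trojan.bin"]),
                 signature_of(SAMPLES["malware_x.bin"])},
}


def scan_all(database: Set[str]) -> Dict[str, str]:
    """Verdict of one product (one database) for every sample."""
    return {name: scan(data, database) for name, data in SAMPLES.items()}


def coverage_gaps(vendor: str, dbs: Dict[str, Set[str]]) -> Set[str]:
    """Signatures every *other* vendor carries but this vendor does not.
    This is the only externally observable evidence of an omission, and it
    cannot distinguish a deliberate omission from weaker coverage."""
    others = [db for name, db in dbs.items() if name != vendor]
    common_to_others = set.intersection(*others) if others else set()
    return common_to_others - dbs[vendor]


def second_opinion(data: bytes, dbs: Dict[str, Set[str]]) -> str:
    """Running several products: blocked if any one database knows the sample."""
    if any(scan(data, db) == "blocked" for db in dbs.values()):
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    for vendor, db in VENDOR_DBS.items():
        print(vendor, scan_all(db), "gaps:", len(coverage_gaps(vendor, VENDOR_DBS)))
    print("second opinion on malware_x.bin:",
          second_opinion(SAMPLES["malware_x.bin"], VENDOR_DBS))
```

With the constructed databases, `vendor_a` lets `malware_x.bin` through while `vendor_b` and `vendor_c` block it; `coverage_gaps("vendor_a", ...)` surfaces exactly that one missing signature, and `second_opinion` shows why layering products raises the probability of detection.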
Why did the database not contain X’s signature? This is the critical question—and it’s impossible to answer. Here are two possibilities:
- The signature of X may be missing for entirely innocent reasons—all malware databases are incomplete, and the completeness of coverage of extant threats is a point on which security vendors compete. The incomplete nature of coverage for any given product is why many people, me included, run second and third opinion anti-malware products—we wish to increase the probability of detection so that something not caught by product A is caught by product B or C.
- X’s signature may be missing for less innocent reasons as well—perhaps Russian intelligence asked the vendor to refrain from including it in the database.
From the outside, there’s no way to tell whether either is true.
Would inspection of the malware database help? Not really. Such inspection would reveal only what can be caught, not what can’t be caught. The only way to shed light on whether X was deliberately omitted from the database would be if X’s signature were present in the databases of a number of other security product providers—if that were true, then one could conclude either that Kaspersky deliberately omitted X’s signature, or that Kaspersky’s product was considerably less sophisticated than those of its competitors. But again, the information derived could not differentiate between these two outcomes.
I realize that Kaspersky antimalware products do not rely exclusively on malware signatures to provide protection. Inspection of source code would provide useful information on a product’s detection capabilities for malware without known signatures. But for the most part, the analytical techniques used for such detection are heuristic in nature—that is, they are based on a number of rules derived from observations of how malware usually works (see here for a discussion of Kaspersky’s take on this matter). Malware that takes an approach not covered by these rules will not be detected. In the end, we would be left with the same problem—is a heuristic rule missing because Kaspersky’s engineers were not sufficiently clever or because they deliberately omitted a rule that would have caught some alleged Russian malware?
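As an added example (not Kaspersky's engine, rules or code), the toy detector below shows what a heuristic rule set looks like in practice: each rule is a predicate over the observed behaviour of a program, here written as a constructed list of action names. A sample whose behaviour falls outside every rule is reported clean, and the rule set itself, like source code, reveals only what it covers. The rule names, action names and traces are all invented for the demo; `with_extra_rule` adds a rule that would have caught the sample, and nothing in either rule set tells you whether that rule was never written or was left out.

```python
"""Toy heuristic (rule-based) detector, added as an illustration only.

Rules, action names and behaviour traces below are constructed for the demo
and are not taken from any real product.
"""
from __future__ import annotations

from typing import Callable, Dict, List

# A behaviour trace: the ordered actions a program was observed to take.
Trace = List[str]
Rule = Callable[[Trace], bool]

# Generic examples of observation-derived rules of the kind the text describes.
HEURISTICS: Dict[str, Rule] = {
    "persistence_then_beacon": lambda t: "write_autorun_key" in t and "outbound_connect" in t,
    "mass_file_rewrite": lambda t: t.count("overwrite_user_file") >= 3,
    "self_injection": lambda t: "open_other_process" in t and "write_process_memory" in t,
}


def matched_rules(trace: Trace, rules: Dict[str, Rule] = HEURISTICS) -> List[str]:
    """Names of every rule the trace triggers (empty if none)."""
    return [name for name, rule in rules.items() if rule(trace)]


def verdict(trace: Trace, rules: Dict[str, Rule] = HEURISTICS) -> str:
    return "suspicious" if matched_rules(trace, rules) else "clean"


# Constructed traces (hypothetical programs, not real malware behaviour).
TRACES: Dict[str, Trace] = {
    "ransomware_like": ["overwrite_user_file"] * 4 + ["outbound_connect"],
    "persistent_beacon": ["write_autorun_key", "sleep", "outbound_connect"],
    # 'Malware X': behaviour none of the rules above describes.
    "malware_x": ["read_user_file", "read_user_file", "outbound_connect"],
    "word_processor": ["read_user_file", "overwrite_user_file"],
}


def scan_all(rules: Dict[str, Rule] = HEURISTICS) -> Dict[str, str]:
    """Verdict for every constructed trace under a given rule set."""
    return {name: verdict(trace, rules) for name, trace in TRACES.items()}


def with_extra_rule(rules: Dict[str, Rule]) -> Dict[str, Rule]:
    """Return a copy of the rule set with one more rule that covers X.
    Comparing the two rule sets shows a gap, not the reason for it."""
    extended = dict(rules)
    extended["bulk_read_then_beacon"] = (
        lambda t: t.count("read_user_file") >= 2 and "outbound_connect" in t
    )
    return extended


if __name__ == "__main__":
    print("base rules:    ", scan_all())
    print("with extra rule:", scan_all(with_extra_rule(HEURISTICS)))
```

Under the base rules `malware_x` is reported clean and the benign `word_processor` trace stays clean as well; adding the extra rule flips `malware_x` to suspicious without changing the other verdicts, which is the whole of what a rule-set inspection can show.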
Again, I’m not casting aspersions on Kaspersky or Russia in this argument—one could substitute any vendor and any government for these names. Nor is this piece intended to suggest that Kaspersky is or is not what he claims to be—a vendor interested in the best possible protection for its customers. But the question of whether or not Kaspersky is in cahoots with Russia will not be resolved by access to source code or even to the malware signatures in the Kaspersky databases.