Forgot your password?
typodupeerror
Security The Internet

Kaspersky Source Code In the Wild 154

Posted by Soulskill
from the somebody-get-attenborough-to-find-it dept.
mvar writes "The source code of an older version of 'Kaspersky Internet Security' has been circulated on the internet. The code was created in late 2007 and was probably stolen in early 2008. Names contained in the source indicate that the stolen code was probably a beta version of the 2008 software package – the current release is Kaspersky Internet Security 2011. According to a Russian language report by CNews (Google translation), the code was copied by a disgruntled ex-employee. The thief has reportedly been trying to sell the code on the black market for some time, and Kaspersky says that the code archive already appeared in various private forums last November."
This discussion has been archived. No new comments can be posted.

Kaspersky Source Code In the Wild

Comments Filter:
  • And, in other news, Microsoft has released Windows 95 to rapturous applause.

    Is there a difference?

    How many people (perhaps apart from malware writers) will really be affected by this disclosure of the source for some 4-year-old software?

    • by nicholas22 (1945330) on Monday January 31, 2011 @06:13PM (#35061058)
      This probably comes as news to you (you're not a developer, are you?) but when you build new software, you basically build upon older code. So yes, even the extreme scenario you talk about, would cause some headaches to Microsoft.
      • by armanox (826486)

        Not as much as you imply, seeing that the DOS-based platform and Windows 9x were both abandoned in favor of the NT-based platform (which traces back to OS/2).

        • by joshki (152061)
          NT actually traces its roots to VMS, not OS/2...
          • by belmolis (702863)
            The designer of NT came from a VMS background but NT was not based on VMS code.
            • >>>The designer of NT came from a VMS background but NT was not based on VMS [or OS/2] code.

              FTFY. And Netscape's designers came from their previous creation Mosaic for Amiga, Mac, and PC, but Netscape was not based on Mosaic code. Many moons later the Mozilla Suite spun-off from the never-released Netscape 5, and eventually became Seamonkey, but lo the users were not happy with Seamonkey's bloat, so they split-off the browser half and called it Firefox. And it was good.

              Thus spake the book of moz

              • by DarkOx (621550)

                Not really, the old Navigator was just called the Mozilla suite until Firefox shipped. The Seamokey project is run by a group that still wanted to continue development of the suite, which by the way is now no bigger than today's bloaty Firefox, used the same engine so displays pages exactly as well but offers more features and is an all around SUPERIOR browser. Firefox was good when it was actually smaller but these days is pretty pointless. What the should do is keep the FF name because its well markete

              • by joshki (152061)
                There are a whole lot of people who disagree with you. NT was VMS, reimplemented.
          • by morgauxo (974071)
            NT was built on Multics code, extended with concepts from VMS
        • by DarkOx (621550)

          That may be so, but its not the bottom in kernel level stuff anyone is interested in the Windows code base leaking for (well some crackers and other criminals might be) there are plenty of FOSS kernels that are every bit as good on NT to choose from. What's good about Windows is the stack of libraries. Lots of those are present in WIndows 9x and the complete source to Windows 95 even today would be of great use to someone who wanted to support win32 subsystems on top of some other platform.

      • by calzakk (1455889)
        Not necessarily true. I worked for an AV company several years ago. While the legacy product was in maintenance, a completely new version was in development and used very little code from the original product.
    • by hairyfeet (841228) <bassbeast1968@gma i l . com> on Monday January 31, 2011 @06:27PM (#35061184) Journal

      Actually MSFT releasing the Win9X source would be WONDERFUL news, because if you haven't tried it Win9X can make a great embedded OS [embeddingwindows.com] with better driver support and lower specs than pretty much any embedded OS out there.

      And as for why anyone would care about TFA, that's simple: Often you don't "throw the baby out with the bathwater" and significant portions of the code will be reused. This means the black hats pretty much have a roadmap to use to trash Kaspersky AV. Even if they didn't use much of the previous code it most likely will allow them to see how the Kaspersky AV team treats PC resources like memory, giving them a good idea of where the weak spots are. Bad news for Kaspersky users I'd say.

      • That page you linked to is insane. "Enhanced security"? From Windows 9x and its legendarily bad TCP stack, not likely. "Advanced next generation hardware support"? What about all those WDMI-only drivers from the current generation, guys? Or using more than 256 MB of RAM? Or a hard drive with more than 20 GB capacity? It's schizophrenia at its best!
        • by Sarten-X (1102295)
          Right... Because the computer I built as a recipe box for my kitchen certainly needs 8 GB of RAM, 3 TB disk space, and a video card that can ray-trace 1080p in real time.
          • So what are you trying to say? That a Win98 box is "next generation" compared to most embedded systems? 'cause otherwise, the fact stands that the EOS guys are spinning total BS.
            • by Sarten-X (1102295)

              I'm saying that arbitrary hardware requirements do not have any relation to how well something actually does its job, and the examples you gave are ridiculously off-base for an embedded system in the first place.

              As an example, ATMs get new anti-counterfeiting devices all the time (certainly often enough to refer to any particular device as "next-gen"), yet they run old operating systems without significant problems. Sure, there's the occasional virus, but the overall rate of infection is far lower than desk

              • Hold up: we're not talking about visiting natural satellites here. The page advertises EOS for web kiosks and FTP servers. An FTP server is probably something you want to have considerable disk space for, web kiosks by their very nature have to be user-accessible (and thus virus-prone!), and both are going to be relying on that TCP stack. So you may want to look more closely before making generalisations about the typical usage of the word "embedded".

                Check out this quote: "EOS is Secure. Security for bot
                • by Sarten-X (1102295)

                  Also [embeddingwindows.com] industrial control and monitoring, remote instrumentation and telemetry, smart appliances, and research.

                  An FTP server probably needs a TCP stack, but it likely doesn't need support for laptop power management. On the other hand, a remote monitor might need to run with a backup battery, but communicate over a serial line. Again, embedded systems involve a lot of choices. The field of embedded machines is enormous, and there is certainly no single OS (and especially no single configuration) that will fi

            • by tehcyder (746570)
              Windows 9x is "next generation" compared to MS-DOS.
          • by h4rr4r (612664)

            No but it should be running a better OS. No issue at all getting linux into something like that, pretty common in the embedded world already.

            • by Sarten-X (1102295)

              It currently runs Debian, stripped down to about 100 megs, and that's with only removing packages. A friend of mine (who is more familiar with the Linux internals) says that figure can easily be cut in half. The spare hard drive I stuck in the box is 2 GB, so I'm not particularly worried. Text recipes don't take that much space.

              The first version I set up actually ran Windows 98, because I had originally written my recipe program in Visual Basic. It has since been translated to a language that causes less pa

              • by tehcyder (746570)

                I had originally written my recipe program in Visual Basic.

                It takes a brave man to write a sentence like that on slashdot.

      • Embedding Win9X does not sound like a good idea security-wise if the device is going to go anywhere near the internet.
        • by hairyfeet (841228)

          Why is that? We are talking about an embedded OS not some desktop where you could surf with the thing. Most likely you would simply have a VPN connection to the main server to say process CC info for a purchase. And don't forget we are not talking vanilla Win9X but a stripped down version with only enough files/features to run the single app you are using it for.

          So I think you and the rest of the guys here are looking at it the wrong way. You can't judge this by running vanilla win9X on the net because th

          • by h4rr4r (612664)

            Still no reason to go adding the risks that come with win9x. Lots of better options available.

          • by dave420 (699308)
            Forget it. You will never win this one. Explaining that it doesn't run *anything* other than what you tell it to, and that it's not the desktop version, is pointless. Their minds are made up.
            • by hairyfeet (841228)

              It just goes to show you how rabid the blind hate and fanboyism is here on Slashdot. I mean when you point out the entire OS is fitted onto a 16Mb flash and hardwired to ONLY run a single app and connect to a single address and they STILL think it "is a security risk"?

              I'd sure as hell hate to have these guys work on anything at any of my SMBs as they are probably the type that thinks you can just slap any Linux or Mac on the net with no firewall or anything because "its not Windows and is safe from viruses"

      • by malloc (30902)

        This means the black hats pretty much have a roadmap to use to trash Kaspersky AV. Even if they didn't use much of the previous code it most likely will allow them to see how the Kaspersky AV team treats PC resources like memory, giving them a good idea of where the weak spots are. Bad news for Kaspersky users I'd say.

        The moment you give someone your binary you've given them your code, just in a harder to read format. Any black-hat that cares will merely read the disassembly. Original source code not required.

        -Malloc

        • by vegiVamp (518171)

          There's a very limited number of people who can actually read large swathes of disassembled code, though, and I believe the majority of that already small number has more interesting things to do than see what makes another antivirus suite tick.

          Well, until Kapersky manages to tick one of them off, that is.

          • by malloc (30902)

            I don't disagree but I think, by the same token, people that can't (or are too lazy to) read the assembly are less likely to have the m4d sk1lls (or attention span) to do something very serious with/to the anti-virus program. But, as you say, once you get into "ticked the general populace off" territory (instead of just "highly-skilled dude working for evil overlord for big$" territory), having the easier-to-read source laying around won't help.

    • by Beardo the Bearded (321478) on Monday January 31, 2011 @06:33PM (#35061246)

      Here's the thing.

      The people who write malware already have this code. They might not have the C source, but they've got a good handle on the IO flow and undoubtedly have it in assembly. Is this a game-changer for the malware writers? Not even remotely. Even if this was the source code for the latest version from 2011, it wouldn't change anything.

      "They" have access to the exact same software that we have. They can download Avast! or AVG or Kaspersky or MSE and write the malware to be untraceable under those security suites. Hell, if they really wanted it they could find disgruntled employees or cleaning crews and get access to the repositories for cash monies.

    • Works nowdays anyhow so... i really dont care.

      Besides, im on Linux.

    • by DrXym (126579)
      How many people (perhaps apart from malware writers) will really be affected by this disclosure of the source for some 4-year-old software?

      The answer is lots of people. Customers of Kaspersky may suddenly discover themselves infected with malware that sidesteps, disables or otherwise interferes with their AV or firewall software. Other people might receive emails offering "free" and apparently legit Kaspersky software which subsequently holds their machine to ransom, or installs a bot. And everyone else w

  • Pretty useless now (Score:5, Interesting)

    by ArchieBunker (132337) on Monday January 31, 2011 @06:12PM (#35061026) Homepage

    Code to a 4 year old anti virus app, whats that going to be worth? Kaspersky was great until a few years ago. Then one release made my parents older p4 system near unusable. It went from firefox loading in a few seconds to close to 30 seconds. Forums were filled with the same complaints and no real fixes. I changed to Avast and its been great.

    • Avira is also good. But Kaspersky is even better. You should use it with more modern hardware. Otherwise stick with Avast and all is good.
      • by h4rr4r (612664)

        Buy a faster computer just to run anti-virus?
        You windows kids make me laugh.

      • I used to be a big fan of Kaspersky, but their 2010 update is a real piece of junk. A failed update should not cause a corrupted database that it can't rollback from. It also should not give up and force you to manually download updates from their support website.

        And yet this exact thing kept happening every few months like clockwork until I gave up and dumped it. When it worked, it worked very well, but dang.

        • by markhb (11721)

          I got hit with something nasty a few years ago, and the first thing it did was disable my CA Antivirus (provided by my ISP) from updating. Lo and behold, there was no way that I could find to manually update CA AV at all. I finally was able to clean the machine using Kaspersky's online virus scanner, and I was sufficently happy with it that I bought the product; I'd be perfectly happy with the occasional manual database download if the alternative was having no way to update the signatures, ever.

          • Manual database download = press update button? fine. Manual database download = navigate through the vendors site looking for download-able updates = not fine. I can't think of any reason for this besides sloppy coding. Corrupted updates completely disabling the AV protection until I happen to notice, also = not fine.
      • by dudpixel (1429789)

        Avira is also good. But Kaspersky is even better. You should use it with more modern hardware. Otherwise stick with Avast and all is good.

        (emphasis mine)

        not according to av-comparatives.org. kaspersky has slipped behind quite a bit while avast and avira are still front-runners.

    • by giorgist (1208992)
      Simply it would be interesting to see if they have an GPL code or any questionable code in there.
      Open source using companies can be procecuted if the wrong thing slips in.
      Closed source companies can't be ...

      See Oracle Vs Google.

      G
      • by h4rr4r (612664)

        Sure they can. Quite common to run strings against binaries to see what you get. The busybox folks have sued more than one closed source vendor.

    • I changed from XP to Windows 7 and skipped anti-virus on my computer. Gmail screens all my documents I receive for viruses, chrome browser has pretty good security, applications I download are from legitimate sources, good backup and archiving, and the occasional malwarebytes scan (yet to find anything in 18 months). Why did I go this route? Well I found I had malware despite having a fully updated Mcafee AV on my XP computer. I realized safe computing and a modern OS would likely be enough for an educat
      • by Opportunist (166417) on Monday January 31, 2011 @06:46PM (#35061346)

        It's a very good start. Brain 1.0 is still the best virus scanner out there.

        Still, there are threats that can't be defeated that way. Scenario: Exploit in a major flash application that affects all possible plugins (since they are essentially the same with different interfaces to the browser), an iframe hidden in a webpage on a, say, hotel homepage you happen to visit because you are planning your vacation, infection complete. If you happen to dislike plugins, browsers themselves can have their loopholes (IIRC the MHTML hole already made it to /. today), not to mention that browsers do also rely on APIs in the end, which are the same, no matter what browser you use.

        I'm not saying get a AV tool. All I say is that there are still vectors you cannot defeat just by being careful. A system's security is the minimum of the user's and the system's ability. Not the average.

        • It's a very good start. Brain 1.0 is still the best virus scanner out there.

          Still, there are threats that can't be defeated that way. Scenario: Exploit in a major flash application that affects all possible plugins (since they are essentially the same with different interfaces to the browser), an iframe hidden in a webpage on a, say, hotel homepage you happen to visit because you are planning your vacation, infection complete. If you happen to dislike plugins, browsers themselves can have their loopholes (IIRC the MHTML hole already made it to /. today), not to mention that browsers do also rely on APIs in the end, which are the same, no matter what browser you use.

          I'm not saying get a AV tool. All I say is that there are still vectors you cannot defeat just by being careful. A system's security is the minimum of the user's and the system's ability. Not the average.

          I also use Flash Block :)

          You do make a very good point about flash as is your point that nothing is ever full proof. I felt after having done the "right thing" and getting malware, coupled with Mcafee not even allowing me to uninstall it completely, I was sick of the game and decided to try Brain 1.0.

      • by calzakk (1455889)
        Consider this: the legitimate source's website is hacked, and all its downloads are infected with new malware not yet seen in the wild. This remains unnoticed for several days, during which time the malware has been downloaded by hundreds or even thousands of users. By the time the AV companies get a sample, it's too late for all those downloaders...
        • Consider this: the legitimate source's website is hacked, and all its downloads are infected with new malware not yet seen in the wild. This remains unnoticed for several days, during which time the malware has been downloaded by hundreds or even thousands of users. By the time the AV companies get a sample, it's too late for all those downloaders...

          Sure these things can happen. But they are very rare. Risk am willing to take over the slow down AV software packages add to my nice clean system

      • by steelfood (895457) on Monday January 31, 2011 @07:23PM (#35061724)

        But that's not what an AV is for, despite the industry trying to market it as such. Antivirus software is reactionary. The company has to receive an unknown virus and analyze it before they can put the virus in the next definition file update. And any heuristics module included is typically useless against all but the most basic attacks.

        AV is at best a catch-all for uncontrolled or uncontrollable situations. Office computers, shared family home machines, etc. that are subject to illogical users' whims would benefit from AV. But AV cannot stop zero-day exploits, cannot prevent malicious JS, and is completely useless against a determined attacker with physical access to a machine.

        Proper computer security addresses each attack vector separately. A properly-configured software firewall will take care of most of the threats though the network. In fact, hiding behind a NAT will take care of 99% of the zero-day threats; whitelisting outbound traffic is just good security practice. Noscript and safe surfing habits will guard against anything coming in through the browser. Obviously, preventing unauthorized physical access to the system requires physical security.

        All AV will do is maybe stop that infected autorun from your kid's buddy's flash drive, or delete that exe file you accidentially downloaded from a questionable site you were surfing. But that's what's it's really there for:all the cases you don't really know or expect to have to guard against.

      • by Haedrian (1676506)

        Not recommended.

        A bunch of malware nowadays appears on:

        1. Hacked Websites
        2. Advertising

        Yeah, if you disable JavaScript and Flash you might have a 'safe experience'. But then if your favourite news website gets hacked, you'll catch a virus.

        Its not worth it , truly. Or, your flash drive might get infected from someone (there was a printing bureau which actually had this sort of worm on their pcs - infected tons of people).

      • So... how much do you trust that flash plugin you got? How about silverlight?

        And McAfee is really quite mediocre as AVs go. Avast | AVG | MSSE are all far better.

    • by ic3p1ck (597610)

      Well, if your assertion is correct, then wouldn't the 4 year code be worth quite a lot? Seeing as it is a better version before it went downhill?

    • by Patch86 (1465427)

      I know it's never likely to be popular on these message boards, but I've actually been having a good experience with Microsoft Security Essentials on the one machine I've tried it on. I've got other machines with AVG Free and avast! on, and MSE has come across relatively simple and light-weight. I'm told it has reviewed pretty well in AV testing too.

      Not that I have any complaints from any of the main free AV programmes I've used, but it's nice to see another decent option in the line up.

  • by nicholas22 (1945330) on Monday January 31, 2011 @06:12PM (#35061036)
    Another disgruntled employee. I wonder why he is disgruntled...
  • Stolen?? (Score:5, Funny)

    by Jaxoreth (208176) on Monday January 31, 2011 @06:13PM (#35061042)

    I wish them luck recovering it so they don't have to rewrite it from scratch.

    (Copyright infringement is not theft.)

    • Bhahahaha, what are you smoking man? What on earth makes you think they would rewrite everything?? This is the real world.
    • I bet now they wish that software could be multiplied easily. If that was only possible, I'd have this great idea where you could create a copy of your software, then store it somewhere safe in case some thief gets in, empties out your servers and makes it away with that big bag with that huge $$ sign on it.

      I'll be rich when this finally becomes possible!

      Dammit, I should have patented it before posting here...

    • Re: (Score:3, Insightful)

      by gilbert644 (1515625)
      Here's another one: Identity theft. Language evolves. Deal with it.
      • by Jaxoreth (208176)

        Here's another one: Identity theft. Language evolves. Deal with it.

        Calling copyright infringement theft is a deliberate attempt to equate infringers with criminals (or the result of having been influenced by same) -- not an accidental evolution of language -- whereas identity theft is, in fact, a crime.

        Furthermore, if someone copies your code then at worst you've "lost sales" but at least your program still works. If someone steals your identity, then your identity itself is compromised (in its function as a unique identifier) and your ability to use your identity is redu

      • by DittoBox (978894)

        The legal and economic definitions of theft indicate the loss of a physical item. If I steal something from a store, that item needs to be replaced. If I infringe your copyright by downloading your music, you've at worst lost a sale. The economic impact is a lot less because you're not actually losing real goods that already have work invested into them.

        Is it wrong? Yes.
        Does it suck? Yes.
        Is it a theft. No.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Here's another one: Identity theft. Language evolves. Deal with it.

        Heck no... framing bank fraud as "identity theft" puts the onus on the victim instead of where it properly belongs.

  • Kaspersky users might need to think about ditching their antivirus. The good news is Ubuntu will welcome them with open arms.
    • by sqlrob (173498) on Monday January 31, 2011 @06:37PM (#35061286)

      That won't work. The source for Ubuntu has already leaked.

    • Re: (Score:2, Insightful)

      You know what?

      Ubuntu can get viruses just as easily as other OSes. The Apache servers that control botnets aren't running IIS. Wine is a weak point, and Flash is a cross-platform single-point-of-failure. How many times have you blindly added a repository based on what some random untrusted person on the Internet tells you to do? I know I have.

      The only reason that it's not as 0wn3d as Windows is that Windows was easy pickings and has huge market share. Now the bad guys are going to focus on smartphones

      • by Anonymous Coward

        Certain people keep saying the only reason there's no such thing as Linux malware is market share.
        The fact that applications running on Linux can't alter system files has absolutely nothing to do with it.
        Prove it. Release your exploit already.

        BTW, Wine is notoriously bad at running malware.

        • by sqlrob (173498)

          Drop an executable in ~, change ~/.profile and ~/.bashrc to put those directories first, pwned.

          Easy to clean, true, but if you're not looking for it, it's not there. Also defeatable by mounting home noexec but how many user installs do that?

          • by unapersson (38207)

            That's still not an example of modifying system files. So you're dropping an executable in root then running some code to edit some files so you can run the executable. Isn't there some kind of circular reference problem there?

            • by sqlrob (173498)

              You can't modify the system files. Notice I said run from ~, not /.

              Arbitrary file write in a browser or plugin or mail client, and you're in, compromise. Granted, just for that user but that's all you need for most personal systems. It's more than good enough for a botnet - you can make connections out and harvest any e-mail addresses / private data from ~.

              There's actually an additional hole in *nix that's not present in Windows (or more accurately, Firefox on those systems). You can write a browser plugin

        • by djp928 (516044)

          This is mainly because Wine is notoriously bad at running anything.

      • by Anonymous Coward

        You seem to be confused about how botnets are currently being controlled.

        Hint: It's not through Apache.

  • by Anonymous Coward

    "The source code of an older version of 'Kaspersky Internet Security' has been circulated on the internet. The code was created in late 2007 and was probably copied in early 2008. Names contained in the source indicate that the copied code was probably a beta version of the 2008 software package - the current release is Kaspersky Internet Security 2011. According to a Russian language report by CNews (Google translation), the code was copied by a disgruntled ex-employee. The copier has reportedly

    • by halivar (535827)

      Everybody here understands exactly what happened. Nobody cares about the semantics. You have contributed nothing.

    • by exomondo (1725132)
      We all know what 'stolen' means in the context of data, it means 'copied without permission of the owner', im sorry you fail to understand that.
  • I have a lovely stapler at home.

  • Like Netscape, who released their source code so a bloated, unwieldy application could be improved upon and re-released as something that's actually functional, it seems Kaspersky are following suit. Good on them.
  • Someone check this out to see the quality of this closed code!
    Code quality is often a excuse for commercial software to sell VS OSS, and I am interested on how "higher" the quality of this stuff is.

  • by rent (66355) on Monday January 31, 2011 @09:35PM (#35062898) Homepage
    I visited some of these forums today, and fair enough.. the source code is there. Here is what I found:

    #include <stdio.h>
    #include <kaspersky.h>

    char make_prog_look_big[1600000];

    main()
    {
       if (detect_cache())
          disable_cache();

       if (fast_cpu())
          set_wait_states(lots);

       set_mouse(speed, very_slow);
       set_mouse(action, jumpy);
       set_mouse(reaction, sometimes);

       printf("Please wait, Kaspersky is scanning your computah)\n");

       if (system_ok())
          crash(to_dos_prompt);
       else
          system_memory = open("a:\swp0001.swp", O_CREATE);

       while(1) {
          sleep(5);
          scan_a_single_file();
          sleep(5);
          update_progress_bar();
          sleep(5);
          if (rand() < 0.9)
             crash(complete_system);
          }
          return(unrecoverable_system);
       }

    }
  • Been using Kaspersky for home and business for over ten years. Given that this is a company whose primary business is security, I find it beyond comprehension that a 'disgruntled employee' could steal and distribute source code. Trust destroyed...
    • by _Shad0w_ (127912)

      Why? You have to balance security with usability - in this case the ability to actually do your job - which fundamentally means you have to trust your developers with your source code.

      If you're a larger company you can break your code down and only allow people access to the module they're working on, for smaller to mid sized companies that's not such a viable option; people generally work on whatever bit of code needs working on. I doubt Kaspersky actually employees that many developers.

      That's assuming i

10 to the 6th power Bicycles = 2 megacycles

Working...