The vendor claims he turned to the dark side

Oct 29, 2009 14:15 GMT

A former antivirus analyst ostracized by the AV community for unethical behavior is accusing Kaspersky Lab of injecting malicious code into his newly launched website. Researchers with the Russian antivirus vendor portray the former white hat as a cyber-criminal associated with the Sinowal gang.

Peter Kleissner is an 18-year-old hacker living in Vienna, Austria. He made a name for himself partially due to a research paper regarding master boot record (MBR) rootkits, which he presented at the 2009 Black Hat security conference. MBR rootkits consist of malicious code that is able to execute before the operating system and reinfect it on every reboot.

During his Black Hat talk, the hacker publicly released the source code for such a program developed by himself and dubbed the "Stoned Bootkit." This rootkit is particularly interesting, as it is able to infect all post-XP Windows operating systems, including Windows 7. Additionally, it features an application programming interface (API), allowing even cybercrooks with average programming skills to create potent malware.

At the time, Peter Kleissner was working for Austria-based AV vendor Ikarus, and his decision to release an open source MBR rootkit obviously did not sit well with fellow antivirus professionals. And as if that violation of the white hat ethical code wasn't enough, on his way back from the US, while waiting for his flight connection to Vienna, the hacker decided to pen test the Internet terminals at the Zurich Airport without authorization.

According to Kleissner's own account, Ikarus eventually forced him to resign and he was also banned from industry-specific mailing lists. In order to get back at the community that had shunned him, the young hacker launched an online system called AV Tracker.

This project aims to maintain a list of the IP addresses used by antivirus companies and malware analysis services such as Virus Total, Anubis, ThreatExpert, Sunbelt's CWSandbox and others. "You can include this list to block them out (making it unable for AVs to analyze your software). You can also DDoS them in order to lame 'em down," the website reads.

To gather the IPs, Kleissner created a small spy program and fed it to the online malware analysis services, knowing that these represent a sample-exchange channel for antivirus companies. Once this executable is run by AV researchers, it reports the IP address of their test machines back to the AV Tracker website.

This program also seems to have a message hidden in it. "This is Peter Kleissner. [expletive] Ikarus. [expletive] the world. [expletive] you all! I was once working with Ikarus and was a white hat, now I am the worst mean [expletive] black hat and I am selling the source code of Ikarus T3 [Ikarus' product] :D," part of it reads. When confronted with it by a user on his blog, the hacker responded with "[...] ensure to not take those messages literal, if you do, then you will fail to understand me and my mind. And btw I am listening to Eminems sounds, so that shoulda [sic.] explain a bit too."

While writing about this program, Vitaly Kamluk, Kaspersky's director of research center for the EEMEA region, mentioned that the company's analysts modified the requests it sent to the AV Tracker service. "We played around with this request, and substituted various random strings instead of the user name and system parameters," he noted.

However, in a post entitled "Kaspersky Labs hacks my site," Kleissner claims that they actually injected malicious code into his website, more specifically an iFrame pointing to an exploit toolkit. The hacker sent an e-mail to the antivirus company asking for 2000 Euros in compensation for the time he lost cleaning his website and threatened them with a lawsuit if they did not comply.

"Naturally, we have gathered all relevant data and forwarded it to our lawyer who will now take the next steps. If all cyber criminals were as cooperative as this one, life would be much easier for AV companies," Mr. Kamluk said. Kleissner subsequently confirmed that a lawyer based in Vienna responded to his e-mail on behalf of Kaspersky.

Given all of the hacker's controversial blog posts and shady actions, it seems the company has enough evidence to support its claim that he is involved in cybercriminal activities. One of his messages, reading "I am with the Sinowal (Whistler) [a banking trojan] developers, funny days, aren't [they] ;)", is kind of telling in this respect.