Kaspersky and spying for Russian Federation


Recommended Posts

EJocys

Hi Neowinians. I would like to ask you to check your Kaspersky Antivirus and return back with opinions.

 

My browser debug console shows that it sends sensitive data to Russia, even when I use HTTPS secure connection.

You can press F12 key to open console and choose "Network" tab to see all requests your browser makes when you open the web page. I was amazed to find that Kaspersky reporting all my secure google requests and bank sessions to ie.kis.scr.kaspersky-labs.com (185.85.13.154) which is located here:

 

185.85.13.154
Kaspersky LAB AO
Moscow
Russian Federation
Latitude: 55.752220153809
Longitude: 37.615558624268

Source: https://www.ip2location.com/demo/185.85.13.154
Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z

 

For example: Every time I was using secure search on google.co.uk, Kaspersky would make connections to server in Russia and load JavaScript which in itself enables ability to send all my logins, passwords and other sensitive data to file providers, because it was running from inside a secure connection and all sensitive data was available in plain text:

https://ie.kis.scr.kaspersky-labs.com/55EA892A-F489-2A4A-BF5D-9E631C44C50C/main.js
https://ie.kis.scr.kaspersky-labs.com/55EA892A-F489-2A4A-BF5D-9E631C44C50C/websocket?url=https%3A%2F%2Fwww.google.co.uk%2F&nocache=1471773767577
https://ie.kis.scr.kaspersky-labs.com/C05C44C136E9-D5FB-A4A2-984F-A298AE55/vk/VkTooltipBanner.png

 

When I was authorising into my bank with security details, Kaspersky would send links like that:

https://ie.kis.scr.kaspersky-labs.com/1B74BD89-2A22-4B93-B451-1C9E1052A0EC/init?url=https%3A%2F%2Ffc1.retail.santander.co.uk%2Fquery%2F1%2FfwyK.html%3Feu%3Dhttps%3A%2F%2Fretail.santander.co.uk%2FLOGSUK_NS_ENS%2FChannelDriver.ssobto%3Fdse_operationName%3DLOGON&nocache=1fdc6

 

Responses from Kaspersky looked like static content. It means that there is no need to for Kaspersky to supply metadata to Russian Federation in order to protect its customers from viruses. Kaspersky developers could choose to load these scripts from locally running web server (127.0.0.1) and not to compromise customer's security. This is not the rocket science. Decision to send sensitive data to Russian Federation and enable possibility for Russian government to track every web site visit of Kaspersky's customer and acquire all logins and passwords does not look like a rookie mistake.

 

Data goes to Russia; it means Russian law applies to it. Recently President Putin signed the Yarovaya bill into law, which is draconian law designed to collect data, make cryptographic backdoors mandatory and allow access to it by Russian security services for 3 years. Kaspersky accessing your sensitive data and sending it to ie.kis.scr.kaspersky-labs.com is exactly that - cryptographic backdoor.


So, if you have Kaspersky on your computer, then please open secure site like https://www.google.com, press F12 for debug mode, go into “Network” tab, refresh page, see for yourself and report your opinion.

 

Thank you.

Edited by EJocys
Link to post
Share on other sites
adrynalyne

That's not at all what is happening. Use a real tool like fiddler and see what it is really sending and where. What you are seeing is browser extension stuff used with the antivirus. 

  • Like 1
Link to post
Share on other sites
goretsky

Hello,

 

Perhaps they are checking the HTTP stream for malware or exploits, doing reputational analysis or something else in their protection cloud.

 

Regards,

 

Aryeh Goretsky

  • Like 3
Link to post
Share on other sites
+Mirumir
2 hours ago, EJocys said:

Recently President Putin signed the Yarovaya bill into law, which is draconian law designed to collect data, make cryptographic backdoors mandatory and allow access to it by Russian security services for 3 years. 

The USA PATRIOT ACT was enacted 15 years ago. 

 

P.S. No one is forcing you to use KAV.

Link to post
Share on other sites
EJocys
1 hour ago, adrynalyne said:

That's not at all what is happening. Use a real tool like fiddler and see what it is really sending and where. What you are seeing is browser extension stuff used with the antivirus. 

There is no need to use Fidler because integrated debug tools of the browser reported all links and traffic just fine. Extension was using real domain registered in Russia (ie.kis.scr.kaspersky-labs.com). If there were, no need to go outside then https://localhost:port would be enough. It probably would be fine if "ie.kis.scr.kaspersky-labs.com" had 127.0.0.0 assigned internally, but that was not the case. Supplying data with GET requests also is interesting, because I used same method as a workaround to bypass web Brower’s cross-domain security in some of my applications. What I was seeing was browser extension with intentional back door used by antivirus. Do you think it was a mistake, for company, specializing in security and linked to Russian KGB and FSB to inject secure web content with externaly pointing URL? I don't think so.

 

URL for Firefox users (ff.kis.scr.kaspersky-labs.com) resolves to 127.245.107.154 which is internal, but URL for Internet Explorer (ie.kis.scr.kaspersky-labs.com) resolves directly to Kremlin: 185.85.13.154.

 

Edited by EJocys
Link to post
Share on other sites
EJocys
45 minutes ago, goretsky said:

Perhaps they are checking the HTTP stream for malware or exploits, doing reputational analysis or something else in their protection cloud.

Doing analysis in a such way is a huge security flaw, especially if a thirparty injects its own JavaScript (main.js in case of the Kaspersky) . Properly secured websites must not include links to third party domains when when doing authentication. Loading third party scripts from domains which points to external source in real environment is a  https://ie.kis.scr.kaspersky-labs.com/55EA892A-F489-2A4A-BF5D-9E631C44C50C/main.js is a seriois security threat to its customers.

Link to post
Share on other sites
adrynalyne
23 minutes ago, EJocys said:

There is no need to use Fidler because integrated debug tools of the browser reported all traffic just fine. Extension was using real domain registered in Russia (ie.kis.scr.kaspersky-labs.com). If there were, no need to go outside then https://localhost:port would be enough. It probably would be fine if "ie.kis.scr.kaspersky-labs.com" had 127.0.0.0 assigned internally, but that was not the case. Supplying data with GET requests also is interesting, because I used same method as a workaround to bypass web Brower’s cross-domain security in some of my applications. What I was seeing was browser extension with intentional back door used with the antivirus.

Show some fiddler logs proving it because it sounds like you don't understand what you are reading. 

  • Like 2
Link to post
Share on other sites
EJocys
42 minutes ago, Mirumir said:

The USA PATRIOT ACT was enacted 15 years ago. 

 

P.S. No one is forcing you to use KAV.

I have uninstalled KAV already. Problem is that EU sells Kaspersky products everywhere while at the same time using sanctions against Russia, which fights hybrid wars against pro-European countries. Now I am looking for Antivirus, which would not inject web pages with URLs pointing outside.

Link to post
Share on other sites
+Gary7

Maybe this belongs in The Tin Foil Hat section :p

  • Like 3
Link to post
Share on other sites
+Mirumir
10 minutes ago, EJocys said:

I have uninstalled KAV already.

Try Dr.Web ;) 

  • Like 2
Link to post
Share on other sites
adrynalyne
10 minutes ago, Gary7 said:

Maybe this belongs in The Tin Foil Hat section :p

It's just a case of someone not understanding what they are seeing. Fiddler would likely clear this up to show that the data likely isn't actually being sent back to Kapersky but instead the local antivirus. Kapersky actually explains how it works on their forums. You see all sorts of people complaining about how Kapersky does it but none of them actually thinks it's phoning home with login credentials. 

Link to post
Share on other sites
EJocys
15 minutes ago, adrynalyne said:

Show some fiddler logs proving it because it sounds like you don't understand what you are reading. 

I am not planing to install KAV anymore. I am writing comercial software (including network capturing and encryption), websites and network mobile apps and debug them by using network tools for 21 years now. I know that I am reading. It is hard to mis-unbderstand or misread web brower debug tools. It is not the rocket science. It looks like, it is not the first time Kaspersky is injecting scripts. While I understand the purpose of it (antivirus must have access to plain content in order to analyse it), I don't agree with "back door" implementation method of it i.e. Using live domains and live IPs.

 

One year ago: https://www.reddit.com/r/privacy/comments/3frjqw/psa_kaspersky_injects_remote_javascript_into_all/

Link to post
Share on other sites
adrynalyne
4 minutes ago, EJocys said:

I am not planing to install KAV anymore. I am writing comercial software (including network capturing and encryption), websites and network mobile apps and debug them by using network tools for 21 years now. I know that I am reading. It is hard to mis-unbderstand or misread web brower debug tools. It is not the rocket science. It looks like, it is not the first time Kaspersky is injecting scripts. While I understand the purpose of it (antivirus must have access to plain content in order to analyse it), I don't agree with "back door" implementation method of it i.e. Using live domains and live IPs.

 

One year ago: https://www.reddit.com/r/privacy/comments/3frjqw/psa_kaspersky_injects_remote_javascript_into_all/

If what you are saying is true, you wouldn't rely on browser debugging tools to tell you the full story about network traffic (everyone on the Internet is a security guru). As for your link, did you even read it? It isn't even a routable IP. Nobody denies the script injection, least of all Kapersky. Your accusation of it reporting your bank details to Russia is unfounded and is what is in question. 

 

 

image.png

Link to post
Share on other sites
EJocys
22 minutes ago, adrynalyne said:

Fiddler would likely clear this up to show that the data likely isn't actually being sent back to Kapersky but instead the local antivirus.

You would be right if  https://ie.kis.scr.kaspersky-labs.com was pointing to internal IP i.e. 127.*.*.*. But on my PC it points to extearnal source on the Internet (185.85.13.154).

Edited by EJocys
Link to post
Share on other sites
+Gary7

Maybe Avast should not be used as it is from The Chek Republic.Sp??

Link to post
Share on other sites
adrynalyne
3 minutes ago, EJocys said:

You would be right if  https://ie.kis.scr.kaspersky-labs.com if was pointing to internal IP i.e. 127.*.*.*. But on my PC it points to extearnal source on the Internet (185.85.13.154).

Ok then. Let's see a screenshot of it sending your private information to that IP. Full headers and data. You can use fake details and reproduce I am sure. 

Link to post
Share on other sites
Aokromes
1 hour ago, EJocys said:

There is no need to use Fidler because integrated debug tools of the browser reported all links and traffic just fine. Extension was using real domain registered in Russia (ie.kis.scr.kaspersky-labs.com). If there were, no need to go outside then https://localhost:port would be enough. It probably would be fine if "ie.kis.scr.kaspersky-labs.com" had 127.0.0.0 assigned internally, but that was not the case. Supplying data with GET requests also is interesting, because I used same method as a workaround to bypass web Brower’s cross-domain security in some of my applications. What I was seeing was browser extension with intentional back door used by antivirus. Do you think it was a mistake, for company, specializing in security and linked to Russian KGB and FSB to inject secure web content with externaly pointing URL? I don't think so.

 

URL for Firefox users (ff.kis.scr.kaspersky-labs.com) resolves to 127.245.107.154 which is internal, but URL for Internet Explorer (ie.kis.scr.kaspersky-labs.com) resolves directly to Kremlin: 185.85.13.154.

 

http://www.ip2location.com/demo/185.85.13.154 ip2location states that ip is from kaspersky, not from kremlim.

  • Like 2
Link to post
Share on other sites
EJocys
22 minutes ago, Gary7 said:

Maybe this belongs in The Tin Foil Hat section :p

You would be right if there was no evidence. External websites also report external IPs:

 

https://who.is/dns/ie.kis.scr.kaspersky-labs.com

ie.kis.scr.kaspersky-labs.com TTL=1637 A=185.85.13.154

 

Firefox users seems to be fine and not reporting to mothership:

https://who.is/dns/ff.kis.scr.kaspersky-labs.com

ff.kis.scr.kaspersky-labs.com TTL=399   A=127.245.107.154

 

P.S.: It is interesting to note that TTL for external IE address is much bigger. Probably just to make sure that network packages are not lost on local network adapter :). /s

 

 

Link to post
Share on other sites
+Gary7
1 minute ago, EJocys said:

You would be right if there was no evidence. External websites also report external IPs:

 

https://who.is/dns/ie.kis.scr.kaspersky-labs.com

ie.kis.scr.kaspersky-labs.com TTL=1637 A=185.85.13.154

 

Firefox users seems to be fine and not reporting to mothership:

https://who.is/dns/ff.kis.scr.kaspersky-labs.com

ff.kis.scr.kaspersky-labs.com TTL=399   A=127.245.107.154

 

P.S.: It is interesting to note that TTL for external IE address is much bigger. Probably just to make sure that network packages are not lost on local network adapter :). /s

 

 

Well if you are using Windows 10 it does it as well. Not to Kaspersky but to Redmond. Why would Firefox be OK and all other Browsers not?? If Kaspersky were doing this it would do it to all browsers. I used it in the past without any problems but now all I use is Windows Defender as MS tells me that is all I need. I do scan with MBAM once in awhile.

Link to post
Share on other sites
adrynalyne
5 minutes ago, EJocys said:

You would be right if there was no evidence. External websites also report external IPs:

 

https://who.is/dns/ie.kis.scr.kaspersky-labs.com

ie.kis.scr.kaspersky-labs.com TTL=1637 A=185.85.13.154

 

Firefox users seems to be fine and not reporting to mothership:

https://who.is/dns/ff.kis.scr.kaspersky-labs.com

ff.kis.scr.kaspersky-labs.com TTL=399   A=127.245.107.154

 

P.S.: It is interesting to note that TTL for external IE address is much bigger. Probably just to make sure that network packages are not lost on local network adapter :). /s

 

 

I'm waiting for the evidence of it sending your personal data...

  • Like 3
Link to post
Share on other sites
EJocys
12 minutes ago, Aokromes said:

http://www.ip2location.com/demo/185.85.13.154 ip2location states that ip is from kaspersky, not from kremlim.

This IP is linked to Latitude: 55.752220153809, Longitude: 37.615558624268

Source: https://www.ip2location.com/demo/185.85.13.154

Location of this IP points to Kremlin:

Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z

IP points to Kaspersky Lab in Kremlin.

 

Of course, it doesn't mean that Kasperky Lab is actually located in Kremlin, but technically it is :).

Link to post
Share on other sites
adrynalyne
2 minutes ago, EJocys said:

This IP is linked to Latitude: 55.752220153809, Longitude: 37.615558624268

Source: https://www.ip2location.com/demo/185.85.13.154

Location of this IP points to Kremlin:

Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z

IP points to Kaspersky Lab in Kremlin.

 

Of course, it doesn't mean that Kasperky Lab is actually located in Kremlin, but technically it is :).

You do know that IP geolocation is not very accurate, right?

  • Like 1
Link to post
Share on other sites
Aokromes
8 minutes ago, EJocys said:

This IP is linked to Latitude: 55.752220153809, Longitude: 37.615558624268

Source: https://www.ip2location.com/demo/185.85.13.154

Location of this IP points to Kremlin:

Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z

IP points to Kaspersky Lab in Kremlin.

 

Of course, it doesn't mean that Kasperky Lab is actually located in Kremlin, but technically it is :).

You know.... geolocalization services don't gives exact coords.....

http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/

https://www.google.es/maps/dir/Ленинградское+шоссе,+39а,+Kaspersky+Lab,+Moscow,+Rusia,+123060/55.7503429,37.6157499/@55.7882977,37.5545582,13.25z/data=!4m8!4m7!1m5!1m1!1s0x43ddce7b7f14fe57:0x8e916c8c42a0d656!2m2!1d37.4814785!2d55.8371809!1m0

Link to post
Share on other sites
EJocys
6 minutes ago, Gary7 said:

Well if you are using Windows 10 it does it as well. Not to Kaspersky but to Redmond. Why would Firefox be OK and all other Browsers not?? If Kaspersky were doing this it would do it to all browsers. I used it in the past without any problems but now all I use is Windows Defender as MS tells me that is all I need. I do scan with MBAM once in awhile.

Firefox or Windows can send data to their servers on their own if there are no secure data, but there is difference when third party app injects links, which points to external servers, inside a secure (HTTPS) connection. As I have said. That would be not a problem if injected URL pointed to internal IP address, but it points to external address on the Internet.

Link to post
Share on other sites
adrynalyne
1 minute ago, EJocys said:

Firefox or Windows can send data to their servers on their own if there are no secure data, but there is difference when third party app injects links, which points to external servers, inside a secure (HTTPS) connection. As I have said. That would be not a problem if injected URL pointed to internal IP address, but it points to external address on the Internet.

Evidence of it sending your private data home please. 

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.