EJocys Posted August 21, 2016 Share Posted August 21, 2016 (edited) Hi Neowinians. I would like to ask you to check your Kaspersky Antivirus and return back with opinions. My browser debug console shows that it sends sensitive data to Russia, even when I use HTTPS secure connection. You can press F12 key to open console and choose "Network" tab to see all requests your browser makes when you open the web page. I was amazed to find that Kaspersky reporting all my secure google requests and bank sessions to ie.kis.scr.kaspersky-labs.com (185.85.13.154) which is located here: 185.85.13.154 Kaspersky LAB AO Moscow Russian Federation Latitude: 55.752220153809 Longitude: 37.615558624268 Source: https://www.ip2location.com/demo/185.85.13.154 Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z For example: Every time I was using secure search on google.co.uk, Kaspersky would make connections to server in Russia and load JavaScript which in itself enables ability to send all my logins, passwords and other sensitive data to file providers, because it was running from inside a secure connection and all sensitive data was available in plain text: https://ie.kis.scr.kaspersky-labs.com/55EA892A-F489-2A4A-BF5D-9E631C44C50C/main.jshttps://ie.kis.scr.kaspersky-labs.com/55EA892A-F489-2A4A-BF5D-9E631C44C50C/websocket?url=https%3A%2F%2Fwww.google.co.uk%2F&nocache=1471773767577https://ie.kis.scr.kaspersky-labs.com/C05C44C136E9-D5FB-A4A2-984F-A298AE55/vk/VkTooltipBanner.png When I was authorising into my bank with security details, Kaspersky would send links like that: https://ie.kis.scr.kaspersky-labs.com/1B74BD89-2A22-4B93-B451-1C9E1052A0EC/init?url=https%3A%2F%2Ffc1.retail.santander.co.uk%2Fquery%2F1%2FfwyK.html%3Feu%3Dhttps%3A%2F%2Fretail.santander.co.uk%2FLOGSUK_NS_ENS%2FChannelDriver.ssobto%3Fdse_operationName%3DLOGON&nocache=1fdc6 Responses from Kaspersky looked like static content. It means that there is no need to for Kaspersky to supply metadata to Russian Federation in order to protect its customers from viruses. Kaspersky developers could choose to load these scripts from locally running web server (127.0.0.1) and not to compromise customer's security. This is not the rocket science. Decision to send sensitive data to Russian Federation and enable possibility for Russian government to track every web site visit of Kaspersky's customer and acquire all logins and passwords does not look like a rookie mistake. Data goes to Russia; it means Russian law applies to it. Recently President Putin signed the Yarovaya bill into law, which is draconian law designed to collect data, make cryptographic backdoors mandatory and allow access to it by Russian security services for 3 years. Kaspersky accessing your sensitive data and sending it to ie.kis.scr.kaspersky-labs.com is exactly that - cryptographic backdoor. So, if you have Kaspersky on your computer, then please open secure site like https://www.google.com, press F12 for debug mode, go into “Network” tab, refresh page, see for yourself and report your opinion. Thank you. Edited August 21, 2016 by EJocys Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) That's not at all what is happening. Use a real tool like fiddler and see what it is really sending and where. What you are seeing is browser extension stuff used with the antivirus. alex_d2w 1 Share Link to comment Share on other sites More sharing options...
goretsky Supervisor Posted August 21, 2016 Supervisor Share Posted August 21, 2016 Hello, Perhaps they are checking the HTTP stream for malware or exploits, doing reputational analysis or something else in their protection cloud. Regards, Aryeh Goretsky adrynalyne, +E.Worm Jimmy and Ian W 3 Share Link to comment Share on other sites More sharing options...
+Mirumir Subscriber¹ Posted August 21, 2016 Subscriber¹ Share Posted August 21, 2016 2 hours ago, EJocys said: Recently President Putin signed the Yarovaya bill into law, which is draconian law designed to collect data, make cryptographic backdoors mandatory and allow access to it by Russian security services for 3 years. The USA PATRIOT ACT was enacted 15 years ago. P.S. No one is forcing you to use KAV. Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 1 hour ago, adrynalyne said: That's not at all what is happening. Use a real tool like fiddler and see what it is really sending and where. What you are seeing is browser extension stuff used with the antivirus. There is no need to use Fidler because integrated debug tools of the browser reported all links and traffic just fine. Extension was using real domain registered in Russia (ie.kis.scr.kaspersky-labs.com). If there were, no need to go outside then https://localhost:port would be enough. It probably would be fine if "ie.kis.scr.kaspersky-labs.com" had 127.0.0.0 assigned internally, but that was not the case. Supplying data with GET requests also is interesting, because I used same method as a workaround to bypass web Brower’s cross-domain security in some of my applications. What I was seeing was browser extension with intentional back door used by antivirus. Do you think it was a mistake, for company, specializing in security and linked to Russian KGB and FSB to inject secure web content with externaly pointing URL? I don't think so. URL for Firefox users (ff.kis.scr.kaspersky-labs.com) resolves to 127.245.107.154 which is internal, but URL for Internet Explorer (ie.kis.scr.kaspersky-labs.com) resolves directly to Kremlin: 185.85.13.154. Edited August 21, 2016 by EJocys Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 45 minutes ago, goretsky said: Perhaps they are checking the HTTP stream for malware or exploits, doing reputational analysis or something else in their protection cloud. Doing analysis in a such way is a huge security flaw, especially if a thirparty injects its own JavaScript (main.js in case of the Kaspersky) . Properly secured websites must not include links to third party domains when when doing authentication. Loading third party scripts from domains which points to external source in real environment is a https://ie.kis.scr.kaspersky-labs.com/55EA892A-F489-2A4A-BF5D-9E631C44C50C/main.js is a seriois security threat to its customers. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 23 minutes ago, EJocys said: There is no need to use Fidler because integrated debug tools of the browser reported all traffic just fine. Extension was using real domain registered in Russia (ie.kis.scr.kaspersky-labs.com). If there were, no need to go outside then https://localhost:port would be enough. It probably would be fine if "ie.kis.scr.kaspersky-labs.com" had 127.0.0.0 assigned internally, but that was not the case. Supplying data with GET requests also is interesting, because I used same method as a workaround to bypass web Brower’s cross-domain security in some of my applications. What I was seeing was browser extension with intentional back door used with the antivirus. Show some fiddler logs proving it because it sounds like you don't understand what you are reading. Depicus and xendrome 2 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 42 minutes ago, Mirumir said: The USA PATRIOT ACT was enacted 15 years ago. P.S. No one is forcing you to use KAV. I have uninstalled KAV already. Problem is that EU sells Kaspersky products everywhere while at the same time using sanctions against Russia, which fights hybrid wars against pro-European countries. Now I am looking for Antivirus, which would not inject web pages with URLs pointing outside. Link to comment Share on other sites More sharing options...
+Gary7 Subscriber² Posted August 21, 2016 Subscriber² Share Posted August 21, 2016 Maybe this belongs in The Tin Foil Hat section Ian W, alex_d2w and T3X4S 3 Share Link to comment Share on other sites More sharing options...
+Mirumir Subscriber¹ Posted August 21, 2016 Subscriber¹ Share Posted August 21, 2016 10 minutes ago, EJocys said: I have uninstalled KAV already. Try Dr.Web +E.Worm Jimmy and alex_d2w 2 Share Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 10 minutes ago, Gary7 said: Maybe this belongs in The Tin Foil Hat section It's just a case of someone not understanding what they are seeing. Fiddler would likely clear this up to show that the data likely isn't actually being sent back to Kapersky but instead the local antivirus. Kapersky actually explains how it works on their forums. You see all sorts of people complaining about how Kapersky does it but none of them actually thinks it's phoning home with login credentials. Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 15 minutes ago, adrynalyne said: Show some fiddler logs proving it because it sounds like you don't understand what you are reading. I am not planing to install KAV anymore. I am writing comercial software (including network capturing and encryption), websites and network mobile apps and debug them by using network tools for 21 years now. I know that I am reading. It is hard to mis-unbderstand or misread web brower debug tools. It is not the rocket science. It looks like, it is not the first time Kaspersky is injecting scripts. While I understand the purpose of it (antivirus must have access to plain content in order to analyse it), I don't agree with "back door" implementation method of it i.e. Using live domains and live IPs. One year ago: https://www.reddit.com/r/privacy/comments/3frjqw/psa_kaspersky_injects_remote_javascript_into_all/ Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) 4 minutes ago, EJocys said: I am not planing to install KAV anymore. I am writing comercial software (including network capturing and encryption), websites and network mobile apps and debug them by using network tools for 21 years now. I know that I am reading. It is hard to mis-unbderstand or misread web brower debug tools. It is not the rocket science. It looks like, it is not the first time Kaspersky is injecting scripts. While I understand the purpose of it (antivirus must have access to plain content in order to analyse it), I don't agree with "back door" implementation method of it i.e. Using live domains and live IPs. One year ago: https://www.reddit.com/r/privacy/comments/3frjqw/psa_kaspersky_injects_remote_javascript_into_all/ If what you are saying is true, you wouldn't rely on browser debugging tools to tell you the full story about network traffic (everyone on the Internet is a security guru). As for your link, did you even read it? It isn't even a routable IP. Nobody denies the script injection, least of all Kapersky. Your accusation of it reporting your bank details to Russia is unfounded and is what is in question. Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 22 minutes ago, adrynalyne said: Fiddler would likely clear this up to show that the data likely isn't actually being sent back to Kapersky but instead the local antivirus. You would be right if https://ie.kis.scr.kaspersky-labs.com was pointing to internal IP i.e. 127.*.*.*. But on my PC it points to extearnal source on the Internet (185.85.13.154). Edited August 21, 2016 by EJocys Link to comment Share on other sites More sharing options...
+Gary7 Subscriber² Posted August 21, 2016 Subscriber² Share Posted August 21, 2016 Maybe Avast should not be used as it is from The Chek Republic.Sp?? Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) 3 minutes ago, EJocys said: You would be right if https://ie.kis.scr.kaspersky-labs.com if was pointing to internal IP i.e. 127.*.*.*. But on my PC it points to extearnal source on the Internet (185.85.13.154). Ok then. Let's see a screenshot of it sending your private information to that IP. Full headers and data. You can use fake details and reproduce I am sure. Link to comment Share on other sites More sharing options...
Aokromes Posted August 21, 2016 Share Posted August 21, 2016 1 hour ago, EJocys said: There is no need to use Fidler because integrated debug tools of the browser reported all links and traffic just fine. Extension was using real domain registered in Russia (ie.kis.scr.kaspersky-labs.com). If there were, no need to go outside then https://localhost:port would be enough. It probably would be fine if "ie.kis.scr.kaspersky-labs.com" had 127.0.0.0 assigned internally, but that was not the case. Supplying data with GET requests also is interesting, because I used same method as a workaround to bypass web Brower’s cross-domain security in some of my applications. What I was seeing was browser extension with intentional back door used by antivirus. Do you think it was a mistake, for company, specializing in security and linked to Russian KGB and FSB to inject secure web content with externaly pointing URL? I don't think so. URL for Firefox users (ff.kis.scr.kaspersky-labs.com) resolves to 127.245.107.154 which is internal, but URL for Internet Explorer (ie.kis.scr.kaspersky-labs.com) resolves directly to Kremlin: 185.85.13.154. http://www.ip2location.com/demo/185.85.13.154 ip2location states that ip is from kaspersky, not from kremlim. adrynalyne and alex_d2w 2 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 22 minutes ago, Gary7 said: Maybe this belongs in The Tin Foil Hat section You would be right if there was no evidence. External websites also report external IPs: https://who.is/dns/ie.kis.scr.kaspersky-labs.com ie.kis.scr.kaspersky-labs.com TTL=1637 A=185.85.13.154 Firefox users seems to be fine and not reporting to mothership: https://who.is/dns/ff.kis.scr.kaspersky-labs.com ff.kis.scr.kaspersky-labs.com TTL=399 A=127.245.107.154 P.S.: It is interesting to note that TTL for external IE address is much bigger. Probably just to make sure that network packages are not lost on local network adapter :). /s Link to comment Share on other sites More sharing options...
+Gary7 Subscriber² Posted August 21, 2016 Subscriber² Share Posted August 21, 2016 1 minute ago, EJocys said: You would be right if there was no evidence. External websites also report external IPs: https://who.is/dns/ie.kis.scr.kaspersky-labs.com ie.kis.scr.kaspersky-labs.com TTL=1637 A=185.85.13.154 Firefox users seems to be fine and not reporting to mothership: https://who.is/dns/ff.kis.scr.kaspersky-labs.com ff.kis.scr.kaspersky-labs.com TTL=399 A=127.245.107.154 P.S.: It is interesting to note that TTL for external IE address is much bigger. Probably just to make sure that network packages are not lost on local network adapter :). /s Well if you are using Windows 10 it does it as well. Not to Kaspersky but to Redmond. Why would Firefox be OK and all other Browsers not?? If Kaspersky were doing this it would do it to all browsers. I used it in the past without any problems but now all I use is Windows Defender as MS tells me that is all I need. I do scan with MBAM once in awhile. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 5 minutes ago, EJocys said: You would be right if there was no evidence. External websites also report external IPs: https://who.is/dns/ie.kis.scr.kaspersky-labs.com ie.kis.scr.kaspersky-labs.com TTL=1637 A=185.85.13.154 Firefox users seems to be fine and not reporting to mothership: https://who.is/dns/ff.kis.scr.kaspersky-labs.com ff.kis.scr.kaspersky-labs.com TTL=399 A=127.245.107.154 P.S.: It is interesting to note that TTL for external IE address is much bigger. Probably just to make sure that network packages are not lost on local network adapter :). /s I'm waiting for the evidence of it sending your personal data... alex_d2w, xendrome and +Gary7 3 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 12 minutes ago, Aokromes said: http://www.ip2location.com/demo/185.85.13.154 ip2location states that ip is from kaspersky, not from kremlim. This IP is linked to Latitude: 55.752220153809, Longitude: 37.615558624268 Source: https://www.ip2location.com/demo/185.85.13.154 Location of this IP points to Kremlin: Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z IP points to Kaspersky Lab in Kremlin. Of course, it doesn't mean that Kasperky Lab is actually located in Kremlin, but technically it is :). Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 2 minutes ago, EJocys said: This IP is linked to Latitude: 55.752220153809, Longitude: 37.615558624268 Source: https://www.ip2location.com/demo/185.85.13.154 Location of this IP points to Kremlin: Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z IP points to Kaspersky Lab in Kremlin. Of course, it doesn't mean that Kasperky Lab is actually located in Kremlin, but technically it is :). You do know that IP geolocation is not very accurate, right? alex_d2w 1 Share Link to comment Share on other sites More sharing options...
Aokromes Posted August 21, 2016 Share Posted August 21, 2016 (edited) 8 minutes ago, EJocys said: This IP is linked to Latitude: 55.752220153809, Longitude: 37.615558624268 Source: https://www.ip2location.com/demo/185.85.13.154 Location of this IP points to Kremlin: Map: https://www.google.co.uk/maps/@55.7522201,37.6155586,16z IP points to Kaspersky Lab in Kremlin. Of course, it doesn't mean that Kasperky Lab is actually located in Kremlin, but technically it is :). You know.... geolocalization services don't gives exact coords..... http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/ https://www.google.es/maps/dir/Ленинградское+шоссе,+39а,+Kaspersky+Lab,+Moscow,+Rusia,+123060/55.7503429,37.6157499/@55.7882977,37.5545582,13.25z/data=!4m8!4m7!1m5!1m1!1s0x43ddce7b7f14fe57:0x8e916c8c42a0d656!2m2!1d37.4814785!2d55.8371809!1m0 Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 6 minutes ago, Gary7 said: Well if you are using Windows 10 it does it as well. Not to Kaspersky but to Redmond. Why would Firefox be OK and all other Browsers not?? If Kaspersky were doing this it would do it to all browsers. I used it in the past without any problems but now all I use is Windows Defender as MS tells me that is all I need. I do scan with MBAM once in awhile. Firefox or Windows can send data to their servers on their own if there are no secure data, but there is difference when third party app injects links, which points to external servers, inside a secure (HTTPS) connection. As I have said. That would be not a problem if injected URL pointed to internal IP address, but it points to external address on the Internet. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 1 minute ago, EJocys said: Firefox or Windows can send data to their servers on their own if there are no secure data, but there is difference when third party app injects links, which points to external servers, inside a secure (HTTPS) connection. As I have said. That would be not a problem if injected URL pointed to internal IP address, but it points to external address on the Internet. Evidence of it sending your private data home please. Link to comment Share on other sites More sharing options...
Recommended Posts