Is Kaspersky Anti Virus Software Russian Spyware

Kasper-Spy: Kaspersky virus protection threatens users' privacy

This article is also available in German

For our big test of antivirus software in c’t 3/2019, I installed the virus protection from Kaspersky on my work computer to find out firsthand what added value the protection programs of the major antivirus manufacturers still offer in everyday life.

The weeks and months that followed were uneventful - the Kaspersky software basically worked about as well, or as poorly, as Windows Defender. One day, however, I made a strange discovery. I was looking at the HTML source code of a random website and came across the following line of code:

Apparently an external JavaScript file called main.js was being loaded from a Kaspersky domain. That in itself is not unusual; hardly any website these days manages without external JavaScript resources.

It only became unusual when I viewed the HTML source of other websites: I found the puzzling code on every site without exception - even on the page of my own bank. I suspected that the Kaspersky software must have something to do with it.

I decided to get to the bottom of it and repeated the experiment with Firefox, Edge and Opera. Again, I came across the code everywhere. Since no suspicious browser extensions were installed that could have been responsible for this effect, my experiments allowed only one conclusion: the Kaspersky virus protection was manipulating my traffic unasked and injecting the code. Until then I had only seen this behaviour from online banking Trojans, which manipulate bank pages in this way, for example to change the destination of a transfer.

But what is Kaspersky doing this for? To answer that question, I examined the injected script main.js. Among other things, it is apparently responsible for displaying green protective shields next to Google search hits when a link is clean according to Kaspersky. That could have been the end of my analysis, but one small detail would not let me go. The address from which the Kaspersky script was loaded contains a suspicious character string:

https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js

The middle section of the address, 9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615, follows a characteristic pattern. Its structure is that of a so-called UUID, a Universally Unique Identifier. Such IDs are used to make things unambiguously identifiable. But who or what can be identified using the Kaspersky ID?

I expanded my experiment and installed the Kaspersky software on other computers. Kaspersky also injected JavaScript on the other systems. However, I discovered a crucial difference: the UUID in the source address was different on each system. The IDs were persistent and did not change even after several days. This made it clear that an ID could be permanently assigned to a specific computer.

The suspicious ID

I was also puzzled by the place where I came across the ID: the Kaspersky software injected it directly into the HTML code of the website. That is a bad idea, because other scripts running in the context of the website's domain can read the HTML code at any time - and with it the smuggled-in Kaspersky ID.

In plain language, this means that any website can simply read the user's Kaspersky ID and misuse it for tracking. If this assumption is correct, then Kaspersky has created a dangerous tracking option that puts every cookie to shame: websites could track Kaspersky users across browser boundaries. And that's not all: this super-tracking even defeats the browser's incognito mode, rendering it meaningless.

But could a company that has been committed to the security and privacy of its customers for over twenty years have overlooked such an obvious problem? I decided to put it to the test. Half an hour later I had created a simple website that was supposed to automatically read and save the visitors' Kaspersky ID.

And it worked right away. After I had collected the IDs of some test computers, I also stored the names of the colleagues who owned the computers in the code of my demo page. From then on, I was even able to greet them personally when they opened the page - regardless of which browser they were using and how often they deleted their cookies. Incognito mode offered no protection from the tracking either. By now it was clear to me that I had encountered a serious problem.

Making contact

In order not to endanger anyone unnecessarily, I first informed Kaspersky of my findings. The company's German research department replied shortly afterwards that they would look into the matter. About two weeks later, the headquarters in Moscow, Russia, had analyzed the case: the problem I discovered is real and affects all consumer versions of Kaspersky software for Windows - from the free version to Kaspersky Internet Security and Total Security. Kaspersky Small Office Security for small businesses was also affected. Several million users were therefore exposed to a data protection risk.

My inquiries revealed that the leak had existed since the 2016 versions, which appeared in autumn 2015. Anyone else who became aware of the data leak could have exploited it for almost four years. According to the manufacturer, "such an attack is too complex and not profitable enough for cyber criminals", so it is unlikely that the vulnerability has already been misused. I see it differently: if I can create a website in next to no time that reads out and stores the ID, why shouldn't others have succeeded in the course of four years? As is well known, there are a great many companies that specialize in spying on website visitors in as much detail as possible.

The cat is out of the bag

Since Kaspersky had apparently recognized the seriousness of the situation and promised me a patch, I waited. "Patch F" has in fact been distributed since June, and in July the manufacturer published a security advisory describing the problem and its solution. I asked Kaspersky to assign a so-called CVE number to the vulnerability, i.e. a globally valid identification number for security holes. The vulnerability now has a name: CVE-2019-8286. The security authorities also became aware of the problem through the Kaspersky advisory and the CVE registration; as a result, CERT-Bund of the German Federal Office for Information Security (BSI) issued a warning about the information leak.

After Kaspersky distributed the patch, I made a point of repeating my experiments. The software still injects an ID - but it is now identical for all users: FD126C42-EBFA-4E12-B309-BB3FDD723AC1. As a result, a website can no longer recognize individual users. However, it is still possible to find out whether a visitor has the Kaspersky software installed on their system and roughly how old it is. An attacker can use this information to distribute malware tailored to the protection software or to redirect the visitor to a matching scam site - along the lines of: "Your Kaspersky license has expired. Please enter your credit card number to extend the subscription". I reported this problem back to Kaspersky as well.
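A self-check for the behaviour described above (the per-machine UUID readable from every page's HTML) and for the post-patch state, as an added example that is not code from the article or from Kaspersky: it classifies the injected script tag in a page's HTML, using constructed sample pages that carry the two IDs quoted in the article, and flags the pre-patch case in which one persistent ID shows up across browsers on the same machine.

```javascript
// Added example, not code from the c't article: a self-check that classifies the
// script tag the Kaspersky software injects into every page, using constructed HTML.

// Value the patched software injects for every user (quoted in the article).
const POST_PATCH_ID = "FD126C42-EBFA-4E12-B309-BB3FDD723AC1";

// Injected source address: https://<host>.kaspersky-labs.com/<UUID>/main.js
const INJECTED_SCRIPT_RE =
  /<script[^>]*\ssrc=["']https:\/\/[a-z0-9.-]*\.kaspersky-labs\.com\/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\/main\.js["']/i;

// Classifies one page's HTML: no injection, the shared post-patch ID, or a
// per-machine ID of the kind that allowed cross-browser tracking before Patch F.
function classifyInjectedScript(html) {
  const m = INJECTED_SCRIPT_RE.exec(html);
  if (!m) return { present: false, id: null, status: "none" };
  const id = m[1].toUpperCase();
  const status = id === POST_PATCH_ID ? "patched-shared-id" : "unpatched-per-machine-id";
  return { present: true, id, status };
}

// The cross-browser check from the article: the same page source captured in
// several browsers on one machine. If every capture carries the same per-machine
// ID, that ID survives browser switches and cleared cookies, i.e. it tracks the user.
function persistentAcrossBrowsers(captures) {
  const ids = new Set(captures.map((h) => classifyInjectedScript(h).id).filter(Boolean));
  return ids.size === 1 && !ids.has(POST_PATCH_ID);
}

// Constructed sample pages; the first UUID is the one quoted in the article.
const SAMPLE_PAGES = {
  unpatched:
    '<html><head><script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script></head><body></body></html>',
  patched:
    '<html><head><script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js" charset="UTF-8"></script></head><body></body></html>',
  clean: "<html><head><title>no injection</title></head><body></body></html>",
};

// Stand-alone run: report each constructed page and the cross-browser condition.
for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, classifyInjectedScript(html));
}
console.log("tracking possible:", persistentAcrossBrowsers([SAMPLE_PAGES.unpatched, SAMPLE_PAGES.unpatched]));
```

The `<script>` element layout in the samples is constructed; the real injected line on the page is not reproduced in the article as extracted, so only the domain, path and UUIDs are taken from it.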

If you want to be on the safe side, you can deactivate the responsible function in the Kaspersky software. You can find the switch by clicking the gear icon in the lower left corner of the main window and then choosing Advanced / Network. There, under "Processing the data traffic", deactivate the option "Include script for interacting with websites in the data traffic". (rei)

Much of c't's investigative research is only possible thanks to information that readers and whistleblowers send us directly or anonymously.

If you yourself have knowledge of a grievance that the public should know about, you can send us an anonymous tip or sensitive material. Please use our anonymous and secure mailbox for this.

https://heise.de/investigativ