Kaspersky internet security key Archives

Kaspersky Russian Spying Rumors: Should You Use This Antivirus?

UPDATED Oct. 18 with comments from Kaspersky Lab. UPDATED Oct. 25 with preliminary results of Kaspersky Lab's internal investigation. UPDATED Nov. 16 with final results of Kaspersky Lab's internal investigation.

The allegations that Kaspersky Lab spied on its customers on behalf of Russian intelligence services, as was reported in top American newspapers this past week, are very serious and threaten the future of the antivirus maker — even if no conclusive proof has been offered and no one making the accusations has been willing to speak up in public.

Here at Tom's Guide, we still recommend Kaspersky antivirus software for home users who don't work in any industries involved with national security. But we sent questions to several information-security experts, ranging from a former NSA staffer to a lawyer for the Electronic Frontier Foundation, for their opinions on whether they considered Kaspersky software safe to use.

Most of our respondents agreed that people who work in government or critical-infrastructure industries should not use Kaspersky software. One said he was telling everyone to remove it.

"My firm is recommending [that] our customers, who largely are financial companies, uninstall Kaspersky AV," said Dave Aitel, a former NSA staffer and the founder, owner and chief technology officer of Immunity Inc., an information-security consultancy. "There is no plausible innocent explanation for the information that has been presented."

Other security experts we spoke to weren't ready to condemn the company without seeing the evidence. But they added that we've got just as much to fear from Chinese vendors — and that most modern antivirus software, not just Kaspersky's, could be abused to become an espionage tool.

"I haven't seen anything which makes me think that it's any more dangerous to run Kaspersky than any other major antivirus product," Graham Cluley, an independent security blogger and former staffer at the antivirus maker Sophos, told us. "Kaspersky might be being singled out … because the company is Russian, and that doesn't sit too well in the current geopolitical climate."

John E. Pike, founder and director of adityagaur.com, a national-security think tank, said Kaspersky antivirus software was "probably" safe to use, but he added that "such products have too much spaghetti code for anyone to have confidence that they understand all that is going on under the hood."

Strong, but unproven, accusations

On Oct. 5, The Wall Street Journal, citing unnamed current and former government officials, reported that in , Kaspersky antivirus software running on the home computer of an unnamed NSA staffer spotted NSA files that the staffer had brought home and put on his or her machine. (The staffer broke the rules by taking the files home, but he or she is not suspected of espionage.)

The Kaspersky antivirus software somehow alerted Russian intelligence to the presence of the NSA files, and Russian spies then targeted the NSA staffer's computer and copied files from the machine, according to the WSJ. It's not clear exactly how Russian intelligence got access to Kaspersky data, or exactly what kind of NSA files the staffer had on his machine. (NSA-made malware would have been noticed by many antivirus products.)

Late Tuesday (Oct. 10), The New York Times, also quoting anonymous sources, reported that Israeli spies who had hacked into Kaspersky's internal networks in were the first to see evidence that Kaspersky software had been used to spy on the NSA staffer. The Israelis apparently turned what they had found over to the NSA.

The Washington Post backed that allegation with its own story, and in , Kaspersky Lab itself had disclosed the Israeli hack of its own networks.

On Oct. 11, The Wall Street Journal came back with a second story, in which more (or perhaps the same) unnamed government officials told the paper that Kaspersky's malware database, which looks for certain snippets of code in an attempt to catch malware, had been updated at a certain point to look for text strings that indicated U.S. intelligence documents. Such a text string might be "TOP SECRET," or the code name of a known NSA or CIA operation or program.

You could try turning off antivirus data collection

Rob Graham, head of information-security consultancy Errata Security and creator of several security tools, had a suggestion for all antivirus users who might be worried about the software spying on them.

"For ordinary consumers, it's probably as safe using Kaspersky as any other antivirus software," Graham told us. "Whichever product you use, however, you should configure it to NOT send data back to the vendor."

Graham was referring to the telemetry, a feature of most antivirus programs that sends data about the customer's machine to the antivirus company's servers for analysis, which, in turn, leads to quick responses to new malware.

Kaspersky's telemetry functions reportedly tipped off the Russian spies to the presence of NSA software on the NSA staffer's home computer. Most antivirus software, including Kaspersky's, lets you toggle off telemetry so that your machine, at least in theory, receives data from the antivirus company without sending any back.

Because of telemetry, antivirus products "have access to everything on the system and communicate constantly," states a blog post co-authored by Roel Schouwenberg, a former Kaspersky Lab malware researcher who is now at Celsus Advisory Group, an information-security consulting firm. "They are effectively 'trusted implants.'"

Kurt Opsahl, deputy executive director and general counsel at the Electronic Frontier Foundation, a digital-liberties advocacy group, agreed that telemetry is a risk, and not only to Kaspersky customers.

"Cloud-based AV … necessarily allows the AV software to see and report on what's on your machine — and gives an opening to intelligence agencies to get that information," he told us. "Kaspersky shows that this can actually happen, though something similar may well have happened elsewhere."

Happy to work with the authorities – of all nations

Within the global information-security community, Kaspersky Lab is highly respected for the quality of its research, as well as for its willingness to share its findings, work with other antivirus companies and collaborate with police agencies against cybercrime.

We at Tom's Guide, as well as rival publications, have consistently rated Kaspersky antivirus software well for its excellent malware detection (as borne out in regular lab tests), its low system-performance impact and its useful extra features.

As a young man, Eugene Kaspersky was educated at a KGB-run technical academy, then served in Soviet military intelligence.

Kaspersky Lab and McAfee, along with Europol and the Dutch national police, created and run the adityagaur.com website to help victims of encrypting ransomware protect and recover their data. Just yesterday (Oct. 12), Interpol announced that it was expanding its relationship with Kaspersky Lab to share threat intelligence.  

But Kaspersky may not be for everybody

"Kaspersky Lab is an excellent company with a solid reputation for building good security products," Nicholas Weaver, a researcher at the International Computer Science Institute, an affiliate of the University of California, Berkeley, wrote on the Lawfare blog in July. "But that is only true for most users. Kaspersky software should be banned from all governmental computers, defense contractors, and related assets."

"Companies may well be targets of economic spying, while non-profits and activists may be targets of spying on political opposition, and should give a higher weight to the spying risk," Opsahl said. "Given what's known, is it worthwhile to stick with [the] software with this news? Probably less so than with consumers."

How close is Kaspersky to the Kremlin?

There's always been a bit of suspicion about Kaspersky Lab. The company's co-founder and owner, Eugene Kaspersky, was educated at a KGB-run technical academy beginning when he was a teenager, and then served in Soviet military intelligence. (Many security experts of all nationalities working in the private sector have similar backgrounds.)

The company's relationship with the Kremlin has never been clear, though Western experts on Russia think there's no way Eugene Kaspersky could have become a billionaire without having reached an understanding with the government. Under Russian law, any company must open its communications lines to the authorities upon request.

The Kaspersky company has consistently denied that it assists any government with espionage operations.

Kaspersky Lab was given the contract to run all cybersecurity efforts at the Winter Olympics in Sochi, Russia, but there may not have been any other Russian company that could have pulled it off. In , Eugene Kaspersky's eldest son was kidnapped and held for ransom by apparently incompetent abductors, then freed unharmed after a police raid.

"I feel bad for Kaspersky, because they're probably good guys who are trying to do the right thing, but the forces above them are much more powerful," Kenneth Geers, a senior fellow at the Atlantic Council and an expert on Eastern European cyberespionage, told The Parallax security blog. "Their software can see nation-state operations because they have deep visibility into enterprise and government networks."

Does Kaspersky software seek out American spying tools?

Kaspersky Lab was involved in the discovery of several spyware tools thought to be developed and used by the NSA, including the Stuxnet worm that sabotaged an Iranian uranium-enrichment facility in

For those reasons, the company has been accused of going after American intelligence operations, but it also has discovered and disclosed spyware campaigns thought to be run by Russian and Chinese intelligence. (Kaspersky has a policy of not naming which countries may be behind specific cyberespionage campaigns.)

"We still don't have enough solid information to really judge Kaspersky, just hearsay and rumor," Rob Graham said. "With that said, I wouldn't trust any company from Russia or China, at least not when important national concerns are at stake."

"Kaspersky has, in the past, drawn attention to malware campaigns that almost certainly were orchestrated by Russia, and targeted Russia's enemies," said Graham Cluley. "Perhaps I'm a bear of very little brain, but I don't see why a company colluding with the Russian government would be doing that."

Who should not be using Kaspersky software?

"Anyone worried about the Russian government or Russian organized crime might want to look elsewhere," Pike told Tom's Guide. "This is the same issue as Lenovo computers — probably not a problem for most consumers, but anyone who is worried about being targeted by the Chicoms would probably look elsewhere."

Graham and Weaver agreed that you might need to worry just as much about China as about Russia.

"I don't think important government entities should trust security products/services from adversarial nations like Russia and China," Robert Graham said. "It's unlikely Kaspersky is actually spying for his government, but yet, it's still an event we would add to our risk matrix and defense against."

"Anyone who views the Chinese government as an adversary should avoid Huawei, and those who count the Russian government as an adversary should not install Kaspersky products," Weaver wrote on his blog. "This is why it is shocking me that U.S. government used Kaspersky Lab's products — including on [Department of Defense] systems."

Colder climate

None of the suspicions about Kaspersky Lab mattered much until the popular uprising in Ukraine that removed a pro-Russian president. That, in turn, sparked the Russian forcible takeover of Crimea, the beginning of the ongoing separatist war in eastern Ukraine and the sudden worsening of U.S.-Russian relations.

In , stories began appearing in the U.S. media about Kaspersky Lab's ties to the Kremlin and to Russian intelligence, including one that said Russian intelligence operatives had been deliberately placed on Kaspersky's staff in

The Russian intelligence effort to influence the U.S. presidential election, and the subsequent American investigations into that effort, have only made things harder for Kaspersky Lab. This spring, several U.S. intelligence-agency heads told Congress that they would not run Kaspersky software on their own computers. FBI agents interviewed Kaspersky employees in the U.S.

In September, the Department of Homeland Security ordered the removal of Kaspersky software from U.S. government agencies. Best Buy and Office Depot announced they would no longer sell Kaspersky software and offered to remove it from customer machines for free.

Eugene Kaspersky has offered to testify before Congress and to let American officials read his company's source code. The U.S. government hasn't taken him up on either offer yet.

Innocent explanations?

So far, most of the allegations made against Kaspersky Lab in the American press can be explained. The NSA files on the staffer's home computer could have been malware, in which case Kaspersky's antivirus scanners would have picked them up. Kaspersky itself need not have tipped off Russian intelligence about the files; the Russian security services could have been tapping into Kaspersky's data feeds.

"I'll leave it to Kaspersky to provide the plausible innocent explanation," Opsahl told us, but added that "a plausible explanation may not be enough. Kaspersky probably needs to show that it is not just an innocent victim, but actually the better option in the marketplace."

Even the allegation that Kaspersky's malware-signatures database was altered to look for "TOP SECRET" and other text strings could be explained if Russian intelligence operatives were working secretly among Kaspersky employees.

Kaspersky management might or might not have known about such possible arrangements. But, given the political climate in Russia, it might not have had a choice.

"If there really is any evidence that Kaspersky has colluded inappropriately with Russian intelligence, then I think we would all welcome seeing it, to put this matter to bed once and for all," Cluley said.

"I think there's a danger for other security companies here, though, too," he added. "Not only are some acting rather shabbily in exploiting Kaspersky's discomfort, but they might also want to be wary that they are not also targeted by whispers in the future."

What the future holds for Kaspersky

Eugene Kaspersky seems too gregarious and talkative to be a spy. Until things got hot for him in the U.S., he was a regular fixture at American security conferences. If he wasn't addressing a conference, he'd be holding court in the hallway, ready to talk to anyone who asked.

Kaspersky the man doesn't seem to spend much time in Moscow. He sponsors a Formula 1 racing team, an Australian rugby team and a Greek archaeological site; he hikes around volcanoes in the Russian Far East; and he has placed Kaspersky Lab's holding company in London.

He still holds his own security conference, the Security Analyst Summit, every winter in a tropical tourist resort, although it hasn’t been held on U.S. territory since

"It will be interesting to see how other Western countries begin to respond to the claims" against Kaspersky, Cluley said. "So far, I haven't seen other governments sharing America's nervousness about Kaspersky's software."

"The question is whether Kaspersky can save its non-American business based on those markets not believing the damning information in U.S. newspapers," Aitel told us. "Should any more leaks come out regarding this investigation that indicate Eugene himself knew about this activity, then the company would be kaput."

UPDATE: Kaspersky Lab addressed the allegations in a blog post Oct.

"We help law enforcement agencies (globally, not only in Russia), but with only one thing — catching cybercriminals," the post said. "We've never assisted any cyberspies or military intelligence. That would go against our principles. We do not participate in spying."

"Our products, much like antivirus software from most other companies, have a cloud protection component," it continued. "We call this Kaspersky Security Network (KSN)."

"You can turn KSN off when installing the product or at any time after installation in the protection settings," the blog post added. "If you like to develop cyberweapons on your home computer, it would be quite logical to turn KSN off — otherwise your malicious software will end up in our antivirus database and all your work will have been in vain."

UPDATE: On Oct. 25, Kaspersky Lab released preliminary findings from its own internal investigation. (A third-party investigation is still promised.) The findings appear to largely exonerate the company of wrongdoing.

Most noteworthy was that, according to the Kaspersky report, the NSA staffer upon whose home PC the NSA files were discovered had himself accidentally infected his computer with malware when he installed a "cracked" version of Microsoft Office software. "Cracked" software comes with product-key generators that let you run expensive software without paying for it, but the key generators are often full of malware.

The NSA staffer was only able to run the key generator after disabling his Kaspersky antivirus software, the report found. After he installed Microsoft Office, he re-enabled the antivirus software, which detected the malware that came with the key generator as a "backdoor" which could have let any other kind of malware or attacker onto the machine.

The Kaspersky report doesn't say so explicitly, but the backdoor could have been an avenue by which cybercriminals or Russian spies could have broken into the machine and stolen NSA-related files.

After Kaspersky antivirus software had been re-enabled and had found the key-generator malware, it thoroughly scanned the machine and found a compressed archive file containing new variants of NSA malware (which Kaspersky refers to as "Equation Group" malware).

Copies of the archive containing the new variants were uploaded to Kaspersky's cloud servers, analyzed and discovered to be NSA malware. At this point, the report says, Kaspersky chief Eugene Kaspersky (referred to as "the CEO") was informed, and he ordered that the copies of the archive be destroyed.

UPDATE: On Nov. 16, Kaspersky Lab released the complete report on its internal investigation. It adds more detail to the preliminary report, noting that the American computer in question used "an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD" area — in other words, near NSA headquarters.

The report also notes that the customer's computer was infected with at least different strains of malware and adware, not counting the NSA malware also on the machine. The report theorizes that the machine was infected while the user disabled Kaspersky software so that he could install a "cracked" version of Microsoft Office, and that such a vulnerable machine could easily have been compromised by nation-state attackers targeting a known NSA employee.

It further explains that the compressed archive containing NSA malware also included four documents "bearing classification markings", which implies that they contained language such as "TOP SECRET." The Kaspersky report says that the documents would have been uploaded to Kaspersky servers as part of routine malware collection not because they contained classification markings, but because they were part of an archive containing malware.

"We cannot assess whether the data was 'handled appropriately' (according to U.S. Government norms)," the report adds, "since our analysts have not been trained on handling U.S. classified information, nor are they under any legal obligation to do so."

The one new item in the full report explains why Kaspersky software might appear to have been deliberately programmed to search for language in documents such as "TOP SECRET," as alleged in one of the media reports concerning the company. Ironically, it's because an older strain of apparently Russian state-sponsored malware searched for exactly the same thing.

In March , a cyberespionage campaign exploited the widely used TeamViewer remote-access software to steal electronic documents from governmental organizations, embassies, research institutions and high-tech manufacturers in Europe and the former Soviet states, including Russia.

Researchers called the espionage campaign "TeamSpy," and its associated malware searched for keywords, including "secret" in English, Russian and Georgian, in Word, Excel and PDF files. A Kaspersky report at the time noted that the malware appeared to be created by Russian speakers. (Kaspersky never speculates on who might have created state-sponsored malware, leaving it to readers to guess.)

In , the current Kaspersky report says, the company added a malware signature to search for the keywords that TeamSpy itself was searching for — in an attempt to detect TeamSpy malware. Anyone looking for clues that Kaspersky itself was looking for classified documents could have mistaken that signature for a smoking gun, the report implies.

"It is a possibility that [to] an attacker looking for anything that can expose our company from a negative side, observations like this may work as a trigger for a biased mind," the report says. "Despite the intentions of the malware analyst, they could have been interpreted wrongly and used to create false allegations against us."


The CozyDuke APT

CozyDuke (aka CozyBear, CozyCar or "Office Monkeys") is a precise attacker. Kaspersky Lab has observed signs of attacks against government organizations and commercial entities in the US, Germany, South Korea and Uzbekistan. In , targets included the White House and the US Department of State, as believed.

The operation presents several interesting aspects

  • extremely sensitive high profile victims and targets
  • evolving crypto and anti-detection capabilities
  • strong malware functional and structural similarities mating this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components

The actor often spearphishes targets with e-mails containing a link to a hacked website. Sometimes it is a high profile, legitimate site such as "adityagaur.com", hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy.

In other highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is "Office Monkeys LOL adityagaur.com". The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently. Many of this APT's components are signed with phony Intel and AMD digital certificates.

Recent CozyDuke APT activity attracted significant attention in the news:

Sources: State Dept. hack the "worst ever", CNN News, March
White House computer network "hacked", BBC News, October
Three Months Later, State Department Hasn't Rooted Out Hackers, Wall Street Journal, February
State Department shuts down its e-mail system amid concerns about hacking, Washington Post, November

Let's examine a smattering of representative CozyDuke files and data. There is much to their toolset.

Office Monkeys dropper analysis

CozyDuke droppers and spyware components often maintain fairly common characteristics, but these files' functionality is modified in slight ways depending on the team's needs. This rapid development and deployment is interesting.

dffc06e24aa,Office Monkeys LOL adityagaur.com

Believe it or not, recipients in bulk run the file within:

95b3ec0a4eefaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe

This file in turn drops two executables to %temp%:

  • 2aabd78efd7bfd0d91e68ad3, adityagaur.com
  • 3df87cce, adityagaur.com

It first launches adityagaur.com, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague. It then launches adityagaur.com, a CozyDuke dropper maintaining anti-detection techniques:

3df87cce,adityagaur.com,kb,adityagaur.comyBear.v,CompiledOn

Anti-detection and trojan functionality

The file collects system information, and then invokes a WMI instance in the root\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here:

SELECT * FROM AntiVirusProduct
SELECT * FROM FireWallProduct

The code hunts for several security products to evade:

  • CRYSTAL
  • KASPERSKY
  • SOPHOS
  • DrWeb
  • AVIRA
  • COMODO Dragon

In addition to the WMI/wql use, it also hunts through the "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" registry key looking for security products to avoid. Following these checks, it drops several more malware files signed with the pasted AMD digital signature to a directory it creates. These files are stored within an kb encrypted cab file in the dropper's resources under the name "A". The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \x36\x11\xdd\x08\xac\x4b\x72\xf8\x51\x04\x68\x2e\x3e\x38\x64\x

The cab file is decompressed and its contents are created on disk. These dropped files bundle functionality for both 64bit and 32bit Windows systems and are all located within one directory:
C:\Documents and Settings\user\Application Data\ATI_Subsystem

fadbdc,amdhcpdll,54kb  ← 32bit dll,CompiledOn
dd48a3ffb3af2c3e3,adityagaur.com,60kb  ← 64bit dll,CompiledOn
bcc8f11edf33ad1c0fed,adityagaur.com,kb ← 32bit dll, adityagaur.comyDuke.a, CompiledOn
e79e3dbde55dcf3fca,6kb,adityagaur.com

The code copies rundll32.exe from windows\system32 to its newly created %appdata%\ATI_Subsystem subdirectory as "amdocl_asexe" alongside the three dlls listed above. It runs adityagaur.com with two parameter values, its only export and an arbitrary pid, i.e.:
"C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_asexe" "C:\Documents and Settings\user\Application Data\ATI_adityagaur.com", ADL2_ApplicationProfiles_System_Reload
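
The execution pattern described above (a copy of rundll32.exe under another name in a user profile directory, loading a DLL dropped beside it) can be hunted in process-creation telemetry. The following Python is an added example, not part of the original analysis: it assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine), and the events and the helper/payload file names are constructed.

```python
import ntpath
import re

# Where a genuine rundll32.exe normally lives.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# Profile and temp locations a non-admin dropper can write to.
USER_WRITABLE = re.compile(r"\\(application data|appdata|temp)\\", re.IGNORECASE)
# rundll32 syntax: <host exe> <dll>,<export> [args]; exe and dll may be quoted.
RUNDLL_ARGS = re.compile(
    r'^\s*(?:"[^"]+"|\S+)\s+(?:"([^"]+)"|([^\s,"]+))\s*,\s*([A-Za-z_#][\w#@]*)')

# Constructed process-creation events (not real telemetry). The directory and
# export name come from the page; the .exe/.dll names are made up for the sample.
DROP_DIR = r"C:\Documents and Settings\user\Application Data\ATI_Subsystem"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": DROP_DIR + r"\helper_constructed.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": '"' + DROP_DIR + r'\helper_constructed.exe" "' + DROP_DIR
                    + r'\payload_constructed.dll", '
                    + "ADL2_ApplicationProfiles_System_Reload 1234"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]


def parse_rundll_args(command_line):
    """Return (dll_path, export_name) from a rundll32-style command line."""
    match = RUNDLL_ARGS.match(command_line)
    if not match:
        return None, None
    return match.group(1) or match.group(2), match.group(3)


def find_renamed_rundll32(events):
    """Flag processes whose PE version info says rundll32 but whose path does not."""
    hits = []
    for event in events:
        image = event.get("Image", "")
        # Events without OriginalFileName (older sensors) cannot be judged here.
        if event.get("OriginalFileName", "").lower() != "rundll32.exe":
            continue
        reasons = []
        if ntpath.basename(image).lower() != "rundll32.exe":
            reasons.append("renamed")
        if not SYSTEM_DIR.match(image):
            reasons.append("outside-system-dir")
        if not reasons:
            continue  # genuine rundll32 in its usual place
        if USER_WRITABLE.search(image):
            reasons.append("user-writable-path")
        dll, export = parse_rundll_args(event.get("CommandLine", ""))
        if dll and ntpath.dirname(dll).lower() == ntpath.dirname(image).lower():
            reasons.append("dll-beside-host")
        hits.append({"image": image, "dll": dll, "export": export,
                     "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_renamed_rundll32(SAMPLE_EVENTS):
        print(hit["image"], hit["export"], ",".join(hit["reasons"]))
```
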

This dll is built with anti-AV protections as well. However, it looks for a different but overlapping set, and the random duplication suggests that this component was cobbled together with its dropper, partly regionally based on target selection.

The code collects information about the system and xml formats this data prior to encryption for proper parsing:

Finally, this process beacons to adityagaur.com, which appears to be a site that has been compromised and misused multiple times in the past couple of years.
hxxp://adityagaur.comemaristas[.]com/app/adityagaur.com?{A01BA0AD-9BBFB76B-A00AD11CBAAA}, providing the current network adapter's service name GUID. It uses standard Win32 base cryptography functions to generate a CALG_RC4 session key to encrypt the collected data communications and POSTs it to the server.

Executable-Signing Certificates

Samples are usually signed with a fake certificate - we've seen two instances, one AMD and one Intel:

Configuration files:

Some of the malware uses an encrypted configuration file which is stored on disk as "adityagaur.com". This is encrypted by RC4, using the key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}. Here's how it looks decrypted:

Second stage malware and communications:

The attackers send commands and new modules to be executed to the victims through the C&Cs. The C&C scripts store these temporarily until the victim next connects to retrieve local files. We've identified two such files:

Here's how such a database file appears:

These are BASE64 encoded and use the same RC4 encryption key as the malware configuration.
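
The decoding step described here can be reproduced offline by an analyst. The following Python is an added example, not code from the original write-up: it assumes each record is a single base64 string whose decoded bytes are RC4-encrypted as a whole under the key quoted above, and the sample record is constructed.

```python
import base64
import binascii

# RC4 key quoted on this page for the encrypted configuration file; the page
# says the C&C database files use the same key.
CONFIG_RC4_KEY = bytes([0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7,
                        0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62])

# Constructed plaintext (not recovered data), used only to build a test record.
SAMPLE_TASK = b"<task><note>constructed sample</note></task>"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); encrypts and decrypts alike."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def classify(blob: bytes) -> str:
    """Rough triage of a decrypted blob by its leading bytes."""
    if blob[:2] == b"MZ":
        return "pe"        # DLL or EXE module
    if blob[:4] == b"MSCF":
        return "cab"       # Microsoft cabinet archive
    if blob.lstrip().startswith(b"<"):
        return "xml"       # task or report document
    return "unknown"       # wrong key, wrong layout, or another format


def decode_record(b64_text: str, key: bytes = CONFIG_RC4_KEY):
    """base64-decode one record, RC4-decrypt it, return (kind, plaintext)."""
    try:
        # Tolerate line wrapping, but reject anything outside the alphabet.
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"record is not valid base64: {exc}") from exc
    if not raw:
        raise ValueError("record is empty")
    plain = rc4(key, raw)
    return classify(plain), plain


def make_constructed_record(plaintext: bytes, key: bytes = CONFIG_RC4_KEY) -> str:
    """Build a sample record in the assumed layout so the decoder can be tested."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


if __name__ == "__main__":
    kind, plain = decode_record(make_constructed_record(SAMPLE_TASK))
    print(kind, plain.decode("ascii"))
```

A result of "unknown" on real records means the layout assumption does not hold for that file and the blob needs manual inspection before any conclusion is drawn.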

Decoding them resulted in the following payloads:

bc8bedefabaa, adityagaur.com_
5dd8bfc8bebc8a, cmd_adityagaur.com
e0b6f0dc81a0fbdf, screenshot_adityagaur.com

Decoding them also resulted in a set of tasking files maintaining agent commands and parameter values:

adityagaur.com

And a set of "reporting" files, maintaining stolen system "info", error output, and "AgentInfo" output, from victim systems:

DCOM_amdocl_ld_API_.raw
Util_amdave_System_.vol
Last_amdpcom_Subsystem_.max
Data_amdmiracast_API_.aaf
adityagaur.com

screenshot_adityagaur.com is a bit dll used to take a screenshot of the full desktop window and save it as a bitmap in %temp%. The number of times the screenshot is repeated is configurable within the xml task file.

cmd_adityagaur.com is a bit dll that maintains several primitives. It is used to create new processes, perform as a command line shell, and several other tasks.

Each of these payloads is delivered together with a configuration file that explains how to run it, for instance:


In another tasking, we notice a tracked victim:

Attackers map a network drive using Microsoft OneDrive to run further tools:

They copy down a base64 encoded document from Microsoft OneDrive to the victim system and decode it there:

Not everything works as planned, so they maintain an error-reporting facility for the c2 communications:

Furthermore, ChromeUpdate is a bit executable (which appears to be a WEXTRACT package) that oddly drops a bit Dll. adityagaur.com is simply stored as a cabinet file in the ChromeUpdate's resource section.

adityagaur.com starts the file with "rundll32 adityagaur.com,ADB_Setup"

adityagaur.com analysis

adityagaur.com was written in C/C++ and built with a Microsoft compiler.

adityagaur.com code flow overview

  • RC4 decrypt hardcoded c2 and urls
  • resolve hidden function calls
  • collect identifying victim system data
  • encrypt collected data
  • send stolen data to c2 and retrieve commands

adityagaur.com code details

Structurally, "adityagaur.com" is a fairly large backdoor at KB. It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn't exposed until runtime. No pdb/debug strings are present in the code.

It maintains eight exports, including DllMain:

  • ADB_Add
  • ADB_Cleanup
  • ADB_Initnj
  • ADB_Load
  • ADB_Release
  • ADB_Remove
  • ADB_Setup

ADB_Setup is an entry point that simply spawns another thread and waits for completion.

Above, we see a new thread created with the start address of adityagaur.com export "ADB_Load" by the initial thread.

This exported function is passed control while the initial thread runs a Windows message loop. It first grabs an encrypted blob stored away in a global variable and pulls out bytes of this encrypted data:

Source: [adityagaur.com]

Codes for kaspersky total. Activation codes have been added to the archive. Key activation instructions for Kaspersky

Keys for Kaspersky are required to activate Kaspersky Lab products. License keys can be purchased on the official website of the company. But you can use Kaspersky for free and at the same time officially. In this article, we'll talk about how to do this. And so on in order.

Where to get an antivirus program and how to install it

It is better to download Kaspersky Lab programs from the official website of the company. But first, let's take a closer look at the names and abbreviations.

Kaspersky Anti-Virus, abbreviated KAV, is one of the company's first products. Older users probably remember how it used to squeal like a pig when it discovered a virus. Its main task is to protect your computer from viruses.

Abbreviated form of Kaspersky Internet Security is KIS. Unlike KAV, it not only protects your computer from viruses, but also makes it safe to use the Internet. It blocks the interception of your data, protects the input of passwords, blocks harmful scripts and sites, blocks pop-ups and performs many other useful functions. KIS can be installed both on a computer and on android devices.

Abbreviated form of Kaspersky Total Security - KTS. It is a relatively new product of the company. KTS differs from KIS in that it has the ability to manage all devices on which Kaspersky Total Security is installed through the "my kaspersky" portal, as well as several useful and easy-to-use additional functions.

These products offer the same protection against viruses and threats. The virus signatures and treatment technologies are the same. Even the set of components in the "Protection" tab is no different from each other. So any of these products will keep your device safe. I use kaspersky internet security.

How to install a Kaspersky application

To install the program, you need to download it. As I said at the very beginning, it is better to download from the official site. Go to the adityagaur.com website and select the "download" section.

Choose a product to download: KAV, KIS or KTS. Click "download". For example, I chose Kaspersky Internet Security.

Run the downloaded installation file and wait for the installation to complete.

After installation, we need to activate the program. To do this, press the button "Activate trial version of the program" and register the antivirus program for 30 days.

But what to do when the free period ends?

There are two options:

  1. Buy license key KAV, KIS or KTS
  2. Use free trial keys (we will figure out how to do this below)

Keys for kaspersky, where to get them and how to use them

Not long ago, magazine keys were very popular. These keys had a lifespan of 30 to 60 days. They were published in computer magazines such as "Chip", "ComputerBild" and "PC World". Fresh magazine keys came out with each new issue of the magazine. But unfortunately the freebie ended in early

Trial keys have replaced them. What is a trial key? A trial key is a trial license for a period of 30 to 90 days. It is given for testing antivirus software. At the same time, the functionality of the program works in full. With these keys, you can use Kaspersky for free and officially.

To activate such keys, you need to completely uninstall the program along with the license information (you can check the box when uninstalling) of the antivirus program. After downloading it from the official website, install and activate the trial key.

Reset trial version of Kaspersky without a resetter.

Since March 15, , KRT CLUB has stopped working. Now it is more difficult and longer to reset the license than it was before, but it is still possible. Below is the instruction from the video and the correct links:

Instructions

Video instruction how to reset activation

The main question remains, where to download fresh keys for Kaspersky? You can download the keys on our website (see below). Search the Internet, since now there are many sites that publish them.

Download fresh keys for Kaspersky

Keys for Kaspersky Anti-virus

(updated 12/11/)

Keys for Kaspersky Internet Security

(checked: 01/08/)

Keys for Kaspersky Total Security

(checked: 07/14/)

Keys for KIS Android

(updated )

To summarize: in order to use Kaspersky's antivirus program for free, you need to do the following:

If something didn't work out for you, ask your questions in the comments. Good luck everyone, bye!

There are enough keys in the archive to find working keys for Kaspersky. If the key you used has expired or been blocked, be sure to write about it in the comments; we are constantly monitoring and adding fresh keys for Kaspersky. We update and select the keys with the help of programs that you can use yourself. Has your antivirus trial period ended? Then download free keys.

Updated

We do not upload the files located on the site server to file-sharing hosting, so there is no hassle with advertising and spam when downloading fresh keys for Kaspersky.

The archive with the keys is checked and does not contain malicious code; to make sure, check the downloaded fresh keys for Kaspersky with any antivirus.

If, when updating adityagaur.com, the previously posted keys are not blocked, then the archives are not updated.

Versions of kaspersky anti-virus for which the keys in the archive start from old ones and end with fresh keys for kaspersky .

Antivirus activation using the keys that are in the archive:

1. In the activation key input field, enter the code: U and continue with "Further".
2. After the simple previous step click on the "Browse" button and select the key from the folder you downloaded.

Link for downloading keys for kaspersky all versions for free:

Download fresh keys for kaspersky


Kaspersky activation codes:

Log key for Kaspersky Anti-Virus from CHIP


Log key for Kaspersky Anti-Virus from ComputerBild magazine


Trial key for kaspersky kis 90 days


Activating kaspersky using Dump keys:

2. Open the antivirus and go to Settings → Advanced → Self-Defense (the path may be a little different in other versions, but the meaning is the same), disable self-defense, and disable the antivirus by right-clicking on the icon in the taskbar.

3. Open DELtrial_exe in the previously unzipped folder and agree to reset the trial. This program is suitable only for version 14 of Kaspersky; for version 13, the trial can be reset by the link above, "Getting a day trial version of kaspersky antivirus". The one goal is to reset the trial.

4. Then, in the same folder, look for dump keys for KAV. The end date is written on each folder; select the desired one and first enter the information into the register by clicking on adityagaur.com and then on adityagaur.com in the same folder.

Well, all in principle, rejoice. If you have version 13 and nothing comes out, use the key keys, they are also in the archive, and above you can find another package of key files plus instructions on how to use them.

Video instruction for activating the program in this way

Activated Kaspersky using this method


On this page you will find codes for Kaspersky Anti-Virus, as well as utilities for resetting the trial period (retrial).

At the time of publication, all keys and codes are working (verified).

Codes for KIS and KAV , , , , and


Official trial (trial) codes. Attention! Before activation, reset the trial period using Kaspersky Reset Trial (look below). Otherwise, it is not activated or is activated for 30 days or less.


To activate, use a French proxy.
Proxy must be entered in Settings → Advanced → Network → Proxy server settings (at the very bottom).
Disable proxy after activation.



After 90 days, reset the trial period again and reactivate the antivirus for 90 days. And then again and again

  1. License dumps
    There will be no more dumps. The keys are quickly banned and then the antivirus stops updating. Therefore, now, the dump is useless.
  2. Codes for a year or more
    There will be no free long codes either. Do not search the Internet - you will not find workers. They get banned quickly, even if they show up.
    • Now the most working option for KIS - this is activation using trial codes for 90 days, which are located above. After the expiration date, reset the trial period and reactivate it. I think it's not difficult to press a couple of buttons every 3 months.
    • For KAV there are journal keys, but they are of little use, because most often they are given for 30 days. The easiest way is to reset the trial period every month. There is also a day code at this time. Reset the trial period and activate. Everything is as with KIS.
    • The same goes for KTS - the easiest way is to reset the trial period every month. Sometimes there are promotions for the distribution of keys for an average of 3 months.
  3. What's the bottom line?
    Freebies as before (keys for years, dumps for a year or more, purchased codes) more likely will not. The Caspers have done a lot of work in recent years to combat this. They often monitor sites where keys are handed out in order to immediately ban them. Everything you find on the Internet is mostly either non-workers or some kind of deception.

Trial Reset for Kaspersky (Retrial - reset the trial period):

Kaspersky Reset Trial

Kaspersky Reset Trial - an excellent tool for resetting the trial period and activating using a Kaspersky Anti-Virus dump.

Kaspersky Antivirus

Kaspersky Internet Security

Kaspersky Total Security

Kaspersky Free Antivirus

Kaspersky CRYSTAL

Kaspersky Endpoint Security 8
Kaspersky Endpoint Security 10

Kaspersky Small Office Security 2
Kaspersky Small Office Security 3
Kaspersky Small Office Security 4
Kaspersky Small Office Security 5

Download Kaspersky Reset Trial -

KasTrial

KasTrial - utility for resetting the trial period of Kaspersky anti-viruses.

All KasTrial features:

  • Activating Kaspersky using a key
    Now you do not need to enter the code for beta versions with the Internet disabled, so that you can activate using a key.
  • Extracting a key from Kaspersky
    You can display the key file and activation code from Kaspersky.
  • Ability to completely disable KSN
    Kaspersky Security Network (KSN) is a cloud-based anti-virus technology. Now you can turn it off completely.
  • Removing trial reminders
    Removes the reminder to use a trial license, to ask to buy a license.
Supported Products:
  • KIS / KAV , , ,
  • Kaspersky Crystal (Pure) (before Crystal )
  • KAV WKS MP4
  • Kaspersky Small Office Security 2 (for file servers and PC)
  • Kaspersky Endpoint Security 8

Various antivirus packages from Kaspersky are very popular among CIS users. We are sure that many of them do not realize that you can use your favorite product for free, moreover, legally. The method is very simple - using license journal keys. Where do they come from? Each issue of several popular computer magazines (CHIP, ComputerBild, MirPK and others) contains a fresh key on the enclosed disk for activating any version of Kaspersky Anti-Virus. You don't have to worry about the year either, programs and the latest version for are supported.

The only drawback of journal keys is the limitation of the term of operation, usually 45 days. If it is not difficult for you to periodically visit our website and download a fresh set of keys for Kaspersky, then this legal way to activate the package is just for you. We take care of the timely updating of the keys. Many users of Dr. Web.

Subscription to receive Kaspersky keys via VK

At the request of our users, it was decided to create a special group in VK, in which journal activation codes for Kaspersky products will be published in parallel. This was done on purpose so that you can subscribe to the group and receive notifications about fresh keys, even without visiting this page.

License keys for KAV ,

Keys for KIS Windows:

# 1: 91 days (no proxy)

Keys for KIS Android:

# 1: for 45 days (no proxy)




Free official Kaspersky license

Kaspersky Lab provides protection for your computer completely free of charge.
Free download the official Kaspersky.
Get a free activation license for Kaspersky days.
Free full version and free activation code for Kaspersky.
Free official Kaspersky
Free download Kaspersky from the official website activation license days, to protect your computer, your personal data, your money and your family.
Get Kaspersky Free days free version for Windows 7, , and new 10

Get free Kaspersky Anti-Virus
Official free license for Kaspersky days

To renew or activate a new license, use a fresh series of activation codes, Kaspersky keys free for three, six 12 months

Kaspersky Internet Security

Kaspersky Total Security

Kaspersky Antivirus

Kaspersky Internet Security for Android.


Do not have time to get a free Kaspersky key, you can purchase a personal activation code for Kaspersky 90, and days


