The cyber security implications of Iran's government-backed antivirus software


According to independent media reports, Iran has banned the import of foreign security software, and has been secretly working on its own antivirus solution since 2010.

Developed by Iranian experts from Shiraz Computer Emergency Response Team of APA (Academic Protection and Awareness), the software has undergone active testing and is ready to be used on government and military installations.

Key points to consider:

  • The U.S., Russia and China are developing offensive cyber warfare weapons -- weaponized malware -- that successfully bypass the most popular antivirus solutions. Will Iran undermine the effectiveness of these cyber weapons? Not necessarily. What Iran's decision to rely on a government-backed antivirus product will do is increase the interest of foreign governments in obtaining and analyzing the software, so that they can exploit weaknesses in its design and bypass it in the long term. Until a copy is obtained, however, the ban does undermine the QA (quality assurance) practice of testing weaponized malware against the products its targets are known to run, which today means the popular commercial antivirus vendors.
  • Reliance on largely untested in-house software, rather than on vendors with decades of experience, is a flawed strategic approach - Iran's adversaries should be thankful for Iran's largely flawed approach to securing the nation's infrastructure from malicious code. Instead of importing proven solutions and running multiple antivirus engines to protect endpoints, the country's nationalist sentiment seems to be prevailing, potentially exposing its infrastructure to malicious attacks.
  • Basing your entire strategy on a single endpoint solution undermines the concept of defense in depth - Iran doesn't seem to be applying the defense-in-depth concept, which calls for multiple, independent layers of protection around a network or an endpoint. The country's ban on foreign security products means it will have to build firewalls and intrusion prevention/detection systems from scratch, in isolation from the rest of the industry. This will result in major flaws in the design and the practical applicability of these in-house products.
  • From an Information Warfare perspective, by banning imports of foreign security products, Iran might be laying the foundations for a successful self-mobilizing cyber militia campaign - Antivirus tools don't just detect viruses; they detect malicious code in general, including DoS (denial of service) and DDoS (distributed denial of service) attack tools. In a cyber conflict waged on Information Warfare principles, Iran could distribute software agents to civilians in order to use their bandwidth, or their Internet connectivity in general, for the campaign. We've seen this happen on numerous occasions in the past. In such a conflict, Iran's antivirus software could deliberately skip detection of these tools, which foreign antivirus software would otherwise flag, to ensure that the Iranian population participates. See: Attack of the Opt-in Botnets

Moreover, Iran's antivirus doesn't participate in any of the industry's periodic comparative reviews that evaluate the effectiveness of antivirus software, it doesn't take part in organizations such as the Honeynet Project, it doesn't share samples with competing vendors, and it receives no samples from them in return. This closed, self-serving mentality will ultimately give foreign adversaries easy access to Iran's infrastructure, and in particular to hosts running the largely untested antivirus software.

Diversification may result in complexity, which in turn can result in insecurity, but basing the protection of endpoints on a single, largely untested product results in the monocultural insecurity posed by the use of a single, potentially 'buggy' product: one flaw, or one evasion technique, applies to every host at once.

Iran isn't the first country to start developing its own hardened security products; however, it's among the few to ban imports of foreign security software. China with its Red Flag Linux and Kylin OS, the European Union with its secure OS Minix, and Russia, which has also expressed interest in the concept, are among those considering a move away from U.S.-developed operating systems in order to escape the monocultural insecurities posed by the world's most popular operating system - Microsoft's Windows.

What do you think? Is Iran's move putting the U.S., Russia or China at a strategic disadvantage, or is the move largely exposing Iran's infrastructure to amateur malware authors who will inevitably start bypassing Iran's proprietary antivirus software?


About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Does writing your own A/V really mean that you're weak?

    If you have enough resources, you might be good enough to reach a similar level as currently available commercial products. It is sure that A/V is good, but localized reaction to local attacks is always a bit slow, under the condition that you're not based in an English-speaking country.
    Just writing your own A/V doesn't mean that you have not understood or implemented a defense in depth approach. Or did the sources also state that they create their own O/S, firewalls and so on?
    • half of the story

      It's not a bad decision to develop your own AV. The stupidity lies in their decision to ban all other AVs. Once a hole is found in the Iranian AV, the whole country is at risk because you know for sure that everybody uses the same product...
  • Are they gonna ban Windows as well?

    Or have they already done so :| if they don't ban Windows, I don't think they can ban Microsoft Security Essentials :p
  • Maybe, Probably

    It is natural, and at least to some extent reasonable, to think that the competition in the market will ensure that a better product comes out of at least one vendor. It is also natural/reasonable to think that once you close down to outside influence you will stop getting better, unless...

    1) There actually is/was a conspiracy to leave some vulnerability in place or to secretly disclose any new ones and perhaps leave them unpatched for a period of time until publicly disclosed
    2) In the process of doing this, you develop a better solution that nobody has thought of, i.e. a paradigm shift, which is how every business and technology revolution happens
    3) The value of uncertainty/obscurity, at least in the short term (which is all that really matters in the case of Iran), enables a heightened catch rate, since the bad guys, whomever they are, may not know everything you are doing.

    Iran may or may not achieve better results this way. My hunch is that they will not, but I gave up underestimating Iran a long time ago - both in good and bad ways.
  • Iran is saying (in easy words).

    Antivirus software is a backdoor.
  • Well I love this..

    "Iran's adversaries should be thankful for Iran's largely flawed approach to ..." well everything.
  • Iranian Security Software

    Other points to consider:
    1. Can anyone doubt that the USA & other cyber nations are also developing confidential in-house protection?
    2. Can anyone doubt that open-market security software, good as it may be, is automatically superior to in-house software; or that it may not be subject to undisclosed trapdoors?
    Kootenay Coyote
    • RE: subject to undisclosed trapdoors?

      Excellent point!

      See my reply below to 'dhays' as I explore this point.
  • Iran

    Who's to say that they cannot build a superior product? Just because they don't allow Symantec or McAfee or some other off-the-wall product like Comodo (which I use) doesn't mean they can't make a good product. Who says they aren't reverse engineering the other products to find out what makes them tick and improving on it?
    Again, lack of proofreading makes this article harder to read. One has to guess at the proper word.
    "of is the move" I presume to mean "or", not "of"; "may results in complexities" should read "result", not "results", as "results" is a confusing tense.

    At present, it sounds like much ado about nothing, just speculation, nothing more.
    • RE: Iran

      First off, we should agree to leave the politics (after all, we are speaking of Iran here) out of the discussion. What you think of Iran, for the most part, should be immaterial to the base discussion here.

      Why would any nation state, [u]whose infrastructure has been the subject of attack[/u], not want to protect those assets against actors with nefarious intent? Any rational, objective observation would require you to 'protect' those assets. Whether it is nuclear centrifuges, or electric grids, strategic assets must be protected.

      If you [b]can not trust[/b] that some nation state has used its resources to install back doors in commercially available software; then you must create your own. Critical infrastructure here in the US is being probed all the time, and, in no small thanks to stupid, clueless `bean counters`, much of it is entrusted to off the shelf (OTS) Microsoft products.

      From the Iranian POV, they can not trust that the commercially available AV software doesn't have NSA and Israeli sponsored backdoors; just like we (the USA) have every reason to be suspicious of hardware that is made in China. We most certainly [b]do not want[/b] backdoors in equipment used by the military, now would we???? Nor, would the Iranians, or any other nation.

      Thus, the idea that Iran has decided to 'outlaw' OTS AV products should be regarded as "dumb" or "stupid", or fails to recognize the cyber security implications, is mistaken in itself. They may fully realize that they are quite exposed, and are not comfortable with it. No doubt, in the aftermath of the damage inflicted on their facilities, some heads may have rolled. I know that if I were in such a situation, and that sort of s--- happened `under my watch`, I would "get to the bottom of it". Now, on the surface, it looks like they are putting plans in place to prevent, or diminish the potential for, a re-occurrence of another intrusion. Time for the "home grown" solution, or so we are led to believe.

      [i]Just because they have made this statement publicly,[/i] doesn't mean that it is not [u]disinformation[/u]. What is the first rule of being a great magician? [i]Distract your audience, while you pull off the 'trick'.[/i]

      Who knows what the Iranians are up to.

      [b]Governments LIE, all the time!!!!![/b]

      EDIT: typo, damn, do I HATE this keyboard!!!!
  • Iran or not

    Gee, look at it this way: if they start making or creating their own A/V protection, won't that make them a center for other hackers and security people to test it out? Curiosity killed the cat.
    • re: curiosity killed the cat

      You can as well say that the pressure is making things harder.
  • Practice & Theory

    Maybe if they banned foreign potatoes they could succeed, but AV is software and can be downloaded off the Internet easily.

    Just because they ban foreign AV it doesn't mean people won't be using it anyway.
  • Easy

    Iran will have its own 'secret' defense system for the internet age. The US will just ask Israel for a copy. Israel will have the thing totally taken apart and broken within 2 months of its deployment. China will probably do the same thing too.

    Iran is only trying to reduce the export of currency. That they are desperate to do. It's not like they can defend against the Script Kiddies.

    As such things go, this is an easy situation for NSA or any of its international rivals.
  • Iran and security software

    Security software such as this will also give the government an automatic backdoor into every computer that uses it. If it goes out to the general public as well, it will just be another method of spying on their own people.
  • Questionable content

    "world's most popular Operating System - Microsoft's Windows.".
    • Questionable content

      Actually there was an apostrophe in there..."considering to migrate from using U.S developed Operating Systems in order to migrate from the monocultural insecurities posed by the world's most popular Operating System - Microsoft's Windows." It's the multiple use of "migrate", as in "considering to order to migrate", that I find clumsy and distracting.
  • Well..

    It appears that other governments will have a pretty good idea of what security software *every* computer in Iran will be running and if they find a vulnerability in that security software, *every* computer in Iran will be at risk.

    They may be using this to control their population but it could seriously backfire on them -- because a dissident in their own country could uncover such vulnerabilities too.
  • what about supply side security motives?

    It may be that the Iranians are suspicious of foreign products that may contain backdoors. They are not the only country that is concerned about buying products with something not published in the brochure and unwanted inside.
  • Spyware

    Gosh, you know it's going to be loaded with spyware and key-loggers, and I wouldn't be a bit surprised if it didn't have a botnet for attacking whoever they point it towards....