FBI, CIPAV spyware, and the anti-virus companies
We’ve known it’s been around for a long time, but now the Electronic Frontier Foundation (EFF) has released new information on the FBI’s spyware. Drawing on documents obtained through a Freedom of Information Act request, EFF explains that the spyware (the Computer and Internet Protocol Address Verifier, or CIPAV) gathers the following information from the target’s computer:
- IP Address
- Media Access Control (MAC) address
- “Browser environment variables”
- Open communication ports
- List of the programs running
- Operating system type, version, and serial number
- Browser type and version
- Language encoding
- The URL that the target computer was previously connected to
- Registered computer name
- Registered company name
- Currently logged in user name
- Other information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”
EFF goes on to explain:
It’s not clear from the documents how the FBI deploys the spyware, though Wired has reported that, in the Washington state case, the FBI may have sent a URL via MySpace’s internal messaging, pointing to code that would install the spyware by exploiting a vulnerability in the user’s browser. Although the documents discuss some problems with installing the tool in some cases, other documents note that the agency’s Crypto Unit only needs 24-48 hours to prepare deployment. And once the tool is deployed, “it stay[s] persistent on the compromised computer and . . . every time the computer connects to the Internet, [FBI] will capture the information associated with the PRTT [Pen Register/Trap & Trace Order].”
New FBI Documents Provide Details on Government’s Surveillance Spyware
There are almost certainly legal issues here. There are most definitely moral issues. But there are also other issues. The first is this: what is the AV industry’s attitude towards what David Harley, senior research fellow at ESET and a director of the Anti-Malware Testing Standards Organization, describes as ‘policeware’? Luis Corrons, technical director at PandaLabs, doesn’t hesitate: “Panda Security endeavours to detect any kind of malicious application which attempts to corrupt or intercept legitimate client communication. Malware is malware no matter who creates it and our customers pay to have the best protection against any malicious software created.”
Sophos’ Graham Cluley is equally forthright: “Sophos’s position [is] that we detect any malware that comes to our attention, regardless of who might have written it.”
ESET is the same: “I don’t know if we detect it but our attitude is clear: we detect everything that might be dangerous or potentially unsafe/unwanted. We can’t make exceptions because of a specific origin of some spyware/malware, it would compromise security and consistency of our product. Period.”
And finally, David Emm, senior security researcher at Kaspersky Lab, comments: “In general, I can say that Kaspersky Lab is focused on providing the best possible protection for its customers, without distinguishing the source of the malware. And in practice, we would be unable to distinguish between programs authored by criminals and those authored by government or law enforcement agencies: it is likely that in both cases a sample would be sent to us by one of the victims and we would add detection automatically.”
Almost universally, then, we can say that the anti-virus industry makes no distinction between crimeware and policeware: both are automatically remedied if detected.
But equally universally the AV industry claims to not know whether they detect this spyware or not. Graham Cluley again: “How would we know if we detect it or not? To determine if we detected it or not, we’d have to have a confirmed sample of CIPAV. As it’s highly unlikely that the FBI has put a copyright message inside their spyware and it’s unlikely to announce that it’s ‘CIPAV’, it’s impossible for us to confirm if we have a sample of it in our malware collection or not.”
Well, I’m not so sure. Much of AV detection is now behaviour-based. A file is bad if it tries to do bad things – like spyware phoning home. If a bad file is detected, it is analysed. Where, for example, is the home that is being phoned? I would be surprised if the sort of analysis undertaken by AV researchers would not turn up some indication of an FBI source. But I may be wrong.
So what are the options here? Does the AV industry detect and remove CIPAV without knowing that it’s CIPAV? In which case, why does the FBI persist with it, and why do other agencies, and even other countries, express interest in it (EFF: “Other agencies, and even other countries have shown interest in the tool, indicating its effectiveness. Emails from 2006 discuss interest from the Air Force, the Naval Criminal Investigative Service and the Joint Task Force-Global Network Operations, while another email from 2007 discusses interest from the German government.”)?
Or does the AV industry simply fail to detect it? In which case, does this imply that the industry is no match for the FBI? That’d be worrying.
Or finally, is the AV industry under strict instructions, in the overstretched name of national security, to leave well alone; but deny any such instruction? David Harley is fairly convinced that this does not apply: “I suppose they could conceivably ask us to whitelist a given file hash, which would actually be technically problematic,” he told me. “Apart from the possibility of an accidental hash collision, it would also be possible for a malware author to engineer a hash collision. And such whitelisting wouldn’t necessarily stop the presence of the ‘policeware’ being flagged, if it launched processes or initiated symptoms that were detected heuristically as spyware-like.
“While I don’t speak for the lab [ESET],” he continued, “I’d personally find non-detection ethically uncomfortable. While I don’t have a problem with a legitimate agency ‘invading the privacy’ of a suspected terrorist, drug-runner etc. in the course of a properly conducted criminal investigation (and AV does, of course, cooperate with law enforcement and related agencies from time to time in some contexts), it would be very different if there were grounds for thinking it was likely to be used without due legal process.
“However,” he concluded, “I don’t know of any instance of an AV company being asked not to detect it; and in fact, it occurs to me that since it wouldn’t be possible to guarantee that it would only be found on systems within the FBI’s jurisdiction, deliberate non-detection could put an AV company in legal jeopardy in other jurisdictions, even if they were sure that it wouldn’t be installed illegally in the US.”
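As an added example that is not part of the original article or of any vendor’s product, the two technical points above in code: the behaviour-based detection of a process “phoning home” right after every Internet (re)connect, which is the behaviour the EFF quote describes and the analysis the paragraph on AV detection argues would reveal the destination, and Harley’s observation that allowlisting a file hash neither stops behavioural flagging nor survives a change to the file. The telemetry, process names, addresses and the stand-in file contents are all constructed.

```python
import hashlib
from collections import defaultdict

# Constructed host telemetry (not from the article): (seconds, event, process, destination);
# "net_up" marks the machine (re)connecting to the Internet, "connect" an outbound connection.
TELEMETRY = [
    (100, "net_up", "-", "-"),
    (103, "connect", "updater.exe", "203.0.113.9:443"),
    (104, "connect", "browser.exe", "198.51.100.20:443"),
    (900, "net_up", "-", "-"),
    (902, "connect", "updater.exe", "203.0.113.9:443"),
    (950, "connect", "browser.exe", "198.51.100.21:443"),
    (1700, "net_up", "-", "-"),
    (1703, "connect", "updater.exe", "203.0.113.9:443"),
]

def phone_home_suspects(events, window=10, min_hits=3):
    """Behavioural rule: a process that contacts the same destination within `window`
    seconds of every Internet (re)connect, at least `min_hits` times, is phoning home."""
    hits = defaultdict(int)
    last_up = None
    for ts, kind, proc, dest in events:
        if kind == "net_up":
            last_up = ts
        elif kind == "connect" and last_up is not None and ts - last_up <= window:
            hits[(proc, dest)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the tool's on-disk file, plus an allowlist holding its hash.
SAMPLE_BINARY = b"constructed stand-in for a file someone asked us not to detect"
ALLOWLIST = {sha256_hex(SAMPLE_BINARY)}

def verdict(proc, file_bytes, allowlist, suspects):
    """A hash allowlist only exempts an exact file hash from static matching;
    behaviour observed from the running process is still flagged."""
    behaviour = sorted(dest for (p, dest) in suspects if p == proc)
    return {
        "allowlisted": sha256_hex(file_bytes) in allowlist,
        "behaviour": behaviour,
        "flagged": bool(behaviour),
    }

if __name__ == "__main__":
    print(verdict("updater.exe", SAMPLE_BINARY, ALLOWLIST, phone_home_suspects(TELEMETRY)))
    # A one-byte change to the file defeats the hash allowlist entirely:
    print(sha256_hex(SAMPLE_BINARY + b"\x00") in ALLOWLIST)
```

The allowlisted file is still flagged because the rule keys on what the process does, not on what it hashes to; the destination it reports is the “home” an analyst would then investigate.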
Frankly, I don’t know the truth here. But what I do know is that it is a worrying society where the law for law enforcement is different to the law for everyone else. ‘All are equal in the eyes of the law’ should not be a proverb – it should be a fact. And if we are reduced to using the same tactics as the criminals, then what exactly do we have that is worth defending?