Home > All, Security Issues > FBI, CIPAV spyware, and the anti-virus companies

FBI, CIPAV spyware, and the anti-virus companies

We’ve known it’s been around for a long time, but now the Electronic Frontier Foundation (EFF) has released new information on the FBI’s spyware. Gathered in response to a Freedom of Information Act request, EFF explains that the spyware (Computer and Internet Protocol Address Verifier – CIPAV) gathers the following information from the target’s computer:

  • IP Address
  • Media Access Control (MAC) address
  • “Browser environment variables”
  • Open communication ports
  • List of the programs running
  • Operating system type, version, and serial number
  • Browser type and version
  • Language encoding
  • The URL that the target computer was previously connected to
  • Registered computer name
  • Registered company name
  • Currently logged in user name
  • Other information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”

EFF goes on to explain

It’s not clear from the documents how the FBI deploys the spyware, though Wired has reported that, in the Washington state case, the FBI may have sent a URL via MySpace’s internal messaging, pointing to code that would install the spyware by exploiting a vulnerability in the user’s browser. Although the documents discuss some problems with installing the tool in some cases, other documents note that the agency’s Crypto Unit only needs 24-48 hours to prepare deployment. And once the tool is deployed, “it stay[s] persistent on the compromised computer and . . . every time the computer connects to the Internet, [FBI] will capture the information associated with the PRTT [Pen Register/Trap & Trace Order].
New FBI Documents Provide Details on Government’s Surveillance Spyware

Luis Corrons, PandaLabs

Luis Corrons, technical director, PandaLabs

There are almost certainly legal issues here. There are most definitely moral issues. But there are also other issues. The first is this: what is the AV industry’s attitude towards what David Harley, senior research fellow at ESET and a director of the Anti-Malware Testing Standards Organization, describes as ‘policeware’? Luis Corrons, technical director at PandaLabs, doesn’t hesitate: “Panda Security endeavours to detect any kind of malicious application which attempts to corrupt or intercept legitimate client communication. Malware is malware no matter who creates it and our customers pay to have the best protection against any malicious software created.”

Sophos’ Graham Cluley is equally forthright: “Sophos’s position [is] that we detect any malware that comes to our attention, regardless of who might have written it.”

ESET is the same: “I don’t know if we detect it but our attitude is clear: we detect everything that might be dangerous or potentially unsafe/unwanted. We can’t make exceptions because of a specific origin of some spyware/malware, it would compromise security and consistency of our product. Period.”

David Emm

David Emm, senior security researcher, Kaspersky Lab

And finally, David Emm, senior security researcher at Kaspersky Lab, comments “In general, I can say that Kaspersky Lab is focused on providing the best possible protection for its customers, without distinguishing the source of the malware.  And in practice, we would be unable to distinguish between programs authored by criminals and those authored by government or law enforcement agencies:  it is likely that in both cases a sample would be sent to us by one of the victims and we would add detection automatically.”

Almost universally, then, we can say that the anti-virus industry makes no distinction between crimeware and policeware: both are automatically remedied if detected.

But equally universally the AV industry claims to not know whether they detect this spyware or not. Graham Cluley again: “How would we know if we detect it or not?  To determine if we detected it or not, we’d have to have a confirmed sample of CIPAV.  As it’s highly unlikely that the FBI has put a copyright message inside their spyware and it’s unlikely to announce that it’s ‘CIPAV’, it’s impossible for us to confirm if we have a sample of it in our malware collection or not.”

Graham Cluley

Graham Cluley, senior technology consultant at Sophos

Well, I’m not so sure. Much of AV detection is now behaviour-based. A file is bad if it tries to do bad things – like spyware phoning home. If a bad file is detected, it is analysed. Where for example, is the home that is being phoned? I would be surprised if the sort of analysis undertaken by AV researchers would not turn up some indication of an FBI source. But I may be wrong.

So what are the options here? Does the AV industry detect and remove CIPAV without knowing that it’s CIPAV? In which case, why does the FBI persist with it, and why do other agencies and even other countries, express interest in it (EFF: “Other agencies, and even other countries have shown interest in the tool, indicating its effectiveness. Emails from 2006 discuss interest from the Air Force, the Naval Criminal Investigative Service and the Joint Task Force-Global Network Operations, while another email from 2007 discusses interest from the German government.”)?

Or does the AV industry simply fail to detect it? In which case, does this imply that the industry is no match for the FBI? That’d be worrying.

David Harley

David Harley, senior research fellow at ESET

Or finally, is the AV industry under strict instructions, in the overstretched name of national security, to leave well alone; but deny any such instruction? David Harley is fairly convinced that this does not apply: “I suppose they could conceivably ask us to whitelist a given file hash, which would actually be technically problematic,” he told me. “Apart from the possibility of an accidental hash collision, it would also be possible for a malware author to engineer a hash collision. And such whitelisting wouldn’t necessarily stop the presence of the ‘policeware’ being flagged, if it launched processes or initiated symptoms that were detected heuristically as spyware-like.

“While I don’t speak for the lab [ESET],” he continued, “I’d personally find non-detection ethically uncomfortable. While I don’t have a problem with a legitimate agency ‘invading the privacy’ of a suspected terrorist, drug-runner etc in the course of a properly conducted criminal investigation (and AV does, of course, cooperate with law enforcement and related agencies from time to time in some contexts), it would be very different if there were grounds for thinking it was likely to be used without due legal process.

“However,” he concluded, “I don’t know of any instance of an AV company being asked not to detect it; and in fact, it occurs to me that since it wouldn’t be possible to guarantee that it would only be found on systems within the FBI’s jurisdiction, deliberate non-detection could put an AV company in legal jeopardy in other jurisdictions, even if they were sure that it wouldn’t be installed illegally in the US.”

Frankly, I don’t know the truth here. But what I do know is that it is a worrying society where the law for law enforcement is different to the law for everyone else. ‘All are equal in the eyes of the law’ should not be a proverb – it should be a fact. And if we are reduced to using the same tactics as the criminals, then what exactly do we have that is worth defending?

See also: AV and the NSA: is the anti-virus industry in bed with the NSA – why do CIPAV, FinFisher and DaVinci still defeat AV?

Panda Security

Categories: All, Security Issues
  1. Jason Realman
    January 21, 2014 at 12:54 pm

    The purpose of anti-malware tools is to rid a system of malware. Any conditional disabling of functionality, however justified, renders the entire principle compromised.
    If the AV company can be sent a list of computers, then remotely disable detection for those machines, then the AV software is itself acting maliciously by allowing itself to be remotely disabled.
    Therefore, any software that does not strictly punish ALL kinds of intrusion isn’t worth the box it came in.
    If the AV companies are writing in back doors for the FBI or anyone else, someone will find them and compromise innocent systems in the same way.
    If a crime is committed, it is the job of the law enforcement to find and punish the criminal. The job of the AV companies is to secure computers.
    Any crossing of wires corrupts both entirely.


  2. September 27, 2012 at 2:36 pm

    Brian, really…you think the AV companies should work with the FBI to create a backdoor?


  3. May 30, 2012 at 1:41 pm

    Correct me if necessary, BUT wasn’t there an organization of AVAS companies which went by the name Anti-Apyware Coalition? And didn;t this organization include ALL of the major AVAS companies? And didn’t they decide which programs would be permitted under their radar when they chose to not detect and prevent programs like WebWatcher by Awareness Technologies and other programs which are supposedly being used by parent to monitor children. I assure you no parent needs the obfuscation, redirection and keyword notifications provided by WebWatcher. It goes even further, when programs like WebWatcher get a pass, because the first thing that it does is disables the AVAS software from functioning. An extra slash in the registry disables all the virus definitions (McAfee). A junction point can assure that any scan of the system never completes to the point where a user can act on the intrusion (Kaspersky). And if the ATI advertising is correct NORTON SYMANTEC is securing the data being hijacked from your computer EVEN IF YOU ARE RUNNING THEIR PROGRAM YOURSELF. There is no exit from a targeted intrusion until there is detection, prevention and prosecution for the misuse and illegal use of these programs. I have watched this go from a detected piece of spyware in 2006, to a branded package which avoided detection/prevention SIMPLY BECAUSE IT WAS PACKAGED AND SOLD, to a bootkit and then to a rootkit which installs itself on a virtual drive and runs from virtual memory with minimal traces on the hard disc or BIOS records. the damage this program can do it documented here… http://www.work2bdone.com/live


  4. Brian Brown
    February 3, 2012 at 10:26 pm

    This scares the heck out of me…. If the AV companies cannot detect ANYTHING which sends info from the computer such as this , then there is a huge Security hole open on all computers… my suggestion for the AV companies is to make SURE even this level of spyware can be detected, but that these companies could be notified by the FBI (with a court order) as to which specific machine/network it is targeting and that they can then disable machine/user protection via an update… ON THOSE SPECIFIC computers, so that the rest of us can rest assured that no one, can compromise the security, we are PAYING for.


  5. John Krowtiz
    October 26, 2011 at 6:35 pm

    Panda has already detected CIPAV and knows this. They probably arent saying for some kind of mobsters-in-our-own-fucking-government-mentality.

    But I’ll say it. ci.a = cipav. Check ci.a on panda’s AV DB


  6. wrangler
    June 28, 2011 at 9:43 pm

    The FBI is made up of meat heads and run by cowardly pot smoking debutantes with a penchant for watching people watch kp and coming in each others mouths in between anal gang bangs and shots of Jameson….


  7. finack
    May 12, 2011 at 3:53 pm

    You don’t need to ask AV companies to not detect your malware. With the state of the AV industry, all that is needed is a minor change and recompilation, or even easier an automated deployment process that generates a binary with a new hash each time. Look at the detection rates of CVE-2011-0611: each time it was redeployed in a different container detection rates on virus total shot back down to approximately 0, even though the exact same exploit was being deployed.

    AV companies will receive a low number of samples of CIPAV as it isn’t being bulk distributed (as many trojans or viruses are) – by the time they capture a sample and add it to their signature databases the FBI is assuredly on to a new build. Consider that anyone can easily check if a file is detected by 40+ vendors in a matter of seconds. Why would anyone deploy malware that was detected as long as they have the ability to rebuild it.


    • Brian Brown
      February 3, 2012 at 10:32 pm

      The malware can always be detected…..based on its behavior. It would suffice to say that these companies MUST protect us all against any type of data transmission moving specific types of data from a node. The FBI should work with these companies to work out a randomly coded back door key which would allow them stealth when they need it, but offering everyone else the security of knowing their data is secured from all other such types of copycat trojans etc.


  1. July 11, 2015 at 10:31 am
  2. November 8, 2014 at 10:05 pm
  3. April 29, 2014 at 2:55 pm
  4. September 15, 2013 at 12:02 pm
  5. February 11, 2012 at 1:57 pm
  6. May 6, 2011 at 6:23 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s