OPINION: For years the FBI has been using a Trojan horse program to spy on suspects' computers.
In response to a Freedom of Information Act request, the FBI
has released some details and history of a spyware program it has used over the
years to gather details on suspects' computers
, according to a recent
article in Wired.
Information on the CIPAV, or "Computer and Internet Protocol Address
Verifier," first came out in 2007. The
documents recently released by the FBI
discuss the cases in which the
software was used and how it was introduced.
Unlike the usual crop of Trojans, CIPAV doesn't do anything malicious to the
systems. It just logs certain transactional data on the system, such as the IP
address of servers to which it connects. A simple program would tend to
mitigate problems I discussed when I
beat on the EU for allowing such surveillance across borders
. If the work
of the Trojan can be rigorously documented, then some of the concerns about
chain of custody may be assuaged.
What's really interesting about CIPAV is that the more they use it, the more
likely it is to come to the attention of the anti-malware community. If they
get it, they'll likely treat it as malware and add detections for it. And they
often share information on these things, so it's possible that multiple vendors
would then detect it. And they would notice the server to which it "phones
home" and blacklist it.
What could the government do about this? It could privately ask or get a
court to order the companies to remove detections, but I feel pretty sure this
hasn't happened. First, so many companies in the AV business are not U.S.
companies. Second, it would leak out. I'm sure it would.
So has it happened? We don't know. CIPAV may very well be known to the
anti-malware companies as some low-incidence, low-damage threat of some other
name. The report noted the concern of some FBI personnel that it was being
overused, but it probably never got to the level where anti-malware researchers
considered it a major threat. And the FBI, like any good malware author, could
just make minor variants of it now and then to restart the detection process.
These changes, and new C&C servers if the old ones get detected, are well within
the capability of the FBI. They can afford an AV lab with one of all the
important AV programs to test for detection, rather than sending
variants to VirusTotal
. This sort of scenario seems reasonable, even likely,
What do the anti-malware companies have to say about it? I thought about
asking, but honestly, they're not going to give me an answer. They'll say what
they said when CIPAV was first revealed two years ago: They don't know. That
answer may be a cover-up, or it may be honest. It seems reasonable to me that
it's honest. Even if they have detected CIPAV, they probably didn't recognize
it as CIPAV, and why would they?
Spyware shouldn't be any more outrageous a tool for law enforcement to use
than, for example, wiretaps. What matters is that they use them legally, with a
warrant or whatever the proper authorization is, and that there be proper
records and accountability. The documents released by the FBI indicate that
they have obtained warrants for each use of the program. What's really
interesting about this story is not that the government is in the spyware
business, but that they might have to hide the way every other spyware author
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.