FBI Spyware Could Look Like Your Average Trojan

By Larry Seltzer  |  Posted 2009-04-23

OPINION: For years the FBI has been using a Trojan horse program to spy on suspects' computers.

In response to a Freedom of Information Act request, the FBI has released some details and history of a spyware program it has used over the years to gather details on suspects' computers, according to a recent article in Wired.

Information on the CIPAV, or "Computer and Internet Protocol Address Verifier," first came out in 2007. The documents recently released by the FBI discuss the cases in which the software was used and how it was delivered onto suspects' systems.

Unlike the usual crop of Trojans, CIPAV doesn't do anything malicious to the system it runs on. It just logs certain transactional data, such as the IP addresses of the servers the machine connects to. A program with that narrow a footprint would go some way toward mitigating the problems I raised when I criticized the EU for allowing such surveillance across borders: if what the Trojan does can be rigorously documented, some of the concerns about chain of custody can be assuaged.

What's really interesting about CIPAV is that the more the FBI uses it, the more likely it is to come to the attention of the anti-malware community. If a vendor gets a sample, it will likely treat it as malware and add detection for it. Vendors often share samples and information on these things, so multiple products could then detect it. And analysts would notice the server to which it "phones home" and blacklist that address as well.

What could the government do about this? It could privately ask the companies to remove the detections, or get a court to order it, but I feel pretty sure this hasn't happened. First, many companies in the AV business are not U.S. companies and would not be bound by such an order. Second, it would leak out. I'm sure it would.

So has it happened? We don't know. CIPAV may very well be known to the anti-malware companies as some low-incidence, low-damage threat under another name. The documents note the concern of some FBI personnel that the tool was being overused, but it probably never reached the prevalence at which anti-malware researchers would consider it a major threat. And the FBI, like any good malware author, could just release minor variants now and then to restart the detection process: a recompiled binary with a few bytes changed defeats a hash or exact-signature match even if the behavior is unchanged, and new command-and-control servers replace any that get blacklisted. Both are well within the FBI's capability. It can also afford an in-house lab with a copy of every major AV product to test variants for detection, rather than uploading them to VirusTotal, which shares submitted samples with the vendors. This scenario seems reasonable, even likely, to me.
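To make the "minor variant" point concrete, here is an added example (my own illustration, not code from the article, from Wired, or from any FBI program) showing why a few changed bytes restart hash-based detection while pattern and network-indicator detection can survive. The sample bytes, the product string, the hostnames and the signature names are all constructed for the demo and stand in for nothing real.

```python
"""Toy scanner: hash match vs. byte-pattern match vs. phone-home host match.

Everything here is constructed for illustration. SAMPLE_V1 is a fake
'binary' with a recognisable product string and a phone-home URL; it is
not malware and does nothing when executed as data.
"""
import hashlib
import re

# Constructed stand-in for a tool that records transactional data and
# reports it to a collection server. Hostname is in the reserved
# .invalid TLD so it can never resolve.
SAMPLE_V1 = (
    b"MZ\x90\x00" + b"\x00" * 12                         # fake header
    + b"ipaddr_verifier_v1\x00"                           # product string
    + b"report_to=http://collect.example.invalid/up\x00"  # phone-home URL
    + b"\xcc" * 32                                        # fake code bytes
)

# Three detection layers a vendor might ship after seeing SAMPLE_V1.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_V1).hexdigest()}
SIGNATURES = {"verifier-string": re.compile(rb"ipaddr_verifier_v\d+")}
BLOCKED_HOSTS = {b"collect.example.invalid"}

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_detect(data, known=KNOWN_HASHES):
    """Exact-file match: cheapest, but defeated by any byte change."""
    return sha256_hex(data) in known


def pattern_detect(data, sigs=SIGNATURES):
    """Byte-pattern match: survives padding and version bumps."""
    return sorted(name for name, rx in sigs.items() if rx.search(data))


def network_detect(data, blocked=BLOCKED_HOSTS):
    """Indicator match on embedded phone-home hosts."""
    return sorted(h for h in HOST_RE.findall(data) if h in blocked)


def scan(data):
    return {
        "hash": hash_detect(data),
        "patterns": pattern_detect(data),
        "c2": network_detect(data),
    }


def make_variant(data, version, c2_host=None, pad=16):
    """Simulate a 'minor variant': bump the version string, optionally
    repoint the phone-home host, and append padding. Each change is a
    few bytes, yet the SHA-256 of the result is completely different."""
    out = re.sub(rb"ipaddr_verifier_v\d+",
                 b"ipaddr_verifier_v%d" % version, data)
    if c2_host is not None:
        out = HOST_RE.sub(
            lambda m: m.group(0).replace(m.group(1), c2_host), out)
    return out + b"\x00" * pad


if __name__ == "__main__":
    print("v1       ", scan(SAMPLE_V1))
    print("v2 padded", scan(make_variant(SAMPLE_V1, 2)))
    print("v3 new C2", scan(make_variant(SAMPLE_V1, 3,
                                         c2_host=b"relay2.example.invalid")))
```

Running it shows the asymmetry the column describes: the padded version-2 variant escapes the hash layer but is still caught by the string pattern and the blocked host, while the version-3 variant with a new server escapes both the hash and the network indicator, leaving only the looser byte pattern. A vendor that wants to stay ahead of such variants has to write the tolerant pattern (or a behavioral rule) rather than keep adding hashes, and the author of the tool, in turn, has to test each variant against every product it might meet in the field.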

What do the anti-malware companies have to say about it? I thought about asking, but honestly, they're not going to give me an answer. They'll say what they said when CIPAV was first revealed two years ago: they don't know. That answer may be a cover-up, or it may be honest. It seems reasonable to me that it's honest. Even if they have detected CIPAV, they probably didn't recognize it as CIPAV, and why would they? A sample that logs connection data and uploads it looks like any other low-grade spyware.

Spyware shouldn't be any more outrageous a tool for law enforcement to use than, for example, wiretaps. What matters is that they use them legally, with a warrant or whatever the proper authorization is, and that there be proper records and accountability. The documents released by the FBI indicate that they have obtained warrants for each use of the program. What's really interesting about this story is not that the government is in the spyware business, but that they might have to hide the way every other spyware author does.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
