OPINION: For years the FBI has been using a Trojan horse program to spy on suspects' computers.

In response to a Freedom of Information Act request, the FBI has released some
details and history of a spyware program it has used over the years to gather
details on suspects' computers, according to a recent article in Wired.
Information on the CIPAV, or "Computer and Internet Protocol Address
Verifier," first came out in 2007. The
documents recently released by the FBI discuss the cases in which the
software was used and how it was introduced.
Unlike the usual crop of Trojans, CIPAV doesn't do anything malicious to the
systems it runs on. It just logs certain transactional data about the system, such
as the IP addresses of servers to which the system connects. A program that simple
would tend to mitigate the problems I discussed when I beat on the EU for allowing
such surveillance across borders: if the work of the Trojan can be rigorously
documented, then some of the concerns about chain of custody may be assuaged.
What's really interesting about CIPAV is that the more they use it, the more
likely it is to come to the attention of the anti-malware community. If they
get a sample, they'll likely treat it as malware and add detections for it. And they
often share information on these things, so it's possible that multiple vendors
would then detect it. And they would notice the server to which it "phones
home" and blacklist it.
What could the government do about this? It could privately ask or get a
court to order the companies to remove detections, but I feel pretty sure this
hasn't happened. First, so many companies in the AV business are not U.S.
companies. Second, it would leak out. I'm sure it would.
So has it happened? We don't know. CIPAV may very well be known to the
anti-malware companies as some low-incidence, low-damage threat under some other
name. The report noted the concern of some FBI personnel that it was being
overused, but it probably never got to the level where anti-malware researchers
considered it a major threat. And the FBI, like any good malware author, could
just make minor variants of it now and then to restart the detection process.
These changes, and new C&C servers if the old ones get detected, are well within
the capability of the FBI. They can afford an AV lab stocked with every
important AV product, to test variants for detection in-house rather than
uploading them to VirusTotal, which shares submitted samples with the vendors.
This sort of scenario seems reasonable, even likely, to me.
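To make the detection-and-evasion cycle above concrete, here is an added example (not code from the original column, and not anything to do with the real CIPAV) that models it in Python. The implant, its phone-home host names (collector.example.invalid, relay.example.invalid), the signature names and the proxy log lines are all constructed for the example. It shows why an exact-hash signature is restarted by a one-byte variant, why a content signature on the phone-home request survives that but not a move to a fresh C&C host, and how a blacklist of the phone-home host catches beaconing in a proxy log until the host changes:

```python
import hashlib
import re
from typing import List, Optional, Set

# Constructed stand-in for an implant that phones home. Hypothetical host
# name, bytes and log format; nothing here is taken from the FBI documents.
PHONE_HOME_HOST = b"collector.example.invalid"
BASE_SAMPLE = (
    b"MZ" + b"\x00" * 30                                        # fake header / padding
    + b"GET /report?ip=%s HTTP/1.1\r\nHost: " + PHONE_HOME_HOST + b"\r\n"
    + b"\x90" * 16                                              # filler bytes the author can tweak freely
)

# Signature 1: exact-hash signature, the first thing a vendor publishes.
HASH_SIGNATURES = {hashlib.sha256(BASE_SAMPLE).hexdigest(): "Implant-like.A"}

# Signature 2: content pattern on the phone-home request. It survives
# byte-level variants as long as the C&C host stays the same.
PATTERN_SIGNATURES = {
    re.compile(rb"Host: " + re.escape(PHONE_HOME_HOST)): "Implant-like.gen",
}

# Signature 3: network blacklist derived from the observed phone-home host.
HOST_BLACKLIST: Set[str] = {PHONE_HOME_HOST.decode()}


def scan_file(data: bytes) -> List[str]:
    """Return the names of every file signature that fires on the blob."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, pname in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(pname)
    return hits


def make_variant(data: bytes, new_host: Optional[bytes] = None) -> bytes:
    """Model the 'minor variant' trick: flip one filler byte so the hash
    changes, and optionally point the implant at a fresh C&C host."""
    variant = data[:-1] + b"\x91"          # last byte of BASE_SAMPLE is filler
    if new_host is not None:
        variant = variant.replace(PHONE_HOME_HOST, new_host)
    return variant


def flag_beaconing(log_lines: List[str], blacklist: Set[str]) -> List[str]:
    """Proxy-log check: return destination hosts that appear on the blacklist.
    Constructed log format: '<timestamp> <src_ip> -> <dst_host> <bytes>'."""
    flagged = []
    for line in log_lines:
        m = re.match(r"\S+ \S+ -> (\S+) \d+$", line)
        if m and m.group(1) in blacklist:
            flagged.append(m.group(1))
    return flagged


# Constructed proxy log: one benign fetch, one beacon to the known host,
# one beacon to a host the implant's author moved to after detection.
SAMPLE_LOG = [
    "2009-04-16T10:02:11Z 10.0.0.5 -> www.example.com 5120",
    "2009-04-16T10:02:13Z 10.0.0.5 -> collector.example.invalid 412",
    "2009-04-16T10:05:40Z 10.0.0.7 -> relay.example.invalid 398",
]


if __name__ == "__main__":
    print("original:", scan_file(BASE_SAMPLE))
    print("byte-flip variant:", scan_file(make_variant(BASE_SAMPLE)))
    print("new C&C host variant:",
          scan_file(make_variant(BASE_SAMPLE, b"relay.example.invalid")))
    print("beacons caught by current blacklist:",
          flag_beaconing(SAMPLE_LOG, HOST_BLACKLIST))
    print("after adding the new host:",
          flag_beaconing(SAMPLE_LOG, HOST_BLACKLIST | {"relay.example.invalid"}))
```

The hash signature is the cheapest to publish and the cheapest to defeat; the content signature costs the author a new C&C host rather than a single byte, and the network blacklist only lags by however long it takes someone to notice the new host in their logs, which is exactly the cat-and-mouse described above.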
What do the anti-malware companies have to say about it? I thought about
asking, but honestly, they're not going to give me an answer. They'll say what
they said when CIPAV was first revealed two years ago: They don't know. That
answer may be a cover-up, or it may be honest. It seems reasonable to me that
it's honest. Even if they have detected CIPAV, they probably didn't recognize
it as CIPAV, and why would they?
Spyware shouldn't be any more outrageous a tool for law enforcement to use
than, for example, wiretaps. What matters is that they use them legally, with a
warrant or whatever the proper authorization is, and that there be proper
records and accountability. The documents released by the FBI indicate that
they have obtained warrants for each use of the program. What's really
interesting about this story is not that the government is in the spyware
business, but that they might have to hide the way every other spyware author
does.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.