Unlike the usual crop of Trojans, CIPAV doesn't do anything malicious to the
systems. It just logs certain transactional data on the system, such as the IP
address of servers to which it connects. A simple program of this kind would
tend to mitigate the problems I discussed when I beat on the EU for allowing
such surveillance across borders. If the work
of the Trojan can be rigorously documented, then some of the concerns about
chain of custody may be assuaged.
What's really interesting about CIPAV is that the more they use it, the more
likely it is to come to the attention of the anti-malware community. If they
get it, they'll likely treat it as malware and add detections for it. And they
often share information on these things, so it's possible that multiple vendors
would then detect it. And they would notice the server to which it "phones
home" and blacklist it.
What could the government do about this? It could privately ask or get a
court to order the companies to remove detections, but I feel pretty sure this
hasn't happened. First, so many companies in the AV business are not U.S.
companies. Second, it would leak out. I'm sure it would.
So has it happened? We don't know. CIPAV may very well be known to the
anti-malware companies as some low-incidence, low-damage threat of some other
name. The report noted the concern of some FBI personnel that it was being
overused, but it probably never got to the level where anti-malware researchers
considered it a major threat. And the FBI, like any good malware author, could
just make minor variants of it now and then to restart the detection process.
These changes, and new C&C servers if the old ones get detected, are well within
the capability of the FBI. They can afford an AV lab with a copy of every
important AV product in order to test for detection, rather than sending
variants to VirusTotal. This sort of scenario seems reasonable, even likely,
to me.
What do the anti-malware companies have to say about it? I thought about
asking, but honestly, they're not going to give me an answer. They'll say what
they said when CIPAV was first revealed two years ago: They don't know. That
answer may be a cover-up, or it may be honest. It seems reasonable to me that
it's honest. Even if they have detected CIPAV, they probably didn't recognize
it as CIPAV, and why would they?
Spyware shouldn't be any more outrageous a tool for law enforcement to use
than, for example, wiretaps. What matters is that they use them legally, with a
warrant or whatever the proper authorization is, and that there be proper
records and accountability. The documents released by the FBI indicate that
they have obtained warrants for each use of the program. What's really
interesting about this story is not that the government is in the spyware
business, but that they might have to hide the way every other spyware author
does.
SecurityCenter Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.
For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.
In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.
Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.