In response to a Freedom of Information Act request, the FBI has released some details and history of a spyware program it has used over the years to gather details on suspects' computers, according to a recent article in Wired.
Information on the CIPAV, or "Computer and Internet Protocol Address Verifier," first came out in 2007. The documents recently released by the FBI discuss the cases in which the software was used and how it was introduced.
Unlike the usual crop of Trojans, CIPAV doesn't do anything malicious to the systems. It just logs certain transactional data on the system, such as the IP address of servers to which it connects. A simple program would tend to mitigate problems I discussed when I beat on the EU for allowing such surveillance across borders. If the work of the Trojan can be rigorously documented, then some of the concerns about chain of custody may be assuaged.
What's really interesting about CIPAV is that the more they use it, the more likely it is to come to the attention of the anti-malware community. If they get it, they'll likely treat it as malware and add detections for it. And they often share information on these things, so it's possible that multiple vendors would then detect it. And they would notice the server to which it "phones home" and blacklist it.
What could the government do about this? It could privately ask or get a court to order the companies to remove detections, but I feel pretty sure this hasn't happened. First, so many companies in the AV business are not U.S. companies. Second, it would leak out. I'm sure it would.
So has it happened? We don't know. CIPAV may very well be known to the anti-malware companies as some low-incidence, low-damage threat of some other name. The report noted the concern of some FBI personnel that it was being overused, but it probably never got to the level where anti-malware researchers considered it a major threat. And the FBI, like any good malware author, could just make minor variants of it now and then to restart the detection process. These changes, and new C&C servers if the old ones get detected, are well within the capability of the FBI. They can afford an AV lab with one of all the important AV programs to test for detection, rather than sending variants to VirusTotal. This sort of scenario seems reasonable, even likely, to me.
What do the anti-malware companies have to say about it? I thought about asking, but honestly, they're not going to give me an answer. They'll say what they said when CIPAV was first revealed two years ago: They don't know. That answer may be a cover-up, or it may be honest. It seems reasonable to me that it's honest. Even if they have detected CIPAV, they probably didn't recognize it as CIPAV, and why would they?
Spyware shouldn't be any more outrageous a tool for law enforcement to use than, for example, wiretaps. What matters is that they use them legally, with a warrant or whatever the proper authorization is, and that there be proper records and accountability. The documents released by the FBI indicate that they have obtained warrants for each use of the program. What's really interesting about this story is not that the government is in the spyware business, but that they might have to hide the way every other spyware author does.
Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.