By Shawna McAlearney
The FBI last week admitted to developing “Magic Lantern,” a worm/Trojan combination capable of infecting a suspect's machine to obtain encryption keys.
“We're talking about something that is in the process of being developed and we're really not too pleased that it got out to begin with,” says FBI spokesman Paul Bresson. “We don't really want to talk too much about the specifics. It is something we're developing, but it's never been used before.”
Though details of how the program will work aren't available, AV experts speculate that it installs keylogging software on a suspect's machine after infecting it with a worm. By capturing keystrokes, critical encryption key information can be gathered and transmitted back to the FBI.
The admission caused an uproar in the antivirus industry when several companies said they wouldn't include detection capabilities for Magic Lantern in their products.
“If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it, we wouldn't detect it,” Eric Chien, chief researcher at Symantec's antivirus research lab, said in a published report. “However we would detect modified versions that might be used by hackers.”
An Associated Press report also indicated McAfee Corp. had contacted the FBI to make sure that its software wouldn't detect the Trojan. However, Network Associates, McAfee's parent company, contradicted the report, saying that the discussion hadn't occurred.
Other vendors say it would depend upon safeguards. “If the authorities would be able to closely contain and monitor the use of their special tool--that it's not spreading like wildfire through the Internet and if it's only available in a controlled fashion--it's much easier for antivirus vendors to cooperate with the authorities and not detect the tool as a damaging Trojan horse,” says Ari Hypponen, CTO of F-Secure. “The key differentiator here is whether the tool would affect real-world customers and their legitimate need for network security.”
The AV industry is walking a tightrope on such covert government actions. Companies that insist on detecting the Trojan could be shielding terrorists and criminals while vendors that concede to the FBI's wishes will be accused of violating their customers' civil liberties and providing a flawed product.
“Looking at this situation from an industry perspective, if an AV vendor was going to put this into their software, it would be bad,” says Rob Rosenberger, editor of VMyths.com, a computer virus myths Web site. “There are a lot of companies out there that want to know that their antivirus software detects all malicious stuff--even if we're talking about the FBI.”
Some vendors reassured customers that they wouldn't modify their products to allow the FBI Trojan to slip past undetected.
“Malicious code is malicious code,” said Graham Cluley, senior technology consultant, Sophos Anti-Virus. “There's no reason why organizations targeted by Magic Lantern could not write a variant of the e-bug for their own use. Before we know it, we'll all be spied on by every Tom, Dick and Harry--the FBI could even become a victim of its own code!”
Allowing “back doors” for U.S. law enforcement has additional implications for vendors that do business in other countries. Customers outside the U.S. would expect protection against the Trojan, companies based in other nations may add it to their signatures and other nations might wish to develop similar tools.
“Is the FBI going to trust Eastern European and Asian companies to do the honorable thing and not detect this Trojan,” asks Cluley. “What if the French intelligence service, or even the Greeks, created a Trojan horse program for this purpose? Should we ignore those too?”
Some doubt that Magic Lantern could work as a successful way of observing suspected criminal and terrorist activity.
“Maybe we already detect Magic Lantern, but call it by a different name. The FBI hasn't provided us with a sample--it could be one of the many keylogging Trojans we've been sent in the past,” says Cluley. “We have no way of knowing if it was written by the FBI and, even if we did, we wouldn't know whether it was being used by the FBI or if it had been commandeered by a third party wishing to spy on a customer--it's a totally unworkable situation.”
The FBI recently acknowledged it used key-logging software in the investigation of suspected mobster Nicodemo Scarfo; however, in that case, the FBI physically installed the program on his machine.