CIPAV: Spy(ware) versus Spy(ware)
See “New FBI Documents Provide Details on Government's Surveillance Spyware” for more information on that, though the redaction makes most of the actual documents pretty hard to read. Maybe that was the intention...
Anyway, Townsend's article “FBI, CIPAV spyware, and the anti-virus companies” is well worth a read for his take on the topic, and I won't talk here too much about the original email thread, as he quotes me at some length (and with his usual scrupulous accuracy). Not to mention other AV quotables like Luis Corrons, Graham Cluley and David Emm. (I'm flattered to find myself in such good company when a journalist wants some expert opinion from the industry!)
However, I thought I'd take up one or two points arising from that article. Kevin Townsend is surprised that, given the emphasis on behavioral analysis in modern AV software, no one in the industry appears to know whether we detect the thing or not, though all the labs contacted seem to agree that we wouldn't remove detection if asked to by law enforcement.
As far as I know, no company has actually been asked, and I'd be surprised if any company was approached – or at any rate, any company except those with close ties to the U.S. government as a contractor, consultant or whatever. There are a great many AV companies outside the U.S., and while I'm sure most of them are as trustworthy as ESET, exposure of the policeware so widely (especially in certain countries that are somewhat hostile to the U.S.) would inevitably risk leakage of the information back to the wrong people.
But what about that point about behavior analysis? Kevin Townsend says:
I would be surprised if the sort of analysis undertaken by AV researchers would not turn up some indication of an FBI source. But I may be wrong.
Well, he's not completely wrong. AV companies are capable of some pretty sophisticated forensic analysis when necessary, and we do work with law enforcement on occasion: I've been involved with that sort of effort occasionally myself. But the key words here are “when necessary”: AV labs receive tens, even hundreds of thousands of samples a day. We can't give all those samples the same exhaustive, manual analysis. So unless there's some clear reason to (as when tracking a major botnet, for example), the fact that something rarely seen exhibits clear spyware behavior doesn't necessarily mean that we're going to trace it right back to a server at Pennsylvania Avenue, even if the FBI had thoughtfully left clues in the code. You don't usually have to know everything about malicious code to detect it: heck, we had generic detection for Stuxnet before we even knew it was there, let alone what it did.
I don't know how many of the suspects targeted by the FBI have AV at all, or which products they're likely to use – I wouldn't necessarily assume Big 3 – so we don't know how likely any AV product is to have come across CIPAV, let alone all of them. AV companies do share samples, but not necessarily all samples.
Some samples are never detected because they have very short lives and/or very narrow distribution and never hit our radar. The FBI don't have to be smarter than the AV labs, just a little bit lucky. Of course, they might be smarter, or they may have smart friends at the NSA.
But I certainly wouldn't make any assumptions either way.
As it happens, my friend Craig Johnston (now at Sophos) and I wrote a paper a couple of years ago on CIPAV and other policeware issues for the AVAR 2009 conference, called Please Police Me. Inevitably, it's speculative rather than authoritative, but you might find it interesting.