Virus Checkers and the FBI

In 2001 the FBI used keystroke logging technology to gather evidence, which was then used to send perpetrators of a crime to jail. The public admission of the use of this software by the FBI led to a number of people digging to find out how the FBI interacts with companies that develop Virus Scanners. The main question being whether Virus Scanners would detect keylogging software developed by the FBI.

It is an interesting idea, which comes to my attention due to current studies in Computer Forensics, and Cryptology. I have been doing a bit of thinking about how this might work out, and played with Google for a little bit to see just how unoriginal my ideas are. This blog is the collection of links I found while looking, as well as some various related thoughts. As most people reading this site will know, I am neither a great writer, or security expert, so please read the rest of this with those preconditions in mind.

Let me share my googling results….

Just after the details of the FBI keylogging came out in 2001 a number of different people talked about the issues and ways that this might have happened. A good summary of the details is available here and here. Declan McCullagh is one of the more well informed suspicious people.

There was a whole heap of interest in late 2001 and not a whole heap since (aside: Google is great — finding stuff that has changed recently isn’t its strong point, not necessarily Google’s fault I understand, some kind of semantic web is needed to make it possible to really know when things changed, and people will probably want to make things appear newer than they really are).
encryption I was thinking a little about how to allow such a hole in the virus software without letting more malicious code take advantage (or at least not letting code that is not sanctioned by the government). I think that this is a hard problem but not unsolvable. There are a couple of different interesting approaches which come to mind (this is my 20 minutes of thinking on this, so with the more time and money available to the FBI, I am sure they could do something better).

Lets start with a little discussion of two keyloggers 1 called FBIK and the other called MalK, both of which use the same approach in their keylogging, and have very very similar signatures.

In order to deliberately avoid detection of FBIK, but pick up MalK, a digital signature of could be used. ie VirusSoftware would only allow keyloggers that were digitally signed by the FBI. The problem with this is that if FBIK is well understood, it could be setup to be completely separate to the malicious software, with the malicious software intercepting the logs, and redirecting the information. It would take a bit of hacking, but is logically feasible. What would be needed is for the keystroke logger to encrypt the keystrokes as soon as recording them. This would of course make the data much less useful to anyone without the private key.

The fact that one of the biggest uses for this type of key logger is to get someone’s passphrase for encryption would make the requirements for having to include encryption software lower (not that the footprint is that big in the first place).

Then if that software was digitally signed, and the digitially signed software was allowed to be used by the Virus Scanner, you would end up with a safer system than if the virus scanner let that type of Key stroke logger be on a system.

The information about the key logger could even be made relatively public knowledge, the biggest reason not to share about it being the fear of big brother being too bad. Of course being a bit more open about things that people already assume is there wouldn’t be a bad thing.

The other option that is interesting to think about is for the FBI not not give any details of FBIK to the virus scanning companies, instead, doing something like this.

Keep a farm of machines that has up to date virus definitions, and a copy of FBIK running. Automate the machines and have them doing some activity that would cause the FBIK to actively do its stuff. Then if any virus scanner detects FBIK, the FBI will know that they need to remove it from active service, and release FBIK 2.0. The risk here is that the FBI might be left in a position where the FBIK is out in the wild and compromised, but they should be able to minimise this risk, and the expected usage patterns would also minimise this risk. If the FBI did have the farm of machines, they could even perhaps collude with the virus scanning companies (or telcos providing the backbone to the Virus Scanning companies) to ensure that they get updates slightly before others, allowing a window of opportunity to vet any virus definition updates that are risky for the FBI.

The thing about the latter option is that if the keylogging software is well written (remember people are getting paid real money to do it, and were probably in a position to devote a lot of time to writing it), is that it is likely that the virus protection software probably would never detect FBIK. Most Virus definition updates seem to be reactive rather than proactive, and so assuming that the FBI uses FBIK with some discretion, they will be safe from detection.

Some relatively interesting issues also float around this, and it makes good food for thought.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>