Antivirus Firms: Whitelisting Malware For Law Enforcement Against Policy

Malware designed to help law enforcement conduct surveillance against suspected criminals is not getting a pass by antivirus vendors, according to several leading antivirus firms, which told CRN the companies have strict policies against taking such measures on behalf of investigators or other officials at government agencies.

Whitelisting malware to help law enforcement avoid detection is strictly against policy, the antivirus vendors said. The message from antivirus firms comes just days after child pornography websites cloaked by the anonymizing service Tor were brought down and Eric Marques in Ireland was arrested for allegedly peddling child pornography on sites globally. The sites, hosted by Freedom Hosting, were infected with malware to uncover the identities of people visiting them. Some have speculated that evidence suggests that FBI investigators may be behind the infections.

"McAfee has a policy to not design back doors of any kind into our products," Chris Palm, director of corporate communications at Santa Clara, Calif.-based McAfee, told CRN via email. "McAfee doesn't participate in such a U.S. government program, and we're not aware of whether the reports of such programs are accurate."

[Related: Top 10 Malware Threats To Microsoft PCs ]

Freedom Hosting delivered a variety of sites via Tor. It provided access to a hacking discussion forum and a hidden Wiki used by visitors to find other anonymous sites, known as dark nets. Vikram Thakur, principal research manager at Symantec Security Response, said malware authors could create malicious code that evades antivirus detection for a period of time, creating little need for law enforcement to seek assistance from security firms to whitelist their malware.

"We have a strict policy against whitelisting malware for law enforcement and governments globally," Thakur told CRN. "We have never received such a request from law enforcement."

Security experts that have reverse-engineered the malware found on the Freedom Hosting sites cloaked by the Tor network say that the identities of people uncovered by the malware were sent to a server located in Reston, Va. The malware discovered on the websites exploited a zero-day flaw in the Firefox browser, allowing it to steal a person's MAC address, which reveals the identity of the computer network and Windows host name being used by the computer.

The software used in the incident is analogous to spyware used by cybercriminals to steal personal details of victims. Roel Schouwenberg, a senior researcher at Moscow-based Kaspersky Lab, said the link to federal law enforcement agents isn't entirely clear. "Nobody has claimed responsibility for the Tor/browser incident," Schouwenberg said.

Kaspersky Lab has a strict policy against whitelisting any piece of malware, Schouwenberg said. Like most antivirus vendors, Kaspersky Lab currently detects the malicious code used in the Tor incident, he said.

"Our duty is to detect malicious code, regardless of who may be behind it," Schouwenberg said. "We can't make exceptions to that, for both ethical and technical reasons."

NEXT: Malware Used To Combat Piracy

There have been other incidents of malware used to protect against piracy or potentially spy on individuals, said Dan Ring, director of global communications at Sophos. The most notorious may be the Sony rootki,t which was embedded into millions of music CDs in 2005. It was first detected by an independent researcher. The rootkit was automatically installed if a CD was inserted into a computer to prevent the PC from copying music. Sony BMG eventually settled lawsuits agreeing to pay out millions to those impacted.

In Germany, the country's federal crime investigation agency was suspected to be behind the R2D2 malware installed on a person's machine as it passed through customs control at Munich Airport.

Sophos doesn't approve of whitelisting malware in its products, Ring said. Malware initially works for a period until a researcher detects it or antivirus detects it by picking up an anomalous activity on a system, Ring said. "That said, as AVs don't detect 100 percent of malware, there is no guarantee that it will get detected," he said. "Targeted attacks can be evasive."

Investigators may have other ways to get software makers to open up. The FBI has been reportedly attempting to expand the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law that currently forces telecommunications firms to enable lawful wiretapping. The goal is to get the law to apply to eavesdropping on communications on Facebook, Microsoft and other firms by forcing software developers to build back-door access into their systems. But security experts point out that back doors open up weaknesses in software that can be used by cybercriminals.

PUBLISHED AUG. 6, 2013