Antivirus Firms: Whitelisting Malware For Law Enforcement Against Policy


Malware designed to help law enforcement conduct surveillance against suspected criminals is not getting a pass by antivirus vendors, according to several leading antivirus firms, which told CRN the companies have strict policies against taking such measures on behalf of investigators or other officials at government agencies.

Whitelisting malware to help law enforcement avoid detection is strictly against policy, the antivirus vendors said. The message from antivirus firms comes just days after child pornography websites cloaked by the anonymizing service Tor were brought down and Eric Marques in Ireland was arrested for allegedly peddling child pornography on sites globally. The sites, hosted by Freedom Hosting, were infected with malware to uncover the identities of people visiting them. Some have speculated that evidence suggests that FBI investigators may be behind the infections.

"McAfee has a policy to not design back doors of any kind into our products," Chris Palm, director of corporate communications at Santa Clara, Calif.-based McAfee, told CRN via email. "McAfee doesn't participate in such a U.S. government program, and we're not aware of whether the reports of such programs are accurate."

 

[Related: Top 10 Malware Threats To Microsoft PCs]

Freedom Hosting delivered a variety of sites via Tor. It provided access to a hacking discussion forum and a hidden Wiki used by visitors to find other anonymous sites, known as dark nets. Vikram Thakur, principal research manager at Symantec Security Response, said malware authors could create malicious code that evades antivirus detection for a period of time, creating little need for law enforcement to seek assistance from security firms to whitelist their malware.

"We have a strict policy against whitelisting malware for law enforcement and governments globally," Thakur told CRN. "We have never received such a request from law enforcement."

Security experts that have reverse-engineered the malware found on the Freedom Hosting sites cloaked by the Tor network say that the identities of people uncovered by the malware were sent to a server located in Reston, Va. The malware discovered on the websites exploited a zero-day flaw in the Firefox browser, allowing it to steal a person's MAC address, which reveals the identity of the computer network and Windows host name being used by the computer.

The software used in the incident is analogous to spyware used by cybercriminals to steal personal details of victims. Roel Schouwenberg, a senior researcher at Moscow-based Kaspersky Lab, said the link to federal law enforcement agents isn't entirely clear. "Nobody has claimed responsibility for the Tor/browser incident," Schouwenberg said.

Kaspersky Lab has a strict policy against whitelisting any piece of malware, Schouwenberg said. Like most antivirus vendors, Kaspersky Lab currently detects the malicious code used in the Tor incident, he said.

"Our duty is to detect malicious code, regardless of who may be behind it," Schouwenberg said. "We can't make exceptions to that, for both ethical and technical reasons."

NEXT: Malware Used To Combat Piracy