Symantec Will Not Detect Magic Lantern

An anonymous reader contributes: "In this article on Declan McCullagh's Politech, Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.'"

possible detection still exists

[jeffy124]

most AV tools (including Symantec and McAfee) monitor program execution for anomolis behavior by unknown virii. would lantern be able to avoid being detected by that?

also, what about personal firewall programs? I use a Tiny Software's PF (yes, under Windows, sad isnt it) that checks the md5 of an executable before granting internet access. on top of that, it can allow you to block certain apps from making/accepting connections from various sites. for example I have it set to not allow Mozilla access to ads.x10.com.

Here, two things exist: the lantern has to find a way around the md5 and also find a way around "PGP wants to connect to [fbi-ip-address], allow it?" Getting through one or the other might prove difficult.

Re:Actually, it's even simpler...

[jd]

This is the collection of tools I would suggest, based on what is listed on Securityfocus, for Windows 95/98 machines. Look under Windows tools. If you can't find the software on the site given as it's home, you can pick a copy up from Securityfocus.

• Notify
  
• ProtectX
  
• X-NetStat
  

These utilities, when used together, would offer a defence, using a slightly different technique. Here, you'd be warned, the moment any intruder attempts to connect to your machine, OR your machine mysteriously attempts to connect to someone else. You also get the warning on when a file is changed.

(By relying on only one verifier, you're not quite so secure, but it was the best I could find in a short time. Apologies for that.)

Re:No need to use Norton AV...

[Zeinfeld]

It is NOT only "a matter of time". If Linux programmers will ever get the idea to make Linux login as root by default, to write email clients that allow scripts to be executed without user's permission, to ship their OS without a firewall mechanism in place and to make the whole system a sitting duck to any running script via a conveniently accessible registry file, THEN you will start seeing viruses for Linux. But by then us security conscious people will have long since moved on to another more decent OS.

Don't be so sure. We have had UNIX worms and even VMS worms. Unlike the designers of UNIX, VMS started with a security architecture and actually recieved B2 certification rather than describing itself as 'B2 equivalent'.

At the other end of the scale the security architecture of MAC O/S has until a few months ago been stuck at the MSDOS level, lacking even protected memory, yet MAC viruses are none too common these days.

The significant factor is the proportion of the network population that uses a particular O/S. As with a biological infection there are definite inflection points that determine whether a virus spreads fast enough to cause an epidemic or a pandemic.

When the Wang Worm hit it could propagate because close to 100% of the computers on HEPNET were VMS systems. Equally the Moriss worm took out the Internet when the vast majority of nodes were UNIX boxes running sendmail.

The proportion of UNIX machines on the Internet today is probably close to critical mass for allowing a viral epidemic. The saving factor is not the design of the O/S, it is the variation between the O/S implementations. Anyone who thinks that sendmail is a lesser security risk than Outlook should read a few CERT advisories.

The separation of administrative privs is not actually significant when it comes to the propagation of email viruses. If that was the case Windows XP would solve the virus problem completely (it won't). The problem is that the boundary between code and data has been blurred. For some reason the people who felt they had to foist Java and Javascript winky-blinky features on the world had no clue when it came to security. (Don't get me started about the Java sandbox model, the code does not match the marketing hype, the implementation does not correspond to what I would regard as a sandbox design)

The other reason that UNIX boxes tend to be more secure is that the use of winky-blinky features is nowehere near as widespread. The proportion of terminally clueless users in the Windows world is (acording to my studies) approximately 92.931%, in the Linux world that figure is only 23.428%. So not only is the userbase smaller, the propability that a user sent the virus will execute the program and cause it to replicate is much smaller.

Again, look at biological models of propagation. x^n is a very big number if x > 1, it is a very small number if x Therefore the day that AOL ships AOL for Linux will be the day that Linux will start to get virus problems. It will have the active code to support winky-blinky features and thus be vulnerable to attack, it will introduce the terminally clueless into the Linux user base.

Re:Could Magic Lantern be buit into Windows XP

[Embedded+Geek]

I guess it could. From an engineering standpoint it would make more sense. The FBI need merely turn it on, not infect/install it themselves. If MS threw this bone to the DOJ, they might consider some quid pro quo on the antitrust front (not like they need to with the way things are going, though).

'Hadn't thought of that option before. Of course, I will now. Probably not get any sleep for a few days, too.