Symantec Will Not Detect Magic Lantern

An anonymous reader contributes: "In this article on Declan McCullagh's Politech, Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.'"

No need to use Norton AV...

[the_rev_matt]

I'd rather not use AV software that was designed not to work. Of course, I run Linux so it's not really an issure for me...

Re:No need to use Norton AV...

[babbage]

...until of course the first big cross platform or Linux only virus comes along and trashes your computer[s], which we all know is just a matter of time.

Your OS is certainly more esoteric, but it has holes like all the rest of them do. Your immunity thus far isn't an indication that there are no holes -- there are always holes -- but that the *nix enviroment hasn't yet been able to cultivate & propagate any really serious viruses yet.

One of two thing is likely to happen: Linux's popularity will crest & wane, and people will stop using it (unlikely, I hope :), or it will continue to get more popular, and as it does so it will provide an ever more appealing target for virus writers, licking their chops at all the complacency out there....

Re:No need to use Norton AV...

[quartz]

It is NOT only "a matter of time". If Linux programmers will ever get the idea to make Linux login as root by default, to write email clients that allow scripts to be executed without user's permission, to ship their OS without a firewall mechanism in place and to make the whole system a sitting duck to any running script via a conveniently accessible registry file, THEN you will start seeing viruses for Linux. But by then us security conscious people will have long since moved on to another more decent OS.

Re:No need to use Norton AV...

[babbage]

Yeah. Sure. Just make sure you leave enough of whatever it is you're smoking in that pipe so that we can all get as addled as you are on this one.

Mac OSX is becoming an interesting case study in Unix For The Masses. Default Linux is, as the Register recently noted, [from memory, can't find a link] "a paragon of Stalinistic control freakery", and that has made it more secure out of the box than the average WinME box, but more importantly it has also scared off millions, and rightly so. Apple's engineers knew well that if they wanted to bring this architecture to the masses -- the way the Gnome & KDE folks do -- then they'd have to encapsulate & hide as much of that control freakery as possible.

And for the most part they've done a good job, but there have been some serious glitches, like programs that would launch themselves as root, or a broken iTunes installer that wiped out whole disk partitions because of one mistyped "rm" command in an installer script. Pay attention, you seething Linux hordes, because if you want to hit the big time then this is your future. You too will face these problems as the system matures & seeks out a wider audience.

The only "secure" system is either (pick your punch line) the one that hasn't been built yet, or the one you bought a decade ago and still haven't plugged in yet. All of the others -- all of them -- have problems of one kind or another, and all of them always well. Welcome to real life, kids.

Re:No need to use Norton AV...

[quartz]

You know what the difference is between Linux and Mac OSX? Linux is written by control freaks. Fortunately, the fine folks who are working on the various parts of the Linux system differ from your average Slashdot sheep in that they care more about system security and less about "widespread Linux adoption". That's why you will never see such a thing as "insecure Linux".

Yes, it's possible that Linux companies will eventually start putting out windows-ified Linux distros that will sacrifice security for ease of use to make it more appealing to the unwashed masses, but so what? Viruses work so well in Windows territory because there's Only One Windows, and everything works exactly the same on millions of computers. Look at all the different Linux distros from a virus writer's perspective and ask yourself if you could really write an effective virus and expect it to work the same on all of them. My answer is no. Not with the huge diversity of libraries and programs and kernel versions out there. What's a virus writer to do? Spread the virus as source file and ask the user to type ./configure? I guess you could do that, but you'd be the laughing stock of the virus writers' community, if there is such a thing.

And if you're going to suggest that Linux will eventually standardize and everybody will use the same distro (or all distros will be functionally identical), and all the programs and libraries will reach stable versions updated only once every six months in service packs, then you obviously have no idea what you're talking about, which is what I would half expect from someone who says things like "welcome to real life, kids".

Uh, the answer is simple...

[Nijika]

Someone will just write something that in theory WILL detect Magic Lantern. We just have to wait for it. Who in the geek community would really sit back and WAIT for a virus software company to come up with a solution like that.

Anyway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours? :-)

Re:Uh, the answer is simple...

[czardonic]

yway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours?

Here's why it IS your problem. If you think the FBI is going to limit their spying to Windows, you are pretty naive. Count on one of the following:

They will find a way to make it work in every consumer OS.

They will find some other way to acheive the same thing with other OSs.

They will outlaw the use of an OS that can be used to evade law enforcement.

Re:Uh, the answer is simple...

[gazbo]

Anyway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours? :-)

I don't think it is useful to assume that you are safe because you are using Ye Sacred Linux. If a Linux version of the trojan were written, it could be installed in 3 ways (that I can see):

• By exploiting known weaknesses - well, I guess Linux has a lot going for it on that one.
  
• By user stupidity - Linux users in general are more security savvy than Windows users, but that is different from saying that using Linux is protecting you. Stupid Linux users can still install anna-kournikova.lantern.rpm if they want.
  
• By physical intrusion - not many boxes can stand up to tech people with a warrant entering your house and installing the software
  

But you're still right with most of your point. It's not my problem (because I don't live in USA) and it's not your problem (because you have not done anything to attract the attentions of the CIA/FBI/NSA/FDA/TLA have you)
I really don't think they'll install it without cause - and even if they did, who's going to monitor keystrokes on every computer in America?

Oh, for the stupidity example, I'm assuming that Magic Lantern wouldn't be sent to Linux users as source...

Re:Uh, the answer is simple...

[bfree]

Sometimes the UScentricities of /. just make me ROFL!

All that is happening here is that

• All non-US parties will purchase non-US anti-virus software losing the US anti-virus software produces $xxxxxxxxxx/annum and meaning the US software will have a smaller user base and be more likely to be less secure
• Every US citizen will have to decide whether to break the law (cause I believe they will outlaw the use of anything which cannot be cracked by the FBI, including all the non-US anti-virus products) or to leave themselves vulnerable
• The US will spend a massive amount of resources on trying to control this whole issue. The filtering of the Net would be an immediate requirement to try and find people who are using illegal software, or downloading it
• MY OS will NEVER be vulnerable!! I will always, from some day about 3 years ago, use an OS which is Free where the code can be reviewed, modified and distributed. I can attach hooks into my TCP-IP stacks, network device drivers or any other level I wish to watch for the FBI (or anyone else) trying to track me (or gather any info) and block them at source, but I won't need to cause a 17 year old scandinavian will release a tool to do it for me which will be plastered over the non-US internet
• The US is well on its way to writing itself out of the rest of the world, and whatever they believe they can't survive alone!

Sometimes I honestly feel pity for Americans!

Silly to the extreme

[Dark+Paladin]

I'm not a conspiracy nut, and I certainly don't have total trust, or total mistrust, of the government either.

But it isn't the idea of the FBI trying to use these tools that offends me. I expect them too, and I don't have anything to hide. But the issue of a company that I pay money for to help protect me to turn a blind eye to government intrusion is insane.

If I pay someone to give me security, I expect them to provide it against anyone who wants my information. Pure and simple. And I'm not worried about the "Oh, we won't check the FBI's version - but we would check variants."

Oh, that makes me feel *much* better. Imagine a cracker getting his fingers on the FBI software and using that on my systems. Gee, thanks for not checking that, Symantec.

Of course, you have to admit that Symantec and McAfee are in a bind. If they state they're going to detect the FBI software, then they're anti-government. If they don't, then they're aiding big brother. But considering that the United States was formed from a healthy distrust of our government (and that distrust has only proved to help us, thank you Hubert Hoover and your bra collection), I would rather have the security companies on my side and make my government work just a little harder to prove guilt. Or at least, that's what my tax dollars should be going to.

Of course, this is just my opinion. I could be wrong.

Re:Silly to the extreme

[ictatha]

I don't think your analogy is quite accurate. From what I gather, your analogy should be:

So if you hire private security guards to protect your house, do you expect them to forcibly keep out the FBI even if they don't have a warrant?

These companies are ignoring the FBI trojan altogether. They aren't requiring a warrant to ignore it.

Re:Silly to the extreme

[j7953]

So if you hire private security guards to protect your house, do you expect them to forcibly keep out the FBI when they have a warrant?

This analogy doesn't work because if the FBI presents a warrant I already know they're searching my house.

A more accurate analogy might be: What do you expect your security guards to do if they find out that your house is bugged? Should they not tell just because the bugs carry "FBI" labels?

Re:Silly to the extreme

[OmegaDan]

Once someone catches magic lantern, we're just gonna have to pay 20$ for a magic lantern detector I already run Norton and Ad-Aware scanners, why not Lantern-Away? ... Hopefully Lavasoft (makers of ad-aware) will catch the thing and put it in their ad-aware scanner ...

I have a better conspiracy theroy though ... The thing thats missing in all this is the delivery vector. *What if* norton/mcaffee *are* the delivery vectors? Think about it -- they're perfect. It would prolly only add a few hundred kbytes to the program ... Virus programs automatically call home for updates (nav 2002 calls home almost every day), in one of those updates why coulnd't it say "here's the newest copy of magic lantern, please install" :) And once its in, either ML itself *or* norton anti-virus can update ML with the newest evasion techniques etc etc ...

huh?

[new+death+barbie]

So they're not going to detect the original, but they WILL detect any hacker-modified clones?

What about Norton Firewall? Will it still detect unexpected outgoing connections? How can I expect it to reliably detect and permit FBI-approved software, but not hacker software with a similar MO?

Oh, maybe there'll be a hard-coded IP address in the outgoing connection -- now THERE'S a nice target for DDOS!

I can hardly wait

[r_j_prahad]

From the time a copy of this "Magic Lantern" is first discovered in the wild until an exact copy of the FBI-approved (and consequently undetectable) version is available via alt.hackers.maliscious is going to take what, twenty minutes?

Malda might as well start composing (and spellchecking) the headline now, because it's a sure bet he'll get to use it.

Re: a/v software

[blibbleblobble]

The FBI? Do anything illegal? Who would ever imagine that such a thing could happen?

<repressed_memory>

• Wiretaps of opposition politicians
• Wiretaps of civil rights protestors
• Wiretaps of those who voice dissent
• Wiretaps of people unrelated to any crime investigation

</repressed_memory>

Hmmm, I can't seem to think of any examples of how police spy powers have been abused in the past, can you?

just say no

[joss]

Symantec are perfectly entitled to do whatever they want. If they want to sell crippled security software, it's their funeral ? Sophos has a more sensible attitude http://www.theregister.co.uk/content/55/23057.html , and better AV software anyway.

If US software companies want to sell crippleware in the interests of "patriotism" that's their business. There are plenty of companies willing to fill the gap.

international terrorist: fbi

[SubtleNuance]

How long until this little app ends up on a PC that is not on US soil? Will some foreign nation be able to make an offical-issue of this? It seems like the FBI might not be thinking this through.

... then again, there is Echelon.... apparently no one minds...

Re: a/v software

[the+Man+in+Black]

Not to mention what happened the last time the FBI decided to abuse it's powers in blatant and utter disregard for the consitutionally guaranteed rights of the American people.

COINTELPRO

And this time we're GIVING the government this power by agreeing to be spoon-fed this 'for our own good' and 'war on terrorism' bullshit.

I say no thank you. If there was a tracking device installed subcutaneously on every single American citizen in the country, and our borders were closed, THEN would you people feel safe?

Who needs 3rd party software?

[crimoid]

Assuming that this is a standardized attachment (ie the same size, etc.) it should be pretty easy for filters on the ISP or client to catch. Also, to my knowledge the only mail clients that can execute code w/o user intervention are M$ products. This narrows the people that can be affected alot.

Re:Some need to clue in

[red_dragon]

Your analogy is, unfortunately, incomplete. Let's review:

If you hired private security guards for your house, and the FBI showed up with a warrant to search the place, would you expect them to turn away the FBI?

In such a case, the following is expected to happen:

• FBI spooks obtain search warrant from court;
• Spooks knock at your door;
• Guards step out and meet spooks;
• Spooks show the search warrant to guards;
• Guards inform you of the presence of spooks with a search warrant, and (presumably) let them through.

Now, in the case of Magic Lantern, the following *might* happen:

• FBI spooks obtain a (possibly fake) lead;
• Spooks infect your computer with Magic Lantern, and poke around it as they wish;
• You're not informed of what's going on.

So, what's missing here? Simply enough, the agents did not have the consent of the court to infect your computer, and you've been deprived of the knowledge of what occured. This is the major issue here. I wouldn't want them poking inside my computers as much as the next guy, but if they're going to, I'd like to know when they're doing it, and they better have that bloody warrant in hand.

Someone help me figure this one out..?

[linuxrunner]

I like to program but I'm not a huge trojan nut but have the basic concept and idea on how these things work....

First off:
Everyone keeps talking about how it will just be a matter of time before a wild version of "green lantern" or something of the sort shows up in the wild....
Dude, if you have Green Lantern on your computer and you find out about it, you've got a lot more things to worry about then sharing it with the hacker / cracker community!

Second of all:
Who cares that the anti-virus software won't recognize it. They haven't detected half the viruses for years!
Heck, Just create your basic client server in c++ or whatever and you'll notice that it is not recognized by the software anyways..... I started to learn sockets and create client/server chats, remote access for work, etc. My anti-virus, anti-trojan software never picked up on it... only my Zone Alarm caught it.

Not these company's job anyway

[iabervon]

These companies provide detection and removal services for widely-distributed and automatic attacks. That is to say, it's their job to clean up when someone releases a virus that spreads all over the place. They discover something spreading, and they make an update.

If the FBI is doing their job well, that's not the situation here. The way they've been describing this working is that they set it up to attack the particular person against whom they've obtained a warrent. It doesn't email itself to the target's addressbook, it doesn't attack random IPs, it doesn't try to infect floppies. That would be both illegal (since it could destroy the data of non-targets) and probably invalidate their evidence (since they don't have a warrent to investigate every individual in the US).

So a virus scanner shouldn't catch Magic Lantern, because it's not really a virus, in the sense that they're scanning for. It's an attack tool, which uses the methods often employed by viruses. Virus scanners don't fix security holes; they look for particular malicious and spreading code on your computer and clean it up. They won't stop Magic Lantern, they won't stop someone hijacking your passport account, and they won't stop even script kiddies breaking into your webserver, because their purpose and system design just aren't good for that.

So far I haven't heard of any IDS companies saying they will ignore ML, nor have I heard of any companies saying they won't fix security holes that ML uses. That's what would be significant.

Its a non-problem

[Srin+Tuar]

I just wonder how a free software anti-virus lab would work

Easy- we fix the problem instead of treating the symptoms:

If there are exploits, they get fixed. So you would never have to worry about an email or webpage hijacking your machine.

And so long as you stick to source-available code (not necessarily the same as open-source) which has at least a moderate distribution, you dont have to worry about trojans.

The run-away virus problems you see in windows are a direct result of a closed source culture where all software is delivered and exchanged via inscrutable black-box binaries. A typical windows user thinks nothing of downloading a .exe file from an untrusted source then running it, whereas a typical unix user would get shivers just at the thought of doing so.

Virus scanner software is just a huge patchwork of duct tape that is fundamentally incapable of solving any problem- or providing any security.

(for example nimda: it had already done its damage by the time it was in the pattern files)

If an open-source system and philosophy were ta take hold of the desktop- an entire industry (virus scanning/recovery) would simply disappear.

Not likely at all.

[Pinball+Wizard]

A few things happened in the Microsoft world that made it pretty easy for viruses to spread that could not happen in the Linux world.

1) most people don't read their email while logged in as root. This is the number 1 reason why viruses easily spread in Windows systems is because in Windows, just about everything is done with an account that has full control over the system.

2) In Windows-land you generally run binary-only programs and you have no idea what the source looks like. Most programs in Linux come with the source code. You are not likely to run a binary only program in Linux unless you know for sure who its coming from.

So, to reiterate, viruses are executable programs. They need both permission to execute and a means of spreading themselves. Windows systems were already set up to allow these things to happen by default. Linux systems will never be set up that way, at least not on a widespread basis.

I don't think we will ever see problems as widespread and damaging such as Nimda or Sircam on Linux systems, no matter how popular Linux gets. Its just not designed to easily allow programs to be run, without someone explicity giving it permission. Even exploits of commonly used server programs are limited in the damage they can do, because most servers do not run as root. No, the virus writer has a much much harder job to do on Unix systems. Why bother when Windows is so much easier?

Could Magic Lantern be buit into Windows XP

[savaget]

Would it be possible for Magic Lantern to be built into a closed source OS like Windows XP?