Updated 7/19/07: FBI nabs bomb threat suspect with spyware

Updated 7/19/07: Policeware: the spyware used by law enforcement

A recent case that was heard by the U.S. Court of Appeals involved law enforcement use of a key logger on a suspect’s computer. The case involved a suspected illicit drug maker that was under investigation by the U.S. Drug Enforcement Agency (DEA). The DEA obtained permission from a judge to install key logging software on the suspect’s computer in order to harvest passwords for PGP and Hushmail encryption.

This case highlights a question that I’ve been thinking about for years: would my anti-virus program alert me to the presence of key logger software, even if it was installed by law enforcement? C|Net News interviewed representatives from several anti-virus/malware companies and got answers to that question. Would the following vendors’ programs detect key loggers even if installed by law enforcement?

▪ Grisoft/AVG: Yes

▪ Checkpoint: Yes

▪ Computer Associates: Yes

▪ eEye: Yes

▪ IBM: Yes

▪ Kaspersky: Yes

▪ McAfee: Yes

▪ Microsoft: Yes

▪ Sana: Yes

▪ Sophos: Yes

▪ Symantec: Yes

▪ Trend Micro: Yes

▪ Websense: Yes

C|Net News also asked these vendors if they had ever received requests from law enforcement (including subpoenas) that their products not inform a specific user of the presence of a law enforcement installed key logger. Some of the companies have a policy to not discuss specific dealings with law enforcement – and the rest said they had received no such request.

I am wondering just now – what would McAfee, Trend, Symantec, or any of the others do if law enforcement DID request / require that their products not report the presence of a key logger. How would they accomplish that feat? I can imagine a number of scenarios on how that would be accomplished:

The specific anti-virus vendor would design in a mechanism that would silence the software’s alert of a key logger if it received a specific signal from the vendor’s update service. To accomplish this, the vendor would have to know precisely which PC should be silenced, and be able to do so silently.

Other, less serious, alternatives come to mind:

Law enforcement could sneak into the suspect’s computer and run a program that would disable anti-virus programs’ ability to detect or report the presence of the key logger. I can easily imagine malware that would perform the same disabling feature in order to hide its own key logger. Some malware already has the ability to completely shut down anti-virus programs, firewalls, and so on, so this capability is not that far-fetched.

Law enforcement could send an e-mail to the suspect, where the e-mail either contained an executable, or a URL to a law enforcement website. “Please run this program or visit this web site so that we can install a key logger for you.” Uh huh.

Remember: anything that law enforcement can do, hackers can do. In fact, hackers are often one step ahead of law enforcement, experienced with the illicit installation of key loggers.

Anyway, I can imagine a future where law enforcement may have the ability to get key loggers onto computers, and at the same time get anti-malware programs to look the other way. But I expect that there will be capabilities of detecting and disabling such key loggers: hackers are notoriously anti-law enforcement and they would quickly fill the need to detect and block law enforcement key loggers.

In the meantime I can think of a few countermeasures:

Regularly scan your computer with one of several available online malware scanners (see this tip for more information).

Run one or more anti-rootkit programs to scan for rootkits (I feel that key loggers and/or the means for blocking anti-malware’s alerting it may be done by rootkits).

Switch your OS: use MacOS or Linux instead of Windows.

I have a feeling that the Electronic Frontier Foundation and the ACLU will be watching these developments.

Links to stories:

http://news.com.com/Security+firms+on+police+spyware%2C+in+their+own+words/2100-7348_3-6196990.html?tag=st.num

http://news.com.com/8301-10784_3-9741357-7.html

