Magical lights shine on you

2007-04-01

Righard Zwienenberg

Norman, The Netherlands
Editor: Helen Martin

Abstract

'The use of trojans to gather evidence has previously been proposed by law enforcers in Sweden, the Netherlands, Denmark and the USA ... However, there is something of an obstacle for all magic lantern projects: the anti-malware industry has the habit of developing solutions that detect malicious or unwanted activity.’ Righard Zwienenberg, Norman.


In February, the light of a 'magic lantern' shone once again, this time on computer users in Germany. 'Magic lantern' is the term that has been adopted by the anti-malware industry to describe a trojan that is planted (without the user's consent) on a system by an official intelligence agency or criminal investigator in order to gather evidence relating to the user's activities.

The magic lantern idea is not new. The use of trojans to gather evidence has previously been proposed by law enforcers in Sweden, the Netherlands, Denmark and the USA. The first time the magic lantern idea came to light was in 2001, when there was rumoured to be in existence a key logger, created by the FBI, which could be installed remotely via an email attachment or by exploiting vulnerabilities in the operating system. (Code Red was first discovered in July 2001 - was it a trial run?)

However, there is something of an obstacle for all magic lantern projects: the anti-malware industry has the habit of developing solutions that detect malicious or unwanted activity. And we are getting better and better at doing so in a generic way, using heuristics or behavioural analysis. Therefore there is a very high likelihood that at least one anti-malware product or forensic tool will be able to detect the malicious nature of the code (which, at least from the user’s point of view is unwanted), thus revealing the presence of the trojan to the user. This would put the evidence gathering at risk: a criminal who detects a surveillance trojan on his system would likely then delete all the evidence before the investigators have obtained it. Extremely counterproductive!

To get around this problem, the intelligence agencies will have to ask the anti-malware industry not to detect their magic lantern trojans. To ask one company for cooperation would seem reasonable, but to get the entire anti-malware industry to agree not to detect a piece malicious code (whose origin and purpose is irrelevant for analysing engines) would be a utopia.

The anti-malware industry as a whole has, in fact, already agreed to make one exception to its detection rules: almost all anti-malware products detect and treat as malicious the (clean) EICAR test file (see http://www.eicar.org/anti_virus_test_file.htm). However, in the case of the magic lantern trojan, even if the majority of vendors agreed not to detect the trojan, it is likely that there will always be one or two (if not more) vendors who choose to detect it. This may be for ethical reasons, it may be because the vendors are new to the market and unaware of the non-detection agreement, it may be for PR reasons (making such an exception would get the company a lot of press coverage), or it may simply be because the vendor has updated its behavioural analysis module, with the result that the trojan has become detectable.

For the sake of this article, let's assume that it is possible to have a global non-detection agreement for a magic lantern trojan. The next problem is that the trojan can only be used once. Criminals may have backups which are not discovered and confiscated at the time of their arrest. These could then be analysed by the criminals or their associates, and information about the trojan would quickly become freely available. Even if the established anti-malware industry didn’t detect it, there would be a market for one-off scanners, detecting just this instance of the 'magic lantern trojan'. So, for every instance in which an agency wants to deploy a magic lantern trojan, a new one would have to be made - and in every instance it would require the agreement of all anti-malware and forensic utility vendors not to detect it. World peace would be easier to accomplish.

As for whether such a magic lantern does exist and has ever been used, I am not aware of one, and I don't believe such a thing has ever been deployed (yeah, right!). If I at least plead ignorance in public, it might save me from being taken away in a dark-windowed car by men in black suits and sunglasses.

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest articles:

Throwback Thursday: Michelangelo - Graffiti Not Art

In early 1992, a boot sector virus captured the imagination of the press and kicked up a media storm. Following a number of reports of the virus spreading in the UK, VB decided to publish an analysis. Fridrik Skulason brought us all the details of…

Throwback Thursday: Once a Researcher...

The author of Flushot, one of the world's first anti-virus programs, Ross Greenberg had already distanced himself from the main AV industry by 1995 - finding himself put off by the antics of certain vendors, whom he considered less than ethical in…

VB2016 paper: APT reports and OPSEC evolution, or: these are not the APT reports you are looking for

While APT reports should have threat actors scrambling to keep up, in reality they are providing APT actors with the information they need to implement new operational security practices and technologies that have defenders working as hard as ever to…

Throwback Thursday: A Troubled World

In early 1991, the world was a troubled place and conflict and violence were being reported globally on a daily basis. With this as a backdrop, the world of "indiscriminate" computer viruses which "victimise in a random and unpredictable manner"…

The journey and evolution of God Mode in 2016: CVE-2016-0189

Exploits for the CVE‑2016‑0189 vulnerability offer both reliability and complexity, so it is little wonder that it was the most commonly exploited vulnerability in 2016. Ankit Anubhav traces the journey and evolution of the 'God Mode' exploitation…