IP: More on Symantec, McAfee, loopholes, and espionage-enabled 'ware

[David Farber <dave () farber net>]

> From: Declan McCullagh <declan () well com>
>
> Previous message:
>
> "Symantec, McAfee backpedal furiously on espionage enabled-software"
> http://www.politechbot.com/p-02914.html
>
> **********
>
> Date: Tue, 11 Dec 2001 12:21:49 -0800 (PST)
> From: Annalee Newitz <brainsploitation () yahoo com>
> Subject: symantec's new position
> To: declan () well com
>
> (you can post this if you like)
>
> --- Declan McCullagh <declan () well com> wrote:
> > We've now heard contradictory reports from both
> > Symantec and McAfee, though
> > I'm inclined to believe McAfee's public,
> > on-the-record statements.
>
> Declan, I've been interviewing "spokespeople" from
> Symantec (they don't like to give out their real
> names) about this issue for the past couple of weeks.
> I finally got one to go on record saying very
> specifically that "if a Symantec customer located a
> copy of the Magic Lantern trojan horse virus and gave
> us a copy, we would be obliged to filter for it with
> our anti-virus software." In other words, their new
> public position is that they will actively block
> FBI-authored viruses. Interesting, no?
>
> Annalee
>
> =====
> Annalee Newitz
> tech * pop * sex
> 415.487.2559 - cell: 415.378.4498
> www.techsploitation.com
>
> **********
>
> From: Adrian Alcock <adrian_alcock () presence com au>
> To: "'declan () well com'" <declan () well com>
> Subject: RE: Symantec, McAfee backpedal furiously on espionage enabled-sof
>         tware
> Date: Wed, 12 Dec 2001 10:30:21 +1100
>
> Hi Declan.
>
> "Despite subsequent reports to the contrary, officials at
> Symantec Corp. (Nasdaq:SYMC - news) and Network Associates
> Inc. (Nasdaq:NETA - news) said they had no intention of
> voluntarily modifying their products to satisfy the
> FBI. Spokesmen at two other computer security companies,
> Japan-based Trend Micro Inc."
>
> They probably wouldn't have to modify their product to suit the FBI.  I
> don't use either Symantec's or NA's software, but I know that a Sophos
> installation requires extra files (called "virus identity files") for each
> new virus to be protected against.  Assuming that the same applies to McAfee
> and Norton, then we would be concerned if they didn't alter their product to
> identify the FBI's snoopware as it means they are doing nothing to identify,
> let alone act on the threat.
>
> Adrian
>
> **********
>
> From: Nomen Nescio <nobody () dizum com>
> Comments: This message did not originate from the Sender address above.
>         It was remailed automatically by anonymizing remailer software.
>         Please report problems or inappropriate use to the
>         remailer administrator at <abuse () dizum com>.
> To: declan () well com
> Subject: Re: FC: Symantec, McAfee backpedal furiously on 
> espionage      enabled-software
>
> You may be interested in the statement on Magic Lantern issued by
> Moscow-based anti-virus maker Kaspersky:
>
> Betreff: [Kaspersky Labs Press Release] The FBI's "Magic Lantern" Shines
> Bright
> Datum: Tue, 11 Dec 2001 15:53:09 +0300
> Von: Denis Zenkin <denis () kaspersky com>
>
> December 11, 2001
>
> The FBI's "Magic Lantern" Shines Bright
>
> The FBI's latest cloak-and-dagger tool has attracted the attention of virus
> writers
>
> The rumors surrounding the US Federal Bureau of Investigation's developing
> of its own Trojan program, Magic Lantern, has drawn interest from the
> computer underground.  On December 10, it was discovered that a
> seventeen-year-old Argentinean hacker, going by the pseudonym of
> "Agentlinux," has developed a Trojan that poses as the widely advertised
> Magic Lantern.
>
> We remind readers that in mid-November, MSNBC reported that the FBI has
> begun developing its latest spy program that will allow the Bureau to
> discover and crack PGP encoded messages sent by suspects under
> investigation. Magic Lantern is a classic keystroke-tracking bug that FBI
> authorities, by logging a suspect's keystrokes and transmitting them to a
> secret file, could use to decipher encoded files and messages containing
> supposed evidence.
>
> The FBI has yet to comment about the Magic Lantern program, but, according
> to ZDNet (http://www.zdnet.com/zdnn/stories/comment/0,5859,2829781,00.html),
> two US-based anti-virus developers, McAfee and Symantec, have already
> decided not to include detection procedures for Magic Lantern in their
> databases, causing varying reactions amongst users.
>
> As previously mentioned, December 10 witnessed the appearance of a Trojan
> program that masks itself as Magic Lantern.  "Malantern" (the Trojan's given
> name) is a very simplistic malicious program written in Visual Basic.  Upon
> start up, Malantern deletes files in the Windows temporary directory
> (C:\WINDOWS\TEMP) and all .SYS files in the Windows system drivers directory
> (C:\WINDOWS\SYSTEM\DRIVERS\).
> "So far, we haven't registered any reports of incidents caused by Malantern.
> However, it isn't important that the program isn't spreading.  What is
> necessary to realize is that with the appearance of the official 'Lantern,'
> virus writers won't wait long to release numerous clones," commented Eugene
> Kaspersky, Head of Anti-Virus Research at Kaspersky Labs.  "In addition, the
> possibility that the original Trojan version could end up in the hands of
> hackers cannot be excluded.  In this case, hackers could use Magic Lantern
> as a means to their own ends."
> For this reason, the refusal of anti-virus developers to include detection
> procedures for Magic Lantern could cause a large epidemic leading to
> unpredictable consequences.
> At this time, Kaspersky Labs has not received any confirmation about Magic
> Lantern's existence or the FBI's intention to develop such a program.  In
> this case, we view these rumors as they are ­ just rumors without any basis
> in fact.
>
> Defense procedures thwarting Malantern have already been added to the
> Kaspersky Anti-Virus database.
> A more detailed description of this malicious program can be found in the
> Kaspersky Virus Encyclopedia
> (http://www.viruslist.com/eng/viruslist.asp?id=4327&key=00001000120001800021).
>
>
>
> Best Regards, Denis Zenkin
> Head of Corporate Communications
> Kaspersky Lab Ltd
>
> 10, Geroyev Panfilovtsev St, Moscow, 123363,  Russia
> Tel.: +7 095 948 56 50; Fax: +7 095 948 43 31; Mobile: +7 095 798 98 76
> E-mail: denis () kaspersky com; http://www.kaspersky.com;
> http://www.viruslist.com
> ----------------------------------------------------------------
>
> ***

For archives see:
http://www.interesting-people.org/archives/interesting-people/