Pierluigi Paganini May 19, 2014

The FBI (Federal Bureau of Investigation) has issued a solicitation for malware development confirming the use of malicious code for investigation.

The proliferation of malware in the cyber space is not a surprise, according recent reports the number of new malicious code instance is rapidly increasing. State-sponsored hackers and cyber criminals are principally responsible for the spike, the risks are enormous for internet users that in many cases are helpless in from of cyber threats, common security countermeasures like antivirus are not enough to protect their asset online.

What do you think about the possibility that malware is designed or spread by law enforcement?

There is the concrete risk that users’ PC everywhere on the planet will be infected by malicious code designed by agency like the FBI, law enforcement makes a large use of malicious code during their investigation despite they deny any accusation.

The Federal Bureau of Investigation (FBI) is one of the agencies most active in the use of malware and a recent solicitation (RFQ1307B) of DoJ confirms it.

“The Federal Bureau of Investigation has a requirement for malware. Please see attached combined synopsis/solicitation for complete requirement.“

The feds recently posted an online listing confirming that the Bureau is looking to purchase malware from a commercial supplier and is now accepting applications.

The FBI offers a one-year contract with four one-year options, this is reported in the requirement session:

“The collection of malware from multiple industries, law enforcement and research sources is critical to the success of the FBIs mission to obtain global awareness of malware threat. The collection of this malware allows the FBI to provide actionable intelligence to the investigator in both criminal and intelligence matters.”

It is requested to the malware supplier to give the FBI about 30GB to 40GB of malware per day through a feed and the feds have to be able also to retrieve the feed directly.

• Currently exist (or system currently exists that can produce the feed)
• Contain a rollup of sharable new malware (both unique and variants)
• Include a malicious URL report (Reference Section 2.3.2)
• Be organized by SHA1 signatures
• Be updated once every 24 hours
• Be a snapshot of the prior 24 hours
• Be, on average, 30GB – 40GB per day
• Be able to retrieve feed in an automated way through machine-to-machine communication
• Initiations of accessing feed shall be pulled by FBI not pushed to FBI

Which are the risks?

The malware proliferation, from spyware to cyber weapons, could represent a serious problem, F-Secure’s Chief Research Officer Company Mikko Hyppönen at the TrustyCon conference in San Francisco explained that almost every government is spending a great effort to improve its cyber capabilities.

Chris Soghoian, principal technologist with the American Civil Liberties Union, during the recent TrustyCon conference highlighted the possibility that the government will exploit automated update services to serve malware and spy on users.

Is this the next surveillance frontiers?

Instead to exploit consolidated techniques like phishing and watering hole, intelligence agencies and law enforcement could use application updates to deliver malware on victims’ systems.

“The FBI is in the hacking business. The FBI is in the malware business,” “The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust.” Soghoian said. 

Malware proliferation is a serious menace for the cyberspace, I understand the need of law enforcement agencies, but the use of malicious code must be regulated by a globally accepted framework to avoid violation of users’ rights.

Pierluigi Paganini

(Security Affairs –  FBI,malware)