Legal spyware

The Swiss newspaper “Schweizer Sonntagszeitung” recently published an article on malware experiments conducted by the Swiss Department of the Environment, Transport, Energy and Communications. The full article, in German, can be found here.

The department is clearly considering the use of spyware that has been specifically developed for tapping into encrypted Voice-over-IP connections (e.g. Skype). It is still unclear whether using such a tool could be made legal. In any event, a judge would have to approve each case in advance, similar to the procedure for monitoring normal telephone calls.

The Swiss company that develops the program (and rather ironically offers installation services for antivirus software on their website) has made some interesting statements. They say that the spyware would only be given directly to the Swiss authorities, and that their program would be undetectable by any firewall or antivirus solution. Of course, the latter statement cannot be verified without a sample, but personally I don’t believe it anyway. We all know that malware can be detected not only by signature-based methods but also by heuristic and proactive technologies, which antivirus vendors are continuously improving.

On the other hand, even if the spyware could fool all antivirus solutions, it would be highly irresponsible to use such software “in the wild”, no matter what the reason. Sooner or later it would be discovered by other malware developers, and be modified and abused for illegal purposes.

So far this spyware is not in use, and hopefully, that will not change any time soon.
