This is the first reported malicious use of malware in eDiscovery we’ve seen.
An article over at ArsTechnica tells a pretty interesting story wherein an attorney claims the Fort Smith, Arkansas Police Department added known malware to a hard drive ordered for discovery purposes. Apparently, a series of trojans were found in a directory created after the data was initially collected. One of the trojans were renamed to “Bales Court Order”.
The hard drive was provided last year by the Fort Smith Police Department to North Little Rock attorney Matt Campbell in response to a discovery demand filed in the case. Campbell is representing three current or former police officers in a court action, which was filed under Arkansas’ Whistle-Blower Act. The lawsuit alleges former Fort Smith police officer Don Paul Bales and two other plaintiffs were illegally investigated after reporting wrongful termination and overtime pay practices in the department.
According to court documents filed last week in the case, Campbell provided police officials with an external hard drive for them to load with e-mail and other data responding to his discovery request. When he got it back, he found something he didn’t request. In a subfolder titled D:Bales Court Order, a computer security consultant for Campbell allegedly found three well-known trojans, including:
- Win32:Zbot-AVH[Trj], a password logger and backdoor
- NSIS:Downloader-CC[Trj], a program that connects to attacker-controlled servers and downloads and installs additional programs, and
- Two instances of Win32Cycbot-NF[Trj], a backdoor
All three trojans are usually easily detected by antivirus software. In an affidavit filed in the whistle-blower case, Campbell’s security consultant said it’s unlikely the files were copied to the hard drive by accident, given claims by Fort Smith police that department systems ran real-time AV protection.
“Additionally, the placement of these trojans, all in the same sub-folder and not in the root directory, means that [t]he trojans were not already on the external hard drive that was sent to Mr. Campbell, and were more likely placed in that folder intentionally with the goal of taking command of Mr. Campbell’s computer while also stealing passwords to his accounts.”
This sounds like a federal matter – interference with the right to counsel and attorney-client privilege. Malware files wouldn’t be sitting in the PD’s “My Documents” folder or anywhere else it could be copied easily to an external drive, and as the article points out, their AV would have caught it regardless. And when was the last time you saw three different Trojans in the same directory, which they conveniently named “Bales Court Order?”
IMO this kind of police interference with the judicial process needs to be dealt with promptly and harshly, or we’ll soon have the law enforcement committing as many illegal acts as the criminals.
I’m sure that if the defendants had infected the PD’s systems with malware, it would be taken substantially more seriously than appears to be the case when the situation is reversed.