Slashdot Log In
What We Know About the FBI's CIPAV Spyware
Posted by
Zonk
on Wed Aug 01, 2007 12:42 PM
from the i-always-feel-like-somebody's-watching-me dept.
from the i-always-feel-like-somebody's-watching-me dept.
StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"
Related Stories
[+]
Your Rights Online: FBI Remotely Installs Spyware to Trace Bomb Threat 325 comments
cnet-declan writes "There have been rumors for years about the FBI remotely installing spyware via e-mail or by exploiting an operating system vulnerability from afar — and now there's confirmation. Last month, the FBI obtained a federal court order to remotely install spyware called CIPAV (Computer and Internet Protocol Address Verifier) to find out who was behind a MySpace account linked to bomb threats sent to a high school near Olympia, Wash. News.com has posted a PDF of the FBI affidavit, which makes for interesting reading, and a summary of the CIPAV results that the FBI submitted to a magistrate judge. It seems as though CIPAV was installed via e-mail, as an article back in 2004 hinted was the case. In addition to reporting the computer's IP address, MAC address, and registry information, it also gave the FBI updates on which IP addresses the user(s) visited. But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors..."
[+]
FBI Used Spyware for Online Search 79 comments
juct writes "The FBI has used PC spyware for the first time to reveal the identity of an offender who sent bomb threats to a high school in Washington state. According to heise Security, a declaration from the FBI official who applied for the search warrant describes the mode of operation of the spyware which the FBI is using under the abbreviation CIPAV (Computer and Internet Protocol Address Verifier)."
[+]
Your Rights Online: FBI Sought Approval To Use Spyware Through FISC 92 comments
An anonymous reader writes "Wired is reporting that the FBI sought approval to use its custom spyware program, CIPAV, from the secretive Foreign Intelligence Surveillance Court in terrorism or spying investigations. Affidavits prepared for the court are among 3,000 pages of documents gathered, but not yet released, in response to a Freedom of Information Act request from Wired. The FBI hasn't answered any questions about its use of the CIPAV since the program's existence became widely known in July. The FISC is generally regarded as a rubber stamp; it approved over 4,000 surveillance requests in 2005 and 2006[PDF], rejecting none."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
does it... (Score:5, Interesting)
Does it run on Linux?
sorry, couldn't help myself.... but seriously..... does it?
Re:does it... (Score:5, Funny)
"Mr. Gman from Quantico, VA has sent you an eGreetingCard from Flowers By Irene! Just open this P.D.F. file to view..."
Parent
Re: (Score:3, Interesting)
Of course, be prepared to have one SETI@Home packet take about four weeks to process, and to have a bogomips rating of something like 16.9...
Re:does it... (Score:4, Informative)
My Sparc Classic would takes minutes to establish an SSH2 connection. those big keys take a while, SSH1 was nice and fast. (50MHz no cache, no FPU)
Parent
Let's check... (Score:5, Funny)
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package cipav
Whew, safe!
Parent
Re:does it... (Score:5, Insightful)
Mod parent down. SELinux is support for more fine-grained rights management in Linux. It's a mandatory access control policy system, basically. Unless parent has proof that there is a back door in there somewhere, I'm pretty sure parent is full of it.
Just because the software is partially paid for by the government, it does not necessarily follow that it's a back door. Take off the tinfoil hat.
Parent
Re:does it... (Score:4, Funny)
oh no - it's going to have Ajax and a drop shadow!
Parent
What about zombies? (Score:5, Insightful)
So many questions raised by this... I'm sure others can think of many more.
Re:What about zombies? (Score:5, Interesting)
Parent
Re: (Score:3)
Point being, I'm wondering just how solid this evidence really would be in the eyes of the courts, with or without tech-savvy judges and lawyers.
Re:What about zombies? (Score:4, Interesting)
Otherwise, who knows. Maybe their software has to wipe out other possible malware to be effective (wouldn't want that data they're collecting, or even the software they installed going overseas, right?). You'd hope that they would have to show that it was someone typing out the emails locally vs. remotely. But then, who's to say it wasn't the person's little brother writing the email? It doesn't seem like they'd have a lot to stand on...there should be a lot of supporting evidence going with what they collect with that software.
But in the end, don't they pretty much just have to say "We're the FBI. That's what happened." anyway?
Parent
Re: (Score:2, Informative)
1) re: duration of evidence kept:
This is either a troll or a rhetorical question.
Why would they need to erase it? how could you prove they didn't delete it?
I remember sitting in a Computer Law class in the early 80s. One of the things which arose (aside from writing briefs which the chair from the department and a group of landsharks would pick pieces apart & continue until it looked reasonable) One of the things discussed at that time was you could force the FBI to ensure your information is c
Zombie or not, one specimen WILL be found. (Score:5, Interesting)
Parent
Re: (Score:3, Funny)
Brody: The CIPAV is a source of unspeakable power and it has to be researched!
Eaton: And it will be, I assure you Dr. Brody, Dr. Jones. We have top men working on it right now.
Jones: Who?
Eaton: Top men.
Re: (Score:3, Insightful)
Let's up the ante and get this thing going - I'll throw in $10 to the first slashdotter who contains and publishes the 'bins' and/or reverse engineers this piece of code. $20 if you can isolate the signature of executables that it's binded to with a high degree of success (say, =>75% confidence). It's $10 well spent to sleep at night, IMO. I kinda' want to play with this thing and I'm willing to fund the hunt for it. Anyone else wanna' throw in?
How to identify? (Score:2, Interesting)
Re: (Score:3, Interesting)
You can go ahead and force every program you run to load a DLL of yours, which hooks the relevant calls and alerts you should an application that's not supposed to tries to access things it has no business in. At least that's how I did it.
It does slow the system down considerably, though, so you might want to use it on a separate machine (real or VM) that you use to do your internet stuff.
address is 192.168.0.100 (Score:4, Funny)
It most do a trace route/phone home or somthing to actually get a useful address
Yes... millions of taxpayer dollars have been... (Score:3, Funny)
Re:address is 192.168.0.100 (Score:5, Funny)
It most do a trace route/phone home or somthing to actually get a useful address
As opposed to the guy at 127.0.0.1! I hacked into his machine once, but that bastard had some sort of active defense daemon running that wiped my drive at the same time I was trying to wipe his!
Fortunately, I was able to see the porno pics of his wife before I was hit. Man! That bitch was FUGLY!
Parent
The real threat of "government spyware" (Score:5, Interesting)
Either the feds don't give AV vendors a heads-up when they plan to use a trojan, i.e. they risk being found. Now, this would double as the "hey stoopid, the feds are onto you" warning.
So it's likely they do require AV vendors to avoid finding them. This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.
I needn't write more, I guess? Why bother coming up with a rootkit if there are governmental-assisted ways to create undetectable malware?
Re: (Score:3, Funny)
Re: (Score:2)
Re:The real threat of "government spyware" (Score:4, Insightful)
Parent
Re: (Score:3, Funny)
No, but that would be awsome. Maybe some of the open source antivirus kits out there (I know there's at least one) should use that as the name if they ever manage to get a signature of CIPAV.
Re: (Score:2)
Besides, that only serves as a better way to detect it. I give it 2 days 'til the first detector circulates that looks for exactly THIS crypto key signature.
Re: (Score:2)
Re:The real threat of "government spyware" (Score:4, Informative)
One of the differences between the virus that your bog-standard AV will detect and this critter from the FBI is the number of instances out there in the wild. Keep in mind that this FBI thing is intentionally sent to specific targets, and I suspect that it is used sparingly in order to prevent it from being found easily.
Nearly all AV programs rely on signatures. The way they obtain the signatures is first to obtain samples, and then determine how they can identify the program accurately (Hashes, etc). I've discovered new malware and forwarded it to the proper channels, as have others that I know.
Therefore, the following (simplified) steps must occur:
1. become infected with the malware
2. suspect that the machine is infected
3. correctly isolate the malware (find its parts, etc)
Then, once those happen one must also do the following in order to hope that protection will be offered to others:
4. send the sample to one or more anti-malware application support teams for inclusion
5. wait until the AV/AM team can create a signature
6. wait until the AV/AM team distribute the signature
7. wait until people update their AV/AM signature databases.
As you can see, there are several places where this process can fail. Think of it like phishing, but sort of in reverse. Phishers send out a large number of messages in hope that even if only a very small percentage of recipients (1/100th of one percent, for example) fall for it, they will be able to profit.
That works just fine if you send out a few hundred thousand messages.
If you send out only one message, or ten, or twenty, your odds are very close to zero that even one person will "bite".
This is the critical difference. I doubt that this program is out there on thousands of machines, or hundreds of thousands of machines all over the place. It is "placed" (I know - some victim effort is required) on specific machines.
Therefore you have a very small victim base. The odds of this being discovered are quite small, even without collusion from the AV vendors.
This is more like "spearphishing" (who dreams up these phrases?), being specially targeted for one individual. This increases the odds of that one individual falling for the ruse, and since only one person was the target, this works well.
Things like this make the lives of us who work in security full time much more complicated.
-Q
Parent
Re: (Score:3, Insightful)
I think it's fairly secure to assume that one of them would have used a security hole like this in the meantime, e.g. by rewriting the hosts-file, then sending to the (rerouted) cipav.fbi.gov and the AV tool would let it be.
And this, in turn, would have been detected immediately by an AV company (who is competing with the AV company that lets this le
Nice acronym but... (Score:5, Funny)
Do they still get spam? (Score:3, Interesting)
Re:Do they still get spam? (Score:4, Funny)
Parent
So, if you're a criminal.... (Score:2, Insightful)
Re: (Score:3, Interesting)
There is this Japanese urban legend that when a corporation or Yakuza wants to off someone, they have the sucker win a trip to Indonesia. Then at the airport they slip some drugs in his bag and then give an anonymous tip to the Indonesian authorities.
The thing is... The penalty for drug possession in Indonesia is deat
But how do they install it?!?! (Score:5, Interesting)
Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?
Do they mail it to you as a virus, perhaps cleverly disguised as a Nigerian spam scam?
Do they use the back door that Microsoft agreed to put in all their software in return for being granted Most-Favored Monopoly status by the government?
Or something else? "You are a suspected pedophile. To clear your name, please click here to install the FBI's internet spyware on your computer"?
Anyone know?
Re:But how do they install it?!?! (Score:4, Interesting)
Parent
Re: (Score:3, Funny)
try{
getTarget().addUncostitutionalSpyware();
}
catch (SomebodyFoundOutException e){
getTarget().accuse( new Excuse( Excuse.paedophile , Excuse.terrorist ));
}
finally{
profit();
}
Better question (Score:4, Interesting)
5 bucks says they get a visit from big men in serious black suits and then are never seen again.
Re:Better question (Score:4, Insightful)
Parent
Re: (Score:3, Insightful)
Yeah, because the US government has never grabbed someone who is on foreign soil and whisked them away in an airplane late at night when nobody was looking. (No, really [usatoday.com].)
If they want you bad enough, they will send someone to retrieve you. Domestic and international laws be damned. Now, they won't do it for sending spa
Is this really a reliable tool for the FBI? (Score:5, Interesting)
Better yet, if programs like CIPAV become more common as a tool for Federal Investigations, does it become a requirement that said programs allow CIPAV and its successors to do their work?
Re: (Score:3, Interesting)
What happens to the data collected? (Score:3, Funny)
Duh.
I wouldn't mind running this (Score:2)
What if Crackers modify it for themselves? (Score:4, Interesting)
what if the virus and worm writers of today get a hold of this and modify it for their own purposes?
A lot of effort for 90 days detention. (Score:4, Insightful)
They spent a log of money on that. Sounds to me like it was actually a "test run" to make sure things work as expected. And now that they know it will work...
Hey, this is no fair. (Score:4, Funny)
Moral to this story? (Score:3, Insightful)
Re: (Score:3, Informative)
As for MS Windows, if there is an unknown exploit, maybe MS would leave it there with a little nudge and wink from the FBI?
As for OS X, the core is op
Some More Speculation on Installation Methods (Score:5, Interesting)
http://blog.misec.net/2007/07/31/3/ [misec.net]
Specifically, it looks like the FBI may have several ready-made exploits, each targeting a different OS/web browser combination. An interesting question, then, is what they would do if they encountered a system that is fully patched and running a more secure browser such as Firefox. Does the FBI have access to their own zero-day exploits that they can whip out to install this trojan? If so, is it possible they have their own team of hackers set out to find such exploits?