What We Know About the FBI's CIPAV Spyware 207
StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"
does it... (Score:5, Interesting)
Does it run on Linux?
sorry, couldn't help myself.... but seriously..... does it?
How to identify? (Score:2, Interesting)
The real threat of "government spyware" (Score:5, Interesting)
Either the feds don't give AV vendors a heads-up when they plan to use a trojan, i.e. they risk being found. Now, this would double as the "hey stoopid, the feds are onto you" warning.
So it's likely they do require AV vendors to avoid finding them. This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.
I needn't write more, I guess? Why bother coming up with a rootkit if there are governmental-assisted ways to create undetectable malware?
Re:The real threat of "government spyware" (Score:1, Interesting)
That's difficult considering that all cia and fed software are signed with a public crypto key that is hidden deep in windows, and used to verify that the binary is indeed a signed goverment trojan.
The same method is used to send windows trojans to foreign military windows computers as well - that's why many european states does not trust windows to run their battleships or other critical military systems. I was assigned to disassembling the windows core logic when I did my mil svc.
Re:What about zombies? (Score:5, Interesting)
Do they still get spam? (Score:3, Interesting)
But how do they install it?!?! (Score:5, Interesting)
Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?
Do they mail it to you as a virus, perhaps cleverly disguised as a Nigerian spam scam?
Do they use the back door that Microsoft agreed to put in all their software in return for being granted Most-Favored Monopoly status by the government?
Or something else? "You are a suspected pedophile. To clear your name, please click here to install the FBI's internet spyware on your computer"?
Anyone know?
Re:What about zombies? (Score:1, Interesting)
That would certainly increase the awareness.
Re:How to identify? (Score:3, Interesting)
You can go ahead and force every program you run to load a DLL of yours, which hooks the relevant calls and alerts you should an application that's not supposed to tries to access things it has no business in. At least that's how I did it.
It does slow the system down considerably, though, so you might want to use it on a separate machine (real or VM) that you use to do your internet stuff.
Better question (Score:4, Interesting)
5 bucks says they get a visit from big men in serious black suits and then are never seen again.
Is this really a reliable tool for the FBI? (Score:5, Interesting)
Better yet, if programs like CIPAV become more common as a tool for Federal Investigations, does it become a requirement that said programs allow CIPAV and its successors to do their work?
Re:does it... (Score:3, Interesting)
Of course, be prepared to have one SETI@Home packet take about four weeks to process, and to have a bogomips rating of something like 16.9...
What if Crackers modify it for themselves? (Score:4, Interesting)
what if the virus and worm writers of today get a hold of this and modify it for their own purposes?
Re:But how do they install it?!?! (Score:4, Interesting)
Some More Speculation on Installation Methods (Score:5, Interesting)
http://blog.misec.net/2007/07/31/3/ [misec.net]
Specifically, it looks like the FBI may have several ready-made exploits, each targeting a different OS/web browser combination. An interesting question, then, is what they would do if they encountered a system that is fully patched and running a more secure browser such as Firefox. Does the FBI have access to their own zero-day exploits that they can whip out to install this trojan? If so, is it possible they have their own team of hackers set out to find such exploits?
Re:What about zombies? (Score:4, Interesting)
Otherwise, who knows. Maybe their software has to wipe out other possible malware to be effective (wouldn't want that data they're collecting, or even the software they installed going overseas, right?). You'd hope that they would have to show that it was someone typing out the emails locally vs. remotely. But then, who's to say it wasn't the person's little brother writing the email? It doesn't seem like they'd have a lot to stand on...there should be a lot of supporting evidence going with what they collect with that software.
But in the end, don't they pretty much just have to say "We're the FBI. That's what happened." anyway?
Re:Is this really a reliable tool for the FBI? (Score:3, Interesting)
Zombie or not, one specimen WILL be found. (Score:5, Interesting)
Re:So, if you're a criminal.... (Score:3, Interesting)
There is this Japanese urban legend that when a corporation or Yakuza wants to off someone, they have the sucker win a trip to Indonesia. Then at the airport they slip some drugs in his bag and then give an anonymous tip to the Indonesian authorities.
The thing is... The penalty for drug possession in Indonesia is death.
You just got a government to carry out a mob hit for you.
That said, if you didn't like someone in particular and had a vendetta, putting these images on their machine would be a good way to get rid of them for a long time... Or at least ruin their career and family life.
I'm surprised the same Russian mob types behind spamming haven't created a scheme to put images on peoples computer and threaten to report them to the FBI if they didn't pay up.