What We Know About the FBI's CIPAV Spyware
StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"
1) re: duration of evidence kept:
This is either a troll or a rhetorical question.
Why would they need to erase it? How could you prove they didn't delete it?
I remember sitting in a Computer Law class in the early 80s. One of the things discussed at that time (aside from writing briefs, which the chair of the department and a group of landsharks would pick to pieces, continuing until it looked reasonable) was that you could force the FBI to ensure your information is correct. Did they send you a copy of their information and let you correct it? No. You'd send the information which you believed might be outdated or incomplete, and they'd update their information with whatever you sent to them.
2) As far as dealing with the charges + any other issues, remember: there are things which the gov't will prosecute you for, which are top secret and your lawyer isn't given access to the information.
Insert a new system call in the middle of your syscall list, and recompile everything for it. It will break all static binaries and shellcode :)
My Sparc Classic would take minutes to establish an SSH2 connection. Those big keys take a while; SSH1 was nice and fast. (50MHz, no cache, no FPU)
“Common sense is not so common.” — Voltaire
Um, you've been able to sign executables in Windows since at least Windows 2000. It's called Authenticode, and XP does read it. Vista takes it a step further by warning you if you run an unsigned application.
They have gotten court orders in the past to break into the house for the purpose of installing the spyware
Discretion is the better part of valor.
One of the differences between the virus that your bog-standard AV will detect and this critter from the FBI is the number of instances out there in the wild. Keep in mind that this FBI thing is intentionally sent to specific targets, and I suspect that it is used sparingly in order to prevent it from being found easily.
Nearly all AV programs rely on signatures. The way they obtain the signatures is first to obtain samples, and then determine how they can identify the program accurately (hashes, etc.). I've discovered new malware and forwarded it to the proper channels, as have others that I know.
Therefore, the following (simplified) steps must occur:
1. become infected with the malware
2. suspect that the machine is infected
3. correctly isolate the malware (find its parts, etc)
Then, once those happen, one must also do the following in order to hope that protection will be offered to others:
4. send the sample to one or more anti-malware application support teams for inclusion
5. wait until the AV/AM team can create a signature
6. wait until the AV/AM team distribute the signature
7. wait until people update their AV/AM signature databases
As you can see, there are several places where this process can fail. Think of it like phishing, but sort of in reverse. Phishers send out a large number of messages in hope that even if only a very small percentage of recipients (1/100th of one percent, for example) fall for it, they will be able to profit.
That works just fine if you send out a few hundred thousand messages.
If you send out only one message, or ten, or twenty, your odds are very close to zero that even one person will "bite".
This is the critical difference. I doubt that this program is out there on thousands of machines, or hundreds of thousands of machines all over the place. It is "placed" (I know - some victim effort is required) on specific machines.
Therefore you have a very small victim base. The odds of this being discovered are quite small, even without collusion from the AV vendors.
This is more like "spearphishing" (who dreams up these phrases?), being specially targeted for one individual. This increases the odds of that one individual falling for the ruse, and since only one person was the target, this works well.
Things like this make the lives of us who work in security full time much more complicated.
-Q
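As an added illustration of the pipeline the comment above describes (not code from the commenter or from any AV vendor), the following Python sketch models the two halves of the argument: a signature database only ever contains hashes of samples that were actually submitted (steps 4 and 5), so a scanner that is fully up to date (step 7) still returns nothing for a one-off implant; and the chance that at least one infected machine completes steps 2 to 4 collapses when the victim count drops from hundreds of thousands to ten. The "files" are constructed byte strings standing in for executables, and the per-victim reporting rate used in the demo is an assumed figure, not one from the page.

```python
import hashlib

# Constructed placeholders for executables on disk. None of these bytes are
# real malware; they only need to hash differently from each other.
SUBMITTED_SAMPLES = {
    "massmailer.exe": b"MZ...commodity mass-mailer, seen on ~200,000 hosts...",
    "keylog.dll": b"MZ...commodity keylogger, submitted by many users...",
}
TARGETED_SAMPLE = b"MZ...one-off implant delivered to a single mailbox..."


def build_signature_db(samples):
    """Steps 4 and 5: a vendor turns submitted samples into signatures.
    The simplest signature is a hash of the whole file, keyed to a family name.
    Anything that was never submitted is, by construction, absent."""
    return {hashlib.sha256(data).hexdigest(): name for name, data in samples.items()}


def scan(file_bytes, sig_db):
    """Step 7: a scanner with an up-to-date database checks one file.
    Returns the family name on a match, or None when the file is unknown."""
    return sig_db.get(hashlib.sha256(file_bytes).hexdigest())


def p_discovered(victims, p_report):
    """Probability that at least one of `victims` infected machines completes
    steps 2-4 (notices the infection, isolates the sample, submits it), if each
    does so independently with probability `p_report`.  1 - (1 - p)^n."""
    if victims < 0 or not 0.0 <= p_report <= 1.0:
        raise ValueError("victims must be >= 0 and p_report in [0, 1]")
    return 1.0 - (1.0 - p_report) ** victims


def demo(p_report=0.0001):
    """Run both halves of the argument and return the results.
    p_report=0.0001 (1/100th of one percent) is an assumed rate for the
    illustration; the comment uses the same figure for phishing, not for AV."""
    db = build_signature_db(SUBMITTED_SAMPLES)
    return {
        "commodity_detected": scan(SUBMITTED_SAMPLES["massmailer.exe"], db),
        "targeted_detected": scan(TARGETED_SAMPLE, db),
        "p_found_mass_campaign": p_discovered(200_000, p_report),
        "p_found_ten_targets": p_discovered(10, p_report),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The arithmetic is the whole point: with 200,000 victims and a 0.01% per-victim chance of submission the sample is almost certain to reach a vendor, while with ten victims the same rate gives roughly a 0.1% chance, and the scanner stays blind until that one submission happens.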
This is the third time Slashdot has featured a story on CIPAV, and not one of them has been as thorough as the original story broken by Kevin Poulsen at Wired News: http://www.wired.com/politics/law/news/2007/07/fbi_spyware?currentPage=all. Declan McCullagh at News.com simply re-wrote Poulsen's story and introduced errors (slashdotting #1). Heise doesn't write original content (slashdot #2, a clear dupe), and this Computerworld article (slashdot #3) looks like a later version of this: http://blog.wired.com/27bstroke6/2007/07/fbi-spyware-how.html.
How about some Slashdot love for the reporter who broke the story?
Linux is open source, so how exactly would they have an "unpublished" exploit? There are a lot more people looking for bugs in Linux than the FBI has searching Linux for some exploit they could take advantage of. Oh, and the FBI would only be able to use an exploit they found first a few times before it is patched and known all through the Linux community.
As for MS Windows, if there is an unknown exploit, maybe MS would leave it there with a little nudge and wink from the FBI?
As for OS X, the core is open source and *BSD based, so it would be the same there as for Linux. However, the proprietary stuff in OS X could have an unpublished exploit. Though I don't think Apple would be as willing to help out the FBI and keep things under wraps. The thing going for Apple is Apple fans. If Apple really screwed over their fans, their business would collapse.
General, you are listening to a machine! Do the world a favor and don't act like one.
"That's why many European states do not trust Windows to run their battleships or other critical military systems. I was assigned to disassemble the Windows core logic when I did my mil svc."
Afraid that Great Britain is more than happy to employ Microsoft software in their warships.
See this: http://www.theregister.co.uk/2007/02/26/windows_b
and this:
http://en.wikipedia.org/wiki/Type_45_destroyer
Veritas patesco per quaestio questio. Truth is revealed through questions.