What We Know About the FBI's CIPAV Spyware

StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"

Re:The real threat of "government spyware"

[querist]

Discretion is the better part of valor.

One of the differences between the virus that your bog-standard AV will detect and this critter from the FBI is the number of instances out there in the wild. Keep in mind that this FBI thing is intentionally sent to specific targets, and I suspect that it is used sparingly in order to prevent it from being found easily.

Nearly all AV programs rely on signatures. The way they obtain the signatures is first to obtain samples, and then determine how they can identify the program accurately (Hashes, etc). I've discovered new malware and forwarded it to the proper channels, as have others that I know.

Therefore, the following (simplified) steps must occur:

1. become infected with the malware
2. suspect that the machine is infected
3. correctly isolate the malware (find its parts, etc)

Then, once those happen one must also do the following in order to hope that protection will be offered to others:

4. send the sample to one or more anti-malware application support teams for inclusion
5. wait until the AV/AM team can create a signature
6. wait until the AV/AM team distribute the signature
7. wait until people update their AV/AM signature databases.

As you can see, there are several places where this process can fail. Think of it like phishing, but sort of in reverse. Phishers send out a large number of messages in hope that even if only a very small percentage of recipients (1/100th of one percent, for example) fall for it, they will be able to profit.

That works just fine if you send out a few hundred thousand messages.

If you send out only one message, or ten, or twenty, your odds are very close to zero that even one person will "bite".

This is the critical difference. I doubt that this program is out there on thousands of machines, or hundreds of thousands of machines all over the place. It is "placed" (I know - some victim effort is required) on specific machines.

Therefore you have a very small victim base. The odds of this being discovered are quite small, even without collusion from the AV vendors.

This is more like "spearphishing" (who dreams up these phrases?), being specially targeted for one individual. This increases the odds of that one individual falling for the ruse, and since only one person was the target, this works well.

Things like this make the lives of us who work in security full time much more complicated.

-Q