Slashdot Mirror


What We Know About the FBI's CIPAV Spyware

StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"

11 of 207 comments

  1. What about zombies? by Reziac · Score: 4, Insightful

    What happens when zombied computers are used to email such threats? Who gets the blame in that case? How do you distinguish the innocent zombied user from the trojan or virus? Would being infected constitute a defense? If so, how do you prove intent?

    So many questions raised by this... I'm sure others can think of many more.

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  2. I read the article by Anonymous Coward · Score: 1, Insightful

    And all I saw was a whole bunch of "Don't know"s and speculation.

  3. So, if you're a criminal.... by iknownuttin · Score: 2, Insightful
    MySpace accounts can't receive traditional e-mail, so one hacker standard -- attach the CIPAV to a message and hope the recipient is stupid enough to launch it -- wasn't available. Instead, the most likely tactic would have been to send a URL to the suspect account using MySpace's own instant messaging and/or Web mail system. If the suspect clicked on the link -- it would have had to be enticing, so use your imagination here -- and visited the FBI-owned malicious site, an exploit for a zero-day vulnerability (or unpatched one on the suspect's PC) would have let the government download CIPAV to the target hard drive.

    Don't click on any links sent to you and don't visit any sites sponsored by the FBI.

    I guess if the FBI is targeting you and they know that you like kiddie porn, they would set up a kiddie porn site to get a trojan on your machine.

    --
    I prefer Flambe as opposed to flamebait.
  4. Re:Better question by Mattintosh · Score: 3, Insightful

    That depends on whether they're in the USA or not. If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all, but don't fly to the USA. Ever.

  5. A lot of effort for 90 days detention. by AltGrendel · Score: 3, Insightful
    ...Monday, June 18. On July 15, after he pleaded guilty in juvenile court to charges of identity theft and making bomb threats, the teen was sentenced to 90 days' detention.

    They spent a lot of money on that. Sounds to me like it was actually a "test run" to make sure things work as expected. And now that they know it will work...

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

  6. Re:The real threat of "government spyware" by mr_mischief · Score: 3, Insightful

    By the time you've detected it, it's probably already reported everything. IP, MAC, IP address and HTTP request of the last packet to port 80 (or possibly 443 if it gets its information before the SSL encryption), etc. is neither difficult nor time-consuming to figure out.

  7. Moral to this story? by JimDaGeek · Score: 2, Insightful

    Don't use an MS Windows based OS if you want to do stupid stuff. Odds are that these types of government programs are only targeting the large user base of MS Windows. Use Linux, *BSD or Mac OS X and flip the government the birdie! ;-)

    --
    General, you are listening to a machine! Do the world a favor and don't act like one.
  8. Re:Better question by gstoddart · Score: 2, Insightful

    That depends on whether they're in the USA or not. If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all, but don't fly to the USA.

    Yeah, because the US government has never grabbed someone who is on foreign soil and whisked them away in an airplane late at night when nobody was looking. (No, really.)

    If they want you bad enough, they will send someone to retrieve you. Domestic and international laws be damned. Now, they won't do it for sending spam, but if you seem like a potentially serious enough threat, they will.

    Cheers
    --
    Lost at C:>. Found at C.
  9. Re:does it... by dgatwood · Score: 4, Insightful

    Mod parent down. SELinux is support for more fine-grained rights management in Linux. It's a mandatory access control policy system, basically. Unless parent has proof that there is a back door in there somewhere, I'm pretty sure parent is full of it.

    Just because the software is partially paid for by the government, it does not necessarily follow that it's a back door. Take off the tinfoil hat.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  10. Re:The real threat of "government spyware" by Opportunist · Score: 2, Insightful

    AV programs are amongst the most reversed programs in existence. Malware writers spend hours, days and weeks dissecting AV tools and finding weaknesses in them.

    I think it's fairly secure to assume that one of them would have used a security hole like this in the meantime, e.g. by rewriting the hosts-file, then sending to the (rerouted) cipav.fbi.gov and the AV tool would let it be.

    And this, in turn, would have been detected immediately by an AV company (who is competing with the AV company that lets this leak exist), as soon as they got a sample of that malware.

    Question for 100 bucks: Think we'd have read a blog about it by now?

    Malware writers usually don't care, neither for the FBI nor for the goodwill of AV companies. Actually, they are quite happy when they can piss off both.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:Zombie or not, one specimen WILL be found. by Gazzonyx · Score: 2, Insightful
    Thanks, I didn't want to sleep tonight, anyways.

    Let's up the ante and get this thing going - I'll throw in $10 to the first slashdotter who contains and publishes the 'bins' and/or reverse engineers this piece of code. $20 if you can isolate the signature of executables that it's bound to with a high degree of success (say, >=75% confidence). It's $10 well spent to sleep at night, IMO. I kinda' want to play with this thing and I'm willing to fund the hunt for it. Anyone else wanna' throw in?

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.